<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Dolph: I think what Salman is looking for is some want to configure what role is used to determine admin-ness within a service. For example, Glance allows you to set a 'service_role' option. The <a href="http://context.is">context.is</a>_admin checks make sure whatever role defined in service_role is found in the roles returned by Keystone rather than assuming it is 'admin'.<div><br></div><div>Salman: As for documentation, you can look to <a href="http://glance.openstack.org/policies.html">http://glance.openstack.org/policies.html</a> for an overview of what is available in Glance.</div><div><br></div><div><br></div><div>Brian</div><div><br></div><div><br></div><div><div><div>On May 10, 2012, at 6:10 PM, Dolph Mathews wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">policy.json is entirely end-user configurable (it's not hardcoded at all): replace every instance of "role:admin" in your policy.json (there's two by default in nova's policy.json, for example) with "role:myadmin", create the corresponding "myadmin" role in keystone, and grant it to the appropriate users instead of "admin".<div>
<br></div><div>You can also have multiple roles with admin-like behaviors (see nova's admin_or_owner as an example), or roles with very limited sets of capabilities, e.g.:</div><div><br></div><div> "volume:create": [["role:custom_role_that_can_only_create_volumes"]]<div>
<br></div><div>-Dolph<br><br><div class="gmail_quote">On Thu, May 10, 2012 at 4:32 PM, Salman A Baset <span dir="ltr"><<a href="mailto:sabaset@us.ibm.com" target="_blank">sabaset@us.ibm.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><p><font face="sans-serif">It seems that 'admin' role is hard-coded cross nova and horizon. As a result if I want to define 'myadmin' role, and grant it all the admin privileges, it does not seem possible. Is this a recognized limitation? </font><br>
<br>
<font face="sans-serif">Further, is there some good documentation on policy.json for nova, keystone, and glance?</font><br>
<br>
<font face="sans-serif">Thanks.</font><br>
<br>
<font face="sans-serif">Best Regards,<br>
<br>
Salman A. Baset<br>
Research Staff Member, IBM T. J. Watson Research Center<br>
Tel: <a href="tel:%2B1-914-784-6248" value="+19147846248" target="_blank">+1-914-784-6248</a><br>
<br>
</font></p></div><br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br></div></div>
_______________________________________________<br>Mailing list: <a href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a><br>Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>Unsubscribe : <a href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a><br>More help : <a href="https://help.launchpad.net/ListHelp">https://help.launchpad.net/ListHelp</a><br></blockquote></div><br></div></body></html>