Hi Ken, On Thu, Apr 11, 2019, at 15:05, Ken D'Ambrosio wrote:
Hi, all. Beginning to roll out a newer-than-what-we-had OpenStack release -- likely to be Pike, "For reasons." (Which is still *worlds* newer than Juno, where we are.) And I've been asked if there's such a thing as an account (or ACL) that allows a user to read everything, but write nothing. Googling, I see mention of such things -- but nothing really firm. Does it exist? Is it in Pike (or more recent releases)? If it doesn't exist, is there a graceful way to make it happen, anyway?
Thanks!
-Ken
There is currently no read-only role that works out of the box in Pike or even in Stein. It's been a longstanding request and we're working on it:

http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/def...

The problem now is that just creating a role named "reader" in keystone doesn't automatically fix the problem; we need to coordinate with every project to redefine their default policies to use the reader role instead of using a catch-all member/Member/__member__ role.

In the meantime, you can modify the policies of the services you run to limit write operations to non-reader roles:

https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
https://docs.openstack.org/oslo.policy/latest/admin/policy-yaml-file.html

Hope this helps.

Colleen
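To make the per-service workaround Colleen describes concrete, here is an added example of a Nova policy override (not from the thread, not Nova's shipped defaults). It assumes a keystone role literally named "reader" has been created and assigned to the read-only users, that the Pike-era alias "admin_or_owner" is still "is_admin:True or project_id:%(project_id)s", and that the os_compute_api:servers:* rule names match your release; confirm both against the sample your Nova version generates (oslopolicy-sample-generator --namespace nova) before relying on it. The file is read by whatever [oslo_policy]/policy_file points at in nova.conf (policy.json by default; oslo.policy accepts YAML, of which JSON is a subset).

```yaml
# Added example: Nova policy overrides that keep "reader" tokens read-only.
# Assumptions: a keystone role named "reader" exists; rule names are the
# Pike-era os_compute_api:* names; "admin_or_owner" matches Nova's default.

# Nova's stock alias: any admin, or any token scoped to the owning project.
# A reader token scoped to the project satisfies this, which is exactly why
# the write rules below cannot keep using it unchanged.
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

# New alias: same as the stock alias, minus anyone holding the reader role.
# Wrapping the stock alias leaves admin and member behaviour untouched;
# "not role:reader" is the only addition.
"owner_can_write": "rule:admin_or_owner and not role:reader"

# Read paths stay on the stock alias, so reader tokens still pass via the
# project_id match.
"os_compute_api:servers:index": "rule:admin_or_owner"
"os_compute_api:servers:detail": "rule:admin_or_owner"
"os_compute_api:servers:show": "rule:admin_or_owner"

# Write paths move to the new alias. Every mutating rule in the file needs
# the same treatment; these five are illustrative, not the complete list.
"os_compute_api:servers:create": "rule:owner_can_write"
"os_compute_api:servers:delete": "rule:owner_can_write"
"os_compute_api:servers:update": "rule:owner_can_write"
"os_compute_api:servers:start": "rule:owner_can_write"
"os_compute_api:servers:stop": "rule:owner_can_write"
```

Two caveats a practitioner should check. First, this pattern fails open: any mutating rule you forget to move still resolves to admin_or_owner, and a reader scoped to the project can write through it, so diff your override against the full generated sample and cover every non-read rule (the alternative, an explicit "role:member or role:admin" writer alias, fails closed for users holding neither role). Second, "not role:reader" looks at the token's whole role list, so a user assigned both reader and member on the same project is denied writes; assign reader instead of, not in addition to, the normal role. You can exercise individual rules offline against a saved keystone token response with oslopolicy-checker from oslo.policy (roughly: oslopolicy-checker --policy /etc/nova/policy.yaml --access reader-token.json --rule os_compute_api:servers:create); check its help for the exact options in your version.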