On 9/25/20 07:25, Ben Nemec wrote:
I don't believe that the reader role was respected by most projects in Train. Moving every project to support it is still a work in progress.
This is true, and for nova we have added support for the reader role beginning in the Ussuri release as part of this spec work: https://specs.openstack.org/openstack/nova-specs/specs/ussuri/implemented/po...

Documentation: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html

To accomplish a read-only user in the Train release for nova, you can DIY to a limited extent by creating custom roles and adjusting your policy.json file [1][2] accordingly. There are separate policies for GET/POST/PUT/DELETE in many cases, so if you were to create a role ReadWriteUser you could specify that for POST/PUT/DELETE APIs, and create another role ReadOnlyUser and specify that for GET APIs.

Hope this helps,
-melanie

[1] https://docs.openstack.org/nova/train/configuration/sample-policy.html
[2] https://docs.openstack.org/security-guide/identity/policies.html
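The policy.json split described above, worked through as an added example that is not part of the thread and not nova's or oslo.policy's own code. The os_compute_api:servers:* names are real nova policy names; the ReadOnlyUser and ReadWriteUser roles are the custom roles suggested in the reply, and the helper rule names (any_custom_role, owner_reader, owner_writer) are assumptions chosen here. The evaluator is a deliberately simplified stand-in for oslo.policy (it understands only role:, rule:, is_admin: and attribute checks such as project_id:%(project_id)s, with "and" binding tighter than "or"), used to sanity-check the override against constructed tokens before it is deployed. Two caveats a practitioner would want: nova's Train defaults for these APIs are "rule:admin_or_owner" (is_admin:True or project_id:%(project_id)s), which is why a reader-role user who is a project member can still create and delete; and the same override has to be installed wherever policy is enforced, including Horizon's copy of the nova policy file, or the dashboard will keep showing the create/delete actions.

```python
"""Constructed example: a Train-era nova policy.json override that splits
read and write access between two custom roles, plus a minimal evaluator
(a simplified stand-in for oslo.policy, not the real library) used to
verify the split before the file is deployed."""
import json

# Constructed policy.json excerpt. The os_compute_api:servers:* keys are real
# nova policy names; the helper rules and the two custom roles are assumptions.
# admin keeps its usual access via is_admin:True, nova's default admin_api rule.
POLICY_JSON = json.dumps({
    "admin_api": "is_admin:True",
    "any_custom_role": "role:ReadOnlyUser or role:ReadWriteUser",
    "owner_reader": "rule:any_custom_role and project_id:%(project_id)s",
    "owner_writer": "role:ReadWriteUser and project_id:%(project_id)s",
    # GET APIs: readers and writers, scoped to their own project
    "os_compute_api:servers:index": "rule:admin_api or rule:owner_reader",
    "os_compute_api:servers:detail": "rule:admin_api or rule:owner_reader",
    "os_compute_api:servers:show": "rule:admin_api or rule:owner_reader",
    # POST/PUT/DELETE APIs: writers only (create has no target project yet)
    "os_compute_api:servers:create": "rule:admin_api or role:ReadWriteUser",
    "os_compute_api:servers:update": "rule:admin_api or rule:owner_writer",
    "os_compute_api:servers:delete": "rule:admin_api or rule:owner_writer",
    "os_compute_api:servers:start": "rule:admin_api or rule:owner_writer",
    "os_compute_api:servers:stop": "rule:admin_api or rule:owner_writer",
}, indent=2)

# Policy name suffixes that change state; a read-only role must reach none.
MUTATING_SUFFIXES = ("create", "update", "delete", "start", "stop")


def _check_atom(atom, creds, target, policy):
    """Evaluate one check such as role:X, rule:X, is_admin:True or
    project_id:%(project_id)s against the token (creds) and the target."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds["roles"]
    if kind == "rule":
        return enforce(policy, value, creds, target)
    if kind == "is_admin":
        return bool(creds.get("is_admin", False)) == (value == "True")
    # Generic attribute check: the right-hand side is interpolated from the
    # target (the server being acted on), then compared with the token's field.
    expected = value % target
    return str(creds.get(kind)) == expected


def enforce(policy, rule_name, creds, target):
    """'or' separates alternatives; each alternative is an 'and' of atoms."""
    expr = policy[rule_name]
    return any(
        all(_check_atom(atom.strip(), creds, target, policy)
            for atom in alternative.split(" and "))
        for alternative in expr.split(" or ")
    )


def allowed_apis(policy, creds, target):
    """Sorted list of API policies the given token may call on the target."""
    return sorted(name for name in policy
                  if name.startswith("os_compute_api:")
                  and enforce(policy, name, creds, target))


def audit_read_only_role(policy, role="ReadOnlyUser"):
    """Mutating APIs reachable by the read-only role in its own project.
    Anything returned here is a hole in the override; expect an empty list."""
    creds = {"roles": [role], "project_id": "p1", "is_admin": False}
    target = {"project_id": "p1"}
    return [name for name in allowed_apis(policy, creds, target)
            if name.rsplit(":", 1)[-1] in MUTATING_SUFFIXES]


if __name__ == "__main__":
    policy = json.loads(POLICY_JSON)
    reader = {"roles": ["ReadOnlyUser"], "project_id": "p1", "is_admin": False}
    writer = {"roles": ["ReadWriteUser"], "project_id": "p1", "is_admin": False}
    print("reader, own project:  ", allowed_apis(policy, reader, {"project_id": "p1"}))
    print("reader, other project:", allowed_apis(policy, reader, {"project_id": "p2"}))
    print("writer, own project:  ", allowed_apis(policy, writer, {"project_id": "p1"}))
    print("read-only holes:      ", audit_read_only_role(policy))
```

After writing POLICY_JSON to /etc/nova/policy.json, the roles themselves are created with the usual "openstack role create ReadOnlyUser" / "openstack role create ReadWriteUser" and assigned with "openstack role add --project <project> --user <user> <role>"; the audit function above is the check to run whenever the file is edited, since one wrong "or" silently gives the read-only role write access.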
On 9/24/20 11:58 PM, its-openstack@zohocorp.com wrote:
Dear Openstack,
We have deployed the OpenStack Train branch.

This mail is in regards to the default roles in OpenStack. We are trying to create a read-only user, i.e. the said user can only view in the web portal (Horizon) or using CLI commands. The user cannot create an instance or delete an instance, and the same with any other resource.

We created a user in project test with the reader role, but in Horizon/CLI it is able to create and delete instances, and similarly for other access. If you would so kindly help us fix this issue, we would be grateful.
The commands used for creation:

$ openstack user create --domain default --password-prompt test-reader@test.com
$ openstack role add --project test --user test-reader@test.com reader

Thanks and Regards,
sysadmin