Re: [keystone][policy] user read-only role not working
Adding back the mailing list +openstack-discuss@

On 11/1/20 23:15, its-openstack@zohocorp.com wrote:
> Dear Openstack,
>
> We are implementing this reader role through kolla-ansible. We need help in understanding the policy file for adding a custom role in both nova and keystone.
You can learn how to use the policy file directly by reading the docs I linked earlier:

* https://docs.openstack.org/security-guide/identity/policies.html
* https://docs.openstack.org/oslo.policy/train/admin/policy-json-file.html

And then the APIs you can control access to in nova are shown in this sample file:

* https://docs.openstack.org/nova/train/configuration/sample-policy.html

APIs in keystone are shown in this sample file:

* https://docs.openstack.org/keystone/train/configuration/samples/policy-yaml....

I'm afraid I don't know anything about how to adjust the policy file through kolla-ansible though.

Cheers,
-melanie
---- On Fri, 02 Oct 2020 02:12:39 +0530 *melanie witt <melwittt@gmail.com>* wrote ----
On 9/25/20 07:25, Ben Nemec wrote:
> I don't believe that the reader role was respected by most projects in
> Train. Moving every project to support it is still a work in progress.
This is true and for nova, we have added support for the reader role beginning in the Ussuri release as part of this spec work:
https://specs.openstack.org/openstack/nova-specs/specs/ussuri/implemented/po... <https://specs.openstack.org/openstack/nova-specs/specs/ussuri/implemented/policy-defaults-refresh.html>
Documentation:
https://docs.openstack.org/nova/latest/configuration/policy-concepts.html <https://docs.openstack.org/nova/latest/configuration/policy-concepts.html>
To accomplish a read-only user in the Train release for nova, you can DIY to a limited extent by creating custom roles and adjusting your policy.json file [1][2] accordingly. There are separate policies for GET/POST/PUT/DELETE in many cases so if you were to create a role ReadWriteUser you could specify that for POST/PUT/DELETE APIs and create another role ReadOnlyUser and specify that for GET APIs.
Hope this helps, -melanie
[1] https://docs.openstack.org/nova/train/configuration/sample-policy.html <https://docs.openstack.org/nova/train/configuration/sample-policy.html>
[2] https://docs.openstack.org/security-guide/identity/policies.html <https://docs.openstack.org/security-guide/identity/policies.html>
> On 9/24/20 11:58 PM, its-openstack@zohocorp.com wrote:
>> Dear Openstack,
>>
>> We have deployed the openstack train branch.
>>
>> This mail is in regards to the default roles in openstack. We are
>> trying to create a read-only user, i.e. the said user can only view in
>> the web portal (horizon) or using CLI commands; the user cannot create
>> or delete an instance, and the same for any other resource.
>>
>> We created a user in a project "test" with the reader role, but in
>> horizon/CLI it is able to create and delete instances, and similarly
>> has other access as well. If you could kindly help us fix this issue
>> we would be grateful.
>>
>> The commands used for creation:
>>
>> $ openstack user create --domain default --password-prompt test-reader@test.com
>> $ openstack role add --project test --user test-reader@test.com reader
>>
>> Thanks and Regards
>> sysadmin
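The DIY scheme melanie describes above (one custom role for GET targets, another for POST/PUT/DELETE), written out as a nova Train policy file. This is an added example, not a file from the thread or from the nova project: the roles ReadOnlyUser and ReadWriteUser and the helper rules project_read and project_write are assumed names, and the os_compute_api:* targets shown are only a sample of the ones listed in the Train sample policy file [1]. Two facts the fragment relies on: in Train most nova targets default to rule:admin_or_owner, which is "is_admin:True or project_id:%(project_id)s" and is therefore satisfied by any user holding any role on the project, including reader (this is why the user in the original post could still create and delete instances); and only the targets you override change, so every write target from the sample file has to be covered, not just the handful shown here.

```yaml
# /etc/nova/policy.yaml for a nova Train deployment (added example).
# Assumed: custom roles ReadOnlyUser and ReadWriteUser already exist in
# keystone (openstack role create ...) and are assigned per project.
# Any os_compute_api:* target NOT listed here keeps its Train default,
# normally rule:admin_or_owner, which any role on the project satisfies,
# so the write section must be completed from the sample policy file.

# Helper rules (assumed names). Both require a project-scoped token whose
# project matches the resource; only the second requires the write role.
"project_read": "project_id:%(project_id)s and (role:ReadOnlyUser or role:ReadWriteUser)"
"project_write": "project_id:%(project_id)s and role:ReadWriteUser"

# GET targets: readable by either custom role, and by admins (rule:admin_api
# is a nova default, "is_admin:True").
"os_compute_api:servers:index": "rule:admin_api or rule:project_read"
"os_compute_api:servers:detail": "rule:admin_api or rule:project_read"
"os_compute_api:servers:show": "rule:admin_api or rule:project_read"
"os_compute_api:os-keypairs:index": "rule:admin_api or rule:project_read"
"os_compute_api:os-keypairs:show": "rule:admin_api or rule:project_read"

# POST/PUT/DELETE targets: ReadWriteUser or admin only. ReadOnlyUser holders
# get HTTP 403 here even though their project_id matches.
"os_compute_api:servers:create": "rule:admin_api or rule:project_write"
"os_compute_api:servers:update": "rule:admin_api or rule:project_write"
"os_compute_api:servers:delete": "rule:admin_api or rule:project_write"
"os_compute_api:servers:start": "rule:admin_api or rule:project_write"
"os_compute_api:servers:stop": "rule:admin_api or rule:project_write"
"os_compute_api:servers:reboot": "rule:admin_api or rule:project_write"
"os_compute_api:servers:resize": "rule:admin_api or rule:project_write"
"os_compute_api:os-keypairs:create": "rule:admin_api or rule:project_write"
"os_compute_api:os-keypairs:delete": "rule:admin_api or rule:project_write"
```

Train's oslo.policy still defaults the file name to policy.json, so either name the file that way or set policy_file = policy.yaml under [oslo_policy] in nova.conf (oslo.policy parses YAML in either case), then restart nova-api. With kolla-ansible the same file is dropped into /etc/kolla/config/nova/ and picked up on reconfigure. Verify with a token for a user that holds only ReadOnlyUser on the project: `openstack server list` should succeed and `openstack server create ...` should be refused with 403 Forbidden; if the create still succeeds, the target it hits is one you have not overridden yet.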