[openstack-dev] [QA][keystone] Best practices for admin roles and policies

Frittoli, Andrea (HP Cloud) frittoli at hp.com
Fri Apr 25 11:52:02 UTC 2014


In the QA meeting yesterday, we discussed about accounts, admin roles and policies, and how we use them in tempest and in our test environments (e.g. devstack and toci).

The conversation was triggered by a discussion on running tempest without admin credentials – see [0], [1].

 

So we are looking for recommendations and best practises available on how to setup roles in keystone and policies when running keystone v3.

 

A little more background on this.

 

Tempest uses admin accounts for two purposes: 

-  setting up test accounts on the fly, useful to run tests in parallel in isolation 

- run tests which require service specific admin privileges, such as list all VMs in a cloud for nova, or manage public routers and networks in neutron

 

When running tests with keystone v2, we use an identity admin account, which is also acts admin for all other services – only exception being swift, for which a dedicated admin role is defined.

We need to define how we want the accounts and roles setup to look like with keystone v3. 

 

Keystone V3 provides (at least) two level of admin role: overall identity admin and domain admin. 

 

Domain admin is sufficient to create users and tenants within a certain domain, which is nice as it could allow tempest to run with a domain admin account only and still use tenant isolation.

But how does that map to the service admin roles, given the fact that services are not domain aware?

 

For instance a nova list --all-tenants will show all VMs in the cloud, and there is no option to see only the VMs owned by users in a certain domain.

Thus the administrator of a single domain should not be able to assign a system wide role (such as nova admin) to one user in his/her domain, as it would give such user visibility to all the VMs in all domains.

 

[0]https://blueprints.launchpad.net/tempest/+spec/run-without-admin / <https://blueprints.launchpad.net/tempest/+spec/run-without-admin%20/>  

[1] https://review.openstack.org/#/c/86967/

 

-- 

Andrea Frittoli

QA Tech Lead

HP Cloud ☁

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140425/8951e6ac/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6199 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140425/8951e6ac/attachment-0001.bin>


More information about the OpenStack-dev mailing list