[keystone] Re: Pike: "Observer" or "read-only" admin access?
Colleen Murphy
colleen at gazlene.net
Fri Apr 12 15:49:20 UTC 2019
Hi Ken,
On Thu, Apr 11, 2019, at 15:05, Ken D'Ambrosio wrote:
> Hi, all. Beginning to roll out a newer-than-what-we-had OpenStack
> release -- likely to be Pike, "For reasons." (Which is still *worlds*
> newer than Juno, where we are.) And I've been asked if there's such a
> thing as an account (or ACL) that allows a user to read everything, but
> write nothing. Googling, I see mention of such things -- but nothing
> really firm. Does it exist? Is it in Pike (or more recent releases)?
> If it doesn't exist, is there a graceful way to make it happen, anyway?
>
> Thanks!
>
> -Ken
There is currently no read-only role that works out of the box in Pike or even in Stein. It's been a longstanding request and we're working on it:
http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
The problem now is that just creating a role named "reader" in keystone doesn't automatically fix the problem; we need to coordinate with every project to redefine their default policies to use the reader role instead of using a catch-all member/Member/__member__ role. In the meantime, you can modify the policies of the services you run to limit write operations to non-reader roles:
https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
https://docs.openstack.org/oslo.policy/latest/admin/policy-yaml-file.html
Hope this helps.
Colleen
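The per-service policy change Colleen describes, worked through as an added example (this is not code from the post, nor from keystone, nova or oslo.policy). It embeds a constructed policy fragment of the kind you would put in a service's policy.yaml, with read rules accepting either a "reader" or a "member" role and write rules requiring "member", and it runs a toy evaluator for the subset of the oslo.policy rule language those rules use (`rule:`, `role:`, `is_admin:`, `project_id:%(project_id)s`, `and`/`or`/`not`, parentheses) so the effect can be checked offline. Assumptions: the rule keys follow nova's `os_compute_api:servers:*` policy names, a "reader" role has been created in keystone and assigned on the project alongside the existing "member" role, and the evaluator mirrors only the oslo.policy semantics needed here, so it is for illustration, not a replacement for `oslo_policy.policy.Enforcer`.

```python
"""Toy evaluator for a subset of the oslo.policy rule language.

Added illustration only: not code from the mailing-list post or from
keystone/nova/oslo.policy. It shows how a Pike deployment could edit a
service's policy.yaml so that a "reader" role can read but not write.
Assumed: "reader" and "member" roles exist in keystone and are assigned
on the project; rule keys follow nova's policy names.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed policy.yaml content, as a dict so the example runs offline.
# Reads accept reader or member; writes require member. "servers:update"
# deliberately uses "not role:reader" to show the pitfall of negative rules.
POLICY: Dict[str, str] = {
    "admin_required": "role:admin or is_admin:True",
    "owner": "project_id:%(project_id)s",
    "reader_or_member": "role:reader or role:member",
    "os_compute_api:servers:index": "rule:admin_required or (rule:owner and rule:reader_or_member)",
    "os_compute_api:servers:show": "rule:admin_required or (rule:owner and rule:reader_or_member)",
    "os_compute_api:servers:create": "rule:admin_required or (rule:owner and role:member)",
    "os_compute_api:servers:delete": "rule:admin_required or (rule:owner and role:member)",
    "os_compute_api:servers:update": "rule:admin_required or (rule:owner and not role:reader)",
}

# The "%(field)s" form is listed before the generic "kind:value" form
# because it contains parentheses that would otherwise be split off.
_TOKEN_RE = re.compile(
    r"\(|\)|\band\b|\bor\b|\bnot\b|[A-Za-z_]+:%\([A-Za-z_]+\)s|[A-Za-z_]+:[^\s()]+|@|!"
)


def tokenize(expr: str) -> List[str]:
    return _TOKEN_RE.findall(expr)


class _Parser:
    """Recursive descent with precedence not > and > or, as in oslo.policy."""

    def __init__(self, tokens: List[str]) -> None:
        self.toks = tokens
        self.i = 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self) -> Tuple:
        node = self._parse_or()
        if self._peek() is not None:
            raise ValueError("trailing tokens in rule")
        return node

    def _parse_or(self):
        node = self._parse_and()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._parse_and())
        return node

    def _parse_and(self):
        node = self._parse_not()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._parse_not())
        return node

    def _parse_not(self):
        if self._peek() == "not":
            self._take()
            return ("not", self._parse_not())
        return self._parse_atom()

    def _parse_atom(self):
        tok = self._take()
        if tok == "(":
            node = self._parse_or()
            if self._take() != ")":
                raise ValueError("missing ')' in rule")
            return node
        if tok is None or tok in (")", "and", "or", "not"):
            raise ValueError("malformed rule")
        return ("check", tok)


def _check(atom: str, rules: Dict[str, str], creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    if atom == "@":          # always allow
        return True
    if atom == "!":          # always deny
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":       # reference to another named rule
        return evaluate(rules[value], rules, creds, target)
    if kind == "role":       # role carried by the token
        return value in creds.get("roles", [])
    if kind not in creds:    # generic check on a missing credential field denies
        return False
    if value.startswith("%(") and value.endswith(")s"):   # compare with target field
        field = value[2:-2]
        return field in target and str(creds[kind]) == str(target[field])
    return str(creds[kind]) == value                       # compare with literal


def _eval(node: Tuple, rules, creds, target) -> bool:
    op = node[0]
    if op == "check":
        return _check(node[1], rules, creds, target)
    if op == "not":
        return not _eval(node[1], rules, creds, target)
    if op == "and":
        return _eval(node[1], rules, creds, target) and _eval(node[2], rules, creds, target)
    return _eval(node[1], rules, creds, target) or _eval(node[2], rules, creds, target)


def evaluate(expr: str, rules: Dict[str, str], creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    return _eval(_Parser(tokenize(expr)).parse(), rules, creds, target)


def enforce(action: str, creds: Dict[str, Any], target: Dict[str, Any], rules: Dict[str, str] = POLICY) -> bool:
    """True if the policy for `action` admits these token credentials against `target`."""
    return evaluate(rules[action], rules, creds, target)


def demo() -> Dict[str, bool]:
    """Constructed tokens: a reader, a member, and a user holding both roles on project p1."""
    project = {"project_id": "p1"}
    reader = {"roles": ["reader"], "project_id": "p1", "is_admin": False}
    member = {"roles": ["member"], "project_id": "p1", "is_admin": False}
    both = {"roles": ["reader", "member"], "project_id": "p1", "is_admin": False}
    return {
        "reader_index": enforce("os_compute_api:servers:index", reader, project),
        "reader_create": enforce("os_compute_api:servers:create", reader, project),
        "reader_other_project": enforce("os_compute_api:servers:index", reader, {"project_id": "p2"}),
        "member_create": enforce("os_compute_api:servers:create", member, project),
        "both_create": enforce("os_compute_api:servers:create", both, project),
        "both_update": enforce("os_compute_api:servers:update", both, project),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The write rules name the roles that may write rather than excluding `reader`: the `servers:update` rule shows why, since a user who holds both `reader` and `member` on the project is denied by `not role:reader` even though they legitimately hold the write role. Because Pike's default rules typically fall back to a project-ownership check, a reader assigned on the project would pass the default write rules unless each write rule is rewritten this way, which is the per-service work the reply refers to.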
More information about the openstack-discuss mailing list