[keystone][policy] user read-only role not working
melanie witt
melwittt at gmail.com
Mon Nov 2 17:36:19 UTC 2020
Adding back the mailing list +openstack-discuss@
On 11/1/20 23:15, its-openstack at zohocorp.com wrote:
> Dear Openstack,
>
> We are implementing this reader role through kolla-ansible and need
> help in understanding the policy file for adding a custom role in both
> nova and keystone.
You can learn how to use the policy file directly by reading the docs I
linked earlier:
* https://docs.openstack.org/security-guide/identity/policies.html
* https://docs.openstack.org/oslo.policy/train/admin/policy-json-file.html
And then the APIs you can control access to in nova are shown in this
sample file:
* https://docs.openstack.org/nova/train/configuration/sample-policy.html
APIs in keystone are shown in this sample file:
* https://docs.openstack.org/keystone/train/configuration/samples/policy-yaml.html
I'm afraid I don't know anything about how to adjust the policy file
through kolla-ansible though.
Cheers,
-melanie
> ---- On Fri, 02 Oct 2020 02:12:39 +0530 melanie witt
> <melwittt at gmail.com> wrote ----
>
> On 9/25/20 07:25, Ben Nemec wrote:
> > I don't believe that the reader role was respected by most
> > projects in Train. Moving every project to support it is still a
> > work in progress.
>
> This is true and for nova, we have added support for the reader role
> beginning in the Ussuri release as part of this spec work:
>
> https://specs.openstack.org/openstack/nova-specs/specs/ussuri/implemented/policy-defaults-refresh.html
>
> Documentation:
>
> https://docs.openstack.org/nova/latest/configuration/policy-concepts.html
>
>
> To accomplish a read-only user in the Train release for nova, you can
> DIY to a limited extent by creating custom roles and adjusting your
> policy.json file [1][2] accordingly. There are separate policies for
> GET/POST/PUT/DELETE in many cases so if you were to create a role
> ReadWriteUser you could specify that for POST/PUT/DELETE APIs and
> create another role ReadOnlyUser and specify that for GET APIs.
>
> Hope this helps,
> -melanie
>
> [1] https://docs.openstack.org/nova/train/configuration/sample-policy.html
>
> [2] https://docs.openstack.org/security-guide/identity/policies.html
>
> > On 9/24/20 11:58 PM, its-openstack at zohocorp.com wrote:
> >> Dear Openstack,
> >>
> >> We have deployed the openstack train branch.
> >>
> >> This mail is in regards to the default role in openstack. We are
> >> trying to create a read-only user, i.e. the said user can only view
> >> in the web portal (horizon) / using cli commands; the user cannot
> >> create an instance or delete an instance, and the same for any
> >> other resource.
> >>
> >> We created a user in a project "test" with the reader role, but in
> >> horizon/cli the user is able to create and delete instances, and
> >> similarly for other access. If you could kindly help us fix this
> >> issue, we would be grateful.
> >>
> >> The commands used for creation:
> >>
> >> $ openstack user create --domain default --password-prompt test-reader@test.com
> >> $ openstack role add --project test --user test-reader@test.com reader
> >>
> >> Thanks and Regards
> >> sysadmin
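The following is an added example, not code from nova, oslo.policy or anyone on this thread. It works through the DIY approach melanie describes for Train: generate a nova policy.json override that hands GET-style targets to a ReadOnlyUser role and POST/PUT/DELETE targets to a ReadWriteUser role, then sanity-check the result with a small evaluator. The role names, the classification of a target by its last path segment, and the evaluator (a re-implementation of only the slice of oslo.policy rule syntax used here, not the library itself) are assumptions for illustration. The target names are real entries from the Train nova sample policy, but only a sample: anything not listed in policy.json keeps nova's default rule, so a real override has to enumerate every write target in that file. The keystone side of the question is not covered.

```python
"""Added example (not nova or oslo.policy code): build a Train-era nova
policy.json override that splits read (GET) and write (POST/PUT/DELETE)
API targets between two custom roles, then sanity-check the result with
a small evaluator for the subset of oslo.policy rule syntax used here.

Assumptions: the role names ReadOnlyUser / ReadWriteUser, classifying a
target by its last path segment, and the handful of targets below (real
names from the Train nova sample policy, but only a sample; a real
override must cover every write target in that file).
"""
import json

# GET-style targets end in one of these segments in the nova sample policy.
READ_SUFFIXES = ("index", "detail", "show")

# Constructed subset of nova policy targets for the demo.
NOVA_TARGETS = [
    "os_compute_api:servers:index",
    "os_compute_api:servers:detail",
    "os_compute_api:servers:show",
    "os_compute_api:servers:create",
    "os_compute_api:servers:update",
    "os_compute_api:servers:delete",
    "os_compute_api:os-keypairs:index",
    "os_compute_api:os-keypairs:show",
    "os_compute_api:os-keypairs:create",
    "os_compute_api:os-keypairs:delete",
]


def classify(target):
    """'read' for GET-style targets, 'write' for everything else."""
    return "read" if target.rsplit(":", 1)[-1] in READ_SUFFIXES else "write"


def build_policy(targets, ro_role="ReadOnlyUser", rw_role="ReadWriteUser"):
    """Return a policy dict: shared rules plus one entry per target.

    Reads are open to either custom role inside its own project; writes
    only to the read/write role. 'admin' keeps access to everything.
    In oslo.policy 'and' binds tighter than 'or', so
    'role:admin or role:X and rule:project_member' means
    admin OR (X AND member of the target's project).
    """
    policy = {
        "project_member": "project_id:%(project_id)s",
        "admin_or_rw": f"role:admin or role:{rw_role} and rule:project_member",
        "admin_or_any": (f"role:admin or role:{rw_role} and rule:project_member"
                         f" or role:{ro_role} and rule:project_member"),
    }
    for target in targets:
        policy[target] = ("rule:admin_or_any" if classify(target) == "read"
                          else "rule:admin_or_rw")
    return policy


def render_policy_json(policy):
    """Serialize in the policy.json layout nova reads in Train."""
    return json.dumps(policy, indent=2, sort_keys=True)


def enforce(policy, target_name, target, creds):
    """Evaluate policy[target_name] for one API call.

    Re-implements only the syntax used above (not oslo.policy itself):
    atoms 'rule:<name>', 'role:<name>' and '<key>:<value>' where <value>
    may contain %(field)s substituted from the target dict; flat 'and' /
    'or' with 'and' binding tighter; no parentheses, '!' or '@'.
    """
    def atom(expr):
        kind, _, match = expr.partition(":")
        if kind == "rule":
            return evaluate(match)
        if kind == "role":
            return match.lower() in (r.lower() for r in creds.get("roles", []))
        # Generic check: compare a credential field with the substituted value.
        return kind in creds and str(creds[kind]) == match % target

    def evaluate(rule_name):
        disjuncts = policy[rule_name].split(" or ")
        return any(all(atom(a.strip()) for a in d.split(" and "))
                   for d in disjuncts)

    return evaluate(target_name)


def demo():
    """The three cases a read-only role must get right."""
    policy = build_policy(NOVA_TARGETS)
    server_in_test = {"project_id": "test"}
    reader = {"roles": ["ReadOnlyUser"], "project_id": "test"}
    return {
        "reader_can_list": enforce(policy, "os_compute_api:servers:index",
                                   server_in_test, reader),
        "reader_can_create": enforce(policy, "os_compute_api:servers:create",
                                     server_in_test, reader),
        "reader_sees_other_project": enforce(
            policy, "os_compute_api:servers:show",
            {"project_id": "other"}, reader),
    }


if __name__ == "__main__":
    print(render_policy_json(build_policy(NOVA_TARGETS)))
    print(demo())
```

The generated file is an override, so drop it in as nova's policy.json and assign the custom roles on the project, as in the `openstack role add --project ... ReadOnlyUser` step; the project_member rule is what keeps a ReadOnlyUser in one project from listing servers in another, which is the scoping the Keystone reader role does not give you in Train.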