On 9/25/20 07:25, Ben Nemec wrote:
> I don't believe that the reader role was respected by most projects in
> Train. Moving every project to support it is still a work in progress.

This is true and for nova, we have added support for the reader role beginning in the Ussuri release as part of this spec work:

https://specs.openstack.org/openstack/nova-specs/specs/ussuri/implemented/policy-defaults-refresh.html

Documentation:

https://docs.openstack.org/nova/latest/configuration/policy-concepts.html

To accomplish a read-only user in the Train release for nova, you can DIY to a limited extent by creating custom roles and adjusting your policy.json file [1][2] accordingly. There are separate policies for GET/POST/PUT/DELETE in many cases, so if you were to create a role ReadWriteUser you could specify that for POST/PUT/DELETE APIs and create another role ReadOnlyUser and specify that for GET APIs.

Hope this helps,
-melanie

[1] https://docs.openstack.org/nova/train/configuration/sample-policy.html
[2] https://docs.openstack.org/security-guide/identity/policies.html

> On 9/24/20 11:58 PM, its-openstack at zohocorp.com wrote:
>> Dear Openstack,
>>
>> We have deployed openstack train branch.
>>
>> This mail is in regards to the default role in openstack. We are
>> trying to create a read-only user, i.e., the said user can only view in
>> the web portal (horizon)/using cli commands.
>> The user cannot create an instance or delete an instance, the same
>> with any resource.
>>
>> We created a user in a project test with reader role, but in
>> horizon/cli we are able to create and delete instances, and similarly for other
>> access also.
>> If you would so kindly help us fix this issue, we would be grateful.
>>
>> The commands used for creation:
>>
>> $ openstack user create --domain default --password-prompt test-reader@test.com
>> $ openstack role add --project test --user test-reader@test.com reader
>>
>> Thanks and Regards
>> sysadmin
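The custom-role split described in the reply above, written out as a policy override file. This is an added example and not part of the thread or of nova's own sample policy; it assumes the role names ReadWriteUser and ReadOnlyUser from the reply (created with `openstack role create`) and covers only the server rules as an illustration. The `os_compute_api:servers:*` rule names are nova's real Train policy names from the sample policy linked as [1]; oslo.policy parses the file named by `[oslo_policy] policy_file` in nova.conf as YAML, so JSON syntax is accepted as well.

```yaml
# Added example (not from the thread): nova Train policy overrides that
# implement the ReadWriteUser / ReadOnlyUser split. Role names are the
# hypothetical ones from the reply; rule names are nova's real Train rules.
#
# Why the "reader" user could still create instances: the Train default for
# these rules is "rule:admin_or_owner", which expands to
#   "is_admin:True or project_id:%(project_id)s"
# so any role assigned in the project, "reader" included, satisfies it.
# The overrides below replace that default with explicit role checks while
# keeping the project-ownership scoping.

# Named aliases for the two custom roles, scoped to the caller's project.
"read_only": "role:ReadOnlyUser and project_id:%(project_id)s"
"read_write": "role:ReadWriteUser and project_id:%(project_id)s"

# GET APIs: both roles (and admins) may read.
"os_compute_api:servers:index": "is_admin:True or rule:read_only or rule:read_write"
"os_compute_api:servers:detail": "is_admin:True or rule:read_only or rule:read_write"
"os_compute_api:servers:show": "is_admin:True or rule:read_only or rule:read_write"

# POST/PUT/DELETE APIs: only the read-write role (and admins).
"os_compute_api:servers:create": "is_admin:True or rule:read_write"
"os_compute_api:servers:update": "is_admin:True or rule:read_write"
"os_compute_api:servers:delete": "is_admin:True or rule:read_write"
```

Two points to check when applying this: a rule that is not overridden keeps its `admin_or_owner` default, so every write rule in the sample policy (server actions, volumes attachments, keypairs, and so on) has to be listed for ReadOnlyUser to be read-only in practice, and the result can be verified by running a write command as that user and confirming a 403 from the nova API. Horizon keeps its own copy of the nova policy file, so the same overrides must be applied there for the UI to hide the create/delete buttons; enforcement itself happens in the nova API regardless of what Horizon shows.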