[Openstack] RBAC handled by keystone or each services ?

Joe Savak joe.savak at RACKSPACE.COM
Thu Oct 6 17:08:07 UTC 2011


Hi Kuo,
   RBAC is a hot topic at Essex right now with a few sessions to explicitly discuss them:

http://essexdesignsummit.sched.org/event/2610368e1c5bd0e52982777f75baafb5
http://essexdesignsummit.sched.org/event/2d4b84fe8559d6a144897a1d53adbb9e
http://essexdesignsummit.sched.org/event/6648ad6a353fd56d39d45193a69f6908

I'm sure notes will be shared about the Essex design summit soon.

In the meantime, Keystone tag 2011.03 provides the following functionality for roles:

1. Core calls as defined in https://github.com/openstack/keystone/blob/master/keystone/content/admin/identityadminguide.pdf (should be fully developed)

   a. GET /users/{user_id}/roles - returns global roles for a specific user (excludes tenant roles)

   b. GET /tenants/{tenantId}/users/{user_id}/roles - returns roles for a specific user on a specific tenant (excludes global roles)

2. Extension calls as defined in https://github.com/openstack/keystone/blob/master/keystone/content/admin/OS-KSADM-admin-devguide.pdf (contract complete but not code complete)

   a. GET /OS-KSADM/roles - list roles

   b. POST /OS-KSADM/roles - add role

   c. GET /OS-KSADM/roles/{roleId} - get a role

   d. DELETE /OS-KSADM/roles/{roleId} - delete a role

Since the extension isn't complete yet, you can use keystone-manage to add users, roles, etc. for testing.

Thanks,
Joe

From: openstack-bounces+joe.savak=rackspace.com at lists.launchpad.net [mailto:openstack-bounces+joe.savak=rackspace.com at lists.launchpad.net] On Behalf Of Kuo Hugo
Sent: Wednesday, October 05, 2011 6:39 PM
To: openstack at lists.launchpad.net
Subject: [Openstack] RBAC handled by keystone or each services ?

Hello folks ,

While playing with Keystone, there are four roles named [Admin, Member, KeystoneAdmin, KeystoneServiceAdmin].
I'm confused about who handles these roles' permissions / privileges.... I mean RBAC includes admin, itsec, projectmanager, netadmin, developer roles in NOVA but not Admin/Member.
Is that handled by Keystone or the service itself???

Is there any API to add roles (and also set permissions / privileges)?

My guess is that the RBAC is still on each service (nova / swift), but how does NOVA know the permissions of the role "Admin"?


--
+Hugo Kuo+
tonytkdk at gmail.com
hugo.kuo at cloudena.com
+886-935-004-793

www.cloudena.com
This email may include confidential information. If you received it in error, please delete it.
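Added example, not from this thread or from the Keystone project: a small Python sketch of the split Joe's answer implies. Keystone only answers the two core role calls he lists (global roles for a user, and roles for a user on a tenant, each excluding the other), so a service such as Nova has to union both results and then apply its own policy table, which is the part Kuo asks about. The JSON response shape, the user and tenant ids, the policy table and the offline fetcher are all constructed assumptions; the X-Auth-Token header in the real fetcher is the admin-API header as I understand it, not something quoted from the guides above.

```python
"""Combine Keystone's global and per-tenant role listings, then let the service
decide. Example code written for this thread; shapes and ids are constructed."""
import json
import urllib.request
from typing import Callable, Dict, Set

# Constructed stand-in for the two admin-API responses (assumed shape:
# {"roles": [{"id": ..., "name": ...}]}). Not copied from the Keystone docs.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "/users/u123/roles": {"roles": [{"id": "1", "name": "Admin"}]},
    "/tenants/t42/users/u123/roles": {"roles": [{"id": "2", "name": "Member"}]},
}


def sample_fetcher(path: str) -> dict:
    """Offline replacement for an HTTP GET against the Keystone admin API."""
    return SAMPLE_RESPONSES.get(path, {"roles": []})


def http_fetcher(base_url: str, admin_token: str) -> Callable[[str], dict]:
    """Real fetcher (assumed header): GET base_url + path with X-Auth-Token."""
    def fetch(path: str) -> dict:
        req = urllib.request.Request(base_url + path,
                                     headers={"X-Auth-Token": admin_token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def global_roles(fetch: Callable[[str], dict], user_id: str) -> Set[str]:
    """GET /users/{user_id}/roles: global roles only, tenant roles excluded."""
    return {r["name"] for r in fetch(f"/users/{user_id}/roles")["roles"]}


def tenant_roles(fetch: Callable[[str], dict], tenant_id: str, user_id: str) -> Set[str]:
    """GET /tenants/{tenantId}/users/{user_id}/roles: tenant roles only."""
    path = f"/tenants/{tenant_id}/users/{user_id}/roles"
    return {r["name"] for r in fetch(path)["roles"]}


def effective_roles(fetch: Callable[[str], dict], user_id: str, tenant_id: str) -> Set[str]:
    """The two listings are disjoint by design, so the full picture is their union."""
    return global_roles(fetch, user_id) | tenant_roles(fetch, tenant_id, user_id)


# Constructed policy table: this is the service's decision, not Keystone's.
# Keystone tells you which roles a user holds; what "Admin" may do is decided here.
POLICY: Dict[str, Set[str]] = {
    "compute:create": {"Admin", "Member"},
    "compute:delete_any": {"Admin"},
}


def is_allowed(action: str, roles: Set[str]) -> bool:
    """Allow when the user holds at least one role the policy names for the action.
    Actions with no policy entry are denied rather than silently allowed."""
    required = POLICY.get(action)
    if required is None:
        return False
    return bool(required & roles)


if __name__ == "__main__":
    roles = effective_roles(sample_fetcher, "u123", "t42")
    print("roles for u123 on t42:", sorted(roles))
    for action in ("compute:create", "compute:delete_any", "compute:reboot"):
        print(action, "->", is_allowed(action, roles))
```

The point of the deny-by-default branch in `is_allowed` is that adding a role in Keystone (the OS-KSADM calls, or keystone-manage for now) grants nothing on its own; each service still has to map that role name to actions, which is why Nova's own role names can differ from Keystone's.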