[Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

Brian Waldon brian.waldon at rackspace.com
Fri May 11 01:32:01 UTC 2012


Dolph: I think what Salman is looking for is some way to configure what role is used to determine admin-ness within a service. For example, Glance allows you to set a 'service_role' option. The context.is_admin checks make sure whatever role defined in service_role is found in the roles returned by Keystone rather than assuming it is 'admin'.

Salman: As for documentation, you can look to http://glance.openstack.org/policies.html for an overview of what is available in Glance.


Brian


On May 10, 2012, at 6:10 PM, Dolph Mathews wrote:

> policy.json is entirely end-user configurable (it's not hardcoded at all): replace every instance of "role:admin" in your policy.json (there's two by default in nova's policy.json, for example) with "role:myadmin", create the corresponding "myadmin" role in keystone, and grant it to the appropriate users instead of "admin".
> 
> You can also have multiple roles with admin-like behaviors (see nova's admin_or_owner as an example), or roles with very limited sets of capabilities, e.g.:
> 
>     "volume:create": [["role:custom_role_that_can_only_create_volumes"]]
> 
> -Dolph
> 
> On Thu, May 10, 2012 at 4:32 PM, Salman A Baset <sabaset at us.ibm.com> wrote:
> It seems that 'admin' role is hard-coded across nova and horizon. As a result if I want to define 'myadmin' role, and grant it all the admin privileges, it does not seem possible. Is this a recognized limitation?
> 
> Further, is there some good documentation on policy.json for nova, keystone, and glance?
> 
> Thanks.
> 
> Best Regards,
> 
> Salman A. Baset
> Research Staff Member, IBM T. J. Watson Research Center
> Tel: +1-914-784-6248
> 
> 
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
> 

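To make Dolph's description of the policy.json rule format concrete, here is an added example (not code from this thread or from OpenStack itself): a simplified evaluator for the list-of-lists syntax quoted above, where the outer list holds alternatives and each inner list holds checks that must all match. The policy text is constructed for illustration, with "role:admin" already swapped for "role:myadmin" and an "admin_or_owner" rule like nova's; the real engine (openstack.common.policy) also handles a "default" rule and more check types, which this version omits.

```python
import json

# Constructed policy.json for the example. Rule values use the legacy
# list-of-lists form: any inner list that fully matches grants the action.
POLICY_JSON = """
{
    "admin_or_owner": [["role:myadmin"], ["project_id:%(project_id)s"]],
    "compute:delete": [["rule:admin_or_owner"]],
    "compute:get_all_tenants": [["role:myadmin"]],
    "volume:create": [["role:custom_role_that_can_only_create_volumes"]]
}
"""


def load_policy(text):
    """Parse policy.json text into a dict of action -> alternatives."""
    return json.loads(text)


def _check(check, rules, creds, target):
    """Evaluate one 'kind:match' check against the caller's credentials."""
    kind, _, match = check.partition(":")
    if kind == "rule":
        # Reference to another named rule, e.g. "rule:admin_or_owner".
        return enforce(match, rules, creds, target)
    if kind == "role":
        # Role names come from the Keystone token; compare case-insensitively.
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic credential comparison, e.g. "project_id:%(project_id)s": the
    # match side is interpolated from the target object being acted on.
    try:
        return str(creds.get(kind)) == (match % target)
    except KeyError:
        return False  # target lacks the attribute the rule asks about


def enforce(action, rules, creds, target=None):
    """Return True if creds are allowed to perform action on target."""
    target = target or {}
    alternatives = rules.get(action)
    if alternatives is None:
        return False  # simplified: no "default" rule, unknown actions are denied
    if alternatives == []:
        return True  # an empty rule means always allowed
    return any(all(_check(c, rules, creds, target) for c in alt)
               for alt in alternatives)
```

With the constructed policy, a user holding only the custom volume role can create volumes but nothing else, while "myadmin" users pass the admin_or_owner rule without owning the target.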