Open Stack

With respect to the comments on Horizon, as soon as Keystone implements the policy rollup and exposes it in the v3 API Horizon will fully honor the policies specified by the various projects. That blueprint for Keystone was targeted for Folsom but got bumped to Grizzly. Hopefully it'll make it in this time so we can get that done.


-          Gabriel

From: openstack-bounces+gabriel.hurley=nebula.com at lists.launchpad.net [mailto:openstack-bounces+gabriel.hurley=nebula.com at lists.launchpad.net] On Behalf Of Dolph Mathews
Sent: Wednesday, October 31, 2012 3:39 PM
To: Guillermo Alvarado
Cc: openstack
Subject: Re: [Openstack] [OpenStack] Limiting new roles

I'm specifically referring to keystone, because you mention "...this role only  can create tentants and roles..." If you can create tenants and roles in keystone, you also have the power to create new users and grant yourself additional roles in keystone, due to the binary nature of the policy implementation in keystone today (thereby -- and unfortunately -- defeating the rest of your statement: "... but cannnot change quotas or modify images").

-Dolph

On Wed, Oct 31, 2012 at 5:29 PM, Guillermo Alvarado <guillermoalvarado89 at gmail.com<mailto:guillermoalvarado89 at gmail.com>> wrote:
I know the implementation is not binay, you can modify the permissions related with nova/glance/swifth of the differents roles. I doubt is if horizon know wich template can view each user...

2012/10/31 Dolph Mathews <dolph.mathews at gmail.com<mailto:dolph.mathews at gmail.com>>
With regard to keystone, the current policy implementation is entirely binary in that a role may either have total control over keystone or none. The implementation in Grizzly is much more granular.

-Dolph

On Wed, Oct 31, 2012 at 2:35 PM, Guillermo Alvarado <guillermoalvarado89 at gmail.com<mailto:guillermoalvarado89 at gmail.com>> wrote:
Hi everyboy,

I want to create a new role, named "another-admin", so this role only  can create tentants and roles but cannnot change quotas or modify images and all other actions that admin role can do.

I read about create rules in the policy.json of each service (nova, keystone, glance, swift) but my doubt is: How can I limit the views/templates/urls of Horizon, I mean, I want that the role "another-admin" can not see templates related to glance and can not see that menu.

Thanks in advance,
Best Regards.



_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack at lists.launchpad.net<mailto:openstack at lists.launchpad.net>
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20121031/d2a742a7/attachment.html>