[Openstack] cloud-wide access policies

Andrew Bogott abogott at wikimedia.org
Mon Oct 5 21:47:07 UTC 2015


I would like to be able to create some accounts with cloud-wide 
permissions in my OpenStack install.  Specifically:

'observer' permissions:

     This would be an account (or type of account) that has 'read-only 
access' to all tenants.  This would be used to provide a public view 
onto cloud usage[1], and also be used for monitoring and metrics.

'cloudadmin' permissions:

     This would be an account (or type of account) that has access to 
everything.

Right now I accomplish the latter by hooking tenant creation and 
explicitly adding an account called 'novaadmin' to each project. I'm 
pretty sure I know how to write policy.json stanzas to define the 
various sets of rights that I want; the challenge is in assigning them 
to cloud-wide users.

I have the impression that the new Domains and Groups features would allow 
for a more elegant solution, but googling for 'domains' and 'groups' 
hasn't turned up anything other than a few years-old design documents.

How are other people addressing the 'cloudadmin' issue?  Are there docs 
that explain this that I'm overlooking?

I'm currently running Kilo but will entertain suggestions that require 
Liberty as well.  Similarly, right now everything is tuned to keystone 
api v2.0 but I'm planning to migrate to 3 sometime soon so that's not a 
deal-breaker either.

Thank you!

-Andrew


[1]  Being wikimedia, we try to practice transparency in all things :)  
Most of this information is already available to the public, but 
collected asynchronously and a real drag to maintain.  Also the link 
that displays it is preposterous: 
https://wikitech.wikimedia.org/w/index.php?title=Special:Ask&offset=0&limit=250&q=[[Resource+Type%3A%3Aproject]]&p=format%3Dbroadtable%2Flink%3Dall%2Fheaders%3Dshow%2Fmainlabel%3D-2D%2Fsearchlabel%3Dprojects&po=%3F%0A%3FDescription%0A
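An added illustration, not code from this mail or from OpenStack itself: constructed policy.json stanzas for the 'observer' and 'cloudadmin' accounts described above, with a small evaluator in the style of oslo.policy's rule grammar so the effect of each role can be checked. The rule name observer_or_owner, the role names and the sample credentials are assumptions.

```python
import re

# Constructed nova-style policy.json stanzas (an assumption, not the poster's or
# OpenStack's own file): 'observer' reads any tenant, 'cloudadmin' does anything.
POLICY = {
    "context_is_admin": "role:admin or role:cloudadmin",
    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
    "observer_or_owner": "rule:admin_or_owner or role:observer",  # hypothetical name
    "default": "rule:admin_or_owner",
    "compute:get": "rule:observer_or_owner",
    "compute:get_all_tenants": "rule:context_is_admin or role:observer",
    "compute:delete": "rule:admin_or_owner",
}

def _check_atom(atom, creds, target):
    """Evaluate one 'kind:value' atom: role:, rule:, or a generic field check."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return enforce(value, creds, target)
    # Generic check, e.g. project_id:%(project_id)s: caller field vs target field.
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:
        return creds.get(kind) == target.get(m.group(1))
    return str(creds.get(kind)) == value

def enforce(action, creds, target):
    """True if `creds` may perform `action` on `target`; flat 'a or b and c'
    grammar only ('and' binds tighter, no parentheses), like oslo.policy's."""
    rule = POLICY.get(action, POLICY["default"])
    if not rule.strip():
        return True  # an empty rule means "always allowed"
    return any(all(_check_atom(a.strip(), creds, target)
                   for a in clause.split(" and "))
               for clause in rule.split(" or "))

def demo():
    """Exercise the two account types against a server owned by tenant-a."""
    server = {"project_id": "tenant-a"}
    observer = {"roles": ["observer"], "project_id": "monitoring"}
    cloudadmin = {"roles": ["cloudadmin"], "project_id": "admin"}
    member = {"roles": ["_member_"], "project_id": "tenant-b"}
    return {
        "observer_reads": enforce("compute:get", observer, server),
        "observer_deletes": enforce("compute:delete", observer, server),
        "cloudadmin_deletes": enforce("compute:delete", cloudadmin, server),
        "member_reads_other_tenant": enforce("compute:get", member, server),
    }
```

The stanzas only take effect once a user actually carries the 'observer' or 'cloudadmin' role, which is exactly the cloud-wide assignment question the mail raises.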



