[Openstack] cloud-wide access policies
Adam Young
ayoung at redhat.com
Mon Oct 5 22:07:27 UTC 2015
On 10/05/2015 05:47 PM, Andrew Bogott wrote:
> I would like to be able to create some accounts with cloud-wide
> permissions in my OpenStack install. Specifically:
>
https://bugs.launchpad.net/keystone/+bug/968696
> 'observer' permissions:
>
> This would be an account (or type of account) that has 'read-only
> access' to all tenants. This would be used to provide a public view
> onto cloud usage[1], and also be used for monitoring and metrics.
>
> 'cloudadmin' permissions:
>
> This would be an account (or type of account) that has access to
> everything.
>
> Right now I accomplish the latter by hooking tenant creation and
> explicitly adding an account called 'novaadmin' to each project. I'm
> pretty sure I know how to write policy.json stanzas to define the
> various sets of rights that I want, the challenge is in assigning them
> to cloud-wide users.
>
> I have the impression that new Domains and Groups features would allow
> for a more elegant solution, but googling for 'domains' and 'groups'
> hasn't turned up anything other than a few years-old design documents.
>
> How are other people addressing the 'cloudadmin' issue? Are there
> docs that explain this that I'm overlooking?
>
> I'm currently running Kilo but will entertain suggestions that require
> Liberty as well. Similarly, right now everything is tuned to keystone
> api v2.0 but I'm planning to migrate to 3 sometime soon so that's not
> a deal-breaker either.
>
> Thank you!
>
> -Andrew
I've been trying to get movement behind a solution for this for a while.
You can come up with a hard coded solution for your cloud, but it will
involve editing the policy files.
The best bet is to come up with an admin domain, and have a rule that
checks that a user is in the admin domain.
See my presentation from Vancouver:
http://openstacksummitmay2015vancouver.sched.org/event/14f4c5993e34b0f6a10c810510abbd73#.VhL0mbP-SV4
>
>
> [1] Being wikimedia, we try to practice transparency in all things
> :) Most of this information is already available to the public, but
> collected asynchronously and a real drag to maintain. Also the link
> that displays it is preposterous:
> https://wikitech.wikimedia.org/w/index.php?title=Special:Ask&offset=0&limit=250&q=[[Resource+Type%3A%3Aproject]]&p=format%3Dbroadtable%2Flink%3Dall%2Fheaders%3Dshow%2Fmainlabel%3D-2D%2Fsearchlabel%3Dprojects&po=%3F%0A%3FDescription%0A
>
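As an added example (not from the thread, and not Keystone's own policy file or policy engine), here is the shape of the admin-domain rule Adam describes, written as oslo.policy-style rules together with a minimal evaluator for the small rule subset used. ADMIN_DOMAIN_ID is a placeholder, and the credential keys (roles, domain_id, project_id) are assumed to mirror what Keystone derives from the token.

```python
# Constructed example: cloud-wide 'cloudadmin' and 'observer' rights granted by
# role *plus* membership in a dedicated admin domain, so a project admin in any
# other domain does not inherit cloud-wide power. The evaluator below is a
# stand-in for oslo.policy covering only 'rule:', 'role:', attribute atoms,
# 'and' and 'or'; it is not Keystone code.
ADMIN_DOMAIN_ID = "ADMIN_DOMAIN_ID_PLACEHOLDER"  # replace with the real domain id

POLICY = {
    # Cloud-wide admin: admin role on a token scoped to the admin domain.
    "cloud_admin": f"role:admin and domain_id:{ADMIN_DOMAIN_ID}",
    # Cloud-wide read-only account for monitoring, metrics and public usage views.
    "cloud_observer": f"role:observer and domain_id:{ADMIN_DOMAIN_ID}",
    # Ordinary admin: admin role on whatever the token is scoped to.
    "admin_required": "role:admin",
    "identity:list_projects": "rule:cloud_admin or rule:cloud_observer",
    "identity:get_project": "rule:cloud_admin or rule:cloud_observer or rule:admin_required",
    "identity:delete_project": "rule:cloud_admin",
}

# Constructed credentials as a policy engine would derive them from a token.
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": ADMIN_DOMAIN_ID}
OBSERVER = {"roles": ["observer"], "domain_id": ADMIN_DOMAIN_ID}
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "p1", "domain_id": "some-other-domain"}


def _check(atom, creds):
    """Evaluate one 'kind:value' atom against the token credentials."""
    kind, value = atom.split(":", 1)
    if kind == "rule":
        return enforce(value, creds)
    if kind == "role":
        return value in creds.get("roles", [])
    # Any other key is compared against the same-named credential attribute.
    return str(creds.get(kind)) == value


def enforce(rule_name, creds):
    """'and' binds tighter than 'or', as in oslo.policy's rule grammar."""
    expr = POLICY[rule_name]
    return any(all(_check(a.strip(), creds) for a in clause.split(" and "))
               for clause in expr.split(" or "))


if __name__ == "__main__":
    for name, creds in [("cloud admin", CLOUD_ADMIN), ("observer", OBSERVER),
                        ("project admin", PROJECT_ADMIN)]:
        for action in ("identity:list_projects", "identity:delete_project"):
            print(f"{name:14} {action:25} -> {enforce(action, creds)}")
```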