[Openstack] cloud-wide access policies

Adam Young ayoung at redhat.com
Mon Oct 5 22:07:27 UTC 2015


On 10/05/2015 05:47 PM, Andrew Bogott wrote:
> I would like to be able to create some accounts with cloud-wide 
> permissions in my OpenStack install.  Specifically:
>


https://bugs.launchpad.net/keystone/+bug/968696

> 'observer' permissions:
>
>     This would be an account (or type of account) that has 'read-only 
> access' to all tenants.  This would be used to provide a public view 
> onto cloud usage[1], and also be used for monitoring and metrics.
>
> 'cloudadmin' permissions:
>
>     This would be an account (or type of account) that has access to 
> everything.
>
> Right now I accomplish the latter by hooking tenant creation and 
> explicitly adding an account called 'novaadmin' to each project. I'm 
> pretty sure I know how to write policy.json stanzas to define the 
> various sets of rights that I want, the challenge is in assigning them 
> to cloud-wide users.
>
> I have the impression that new Domains and Groups features would allow 
> for a more elegant solution, but googling for 'domains' and 'groups' 
> hasn't turned up anything other than a few years-old design documents.
>
> How are other people addressing the 'cloudadmin' issue?  Are there 
> docs that explain this that I'm overlooking?
>
> I'm currently running Kilo but will entertain suggestions that require 
> Liberty as well.  Similarly, right now everything is tuned to keystone 
> api v2.0 but I'm planning to migrate to 3 sometime soon so that's not 
> a deal-breaker either.
>
> Thank you!
>
> -Andrew

I've been trying to get movement behind a solution for this for a while.

You can come up with a hard coded solution for your cloud, but it will 
involve editing the policy files.

The best bet is to come up with an admin domain, and have a rule that 
checks that a user is in the admin domain.

See my presentation from Vancouver:
http://openstacksummitmay2015vancouver.sched.org/event/14f4c5993e34b0f6a10c810510abbd73#.VhL0mbP-SV4




>
>
> [1]  Being wikimedia, we try to practice transparency in all things 
> :)  Most of this information is already available to the public, but 
> collected asynchronously and a real drag to maintain. Also the link 
> that displays it is preposterous: 
> https://wikitech.wikimedia.org/w/index.php?title=Special:Ask&offset=0&limit=250&q=[[Resource+Type%3A%3Aproject]]&p=format%3Dbroadtable%2Flink%3Dall%2Fheaders%3Dshow%2Fmainlabel%3D-2D%2Fsearchlabel%3Dprojects&po=%3F%0A%3FDescription%0A
>
> _______________________________________________
> Mailing list: 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
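An added worked example (the editor's, not code from the thread or from the OpenStack project) of the "admin domain plus a rule that checks for it" approach: a small Python model of how a keystone policy.json rule such as "cloud_admin" is evaluated against the credentials keystone builds from a token. The rule language implemented here is a simplified re-implementation of the subset of oslo.policy syntax the sample rules need, not oslo.policy itself; the policy fragment, the domain id and the credential dicts are constructed, and the shape of the credential dicts (project-scoped tokens carry project_id, domain-scoped tokens carry domain_id) is an assumption about keystone's behaviour.

```python
"""Added example (not code from the thread or OpenStack): a simplified model of
the policy rule language used by keystone's policy.json ("role:x", "rule:x",
"key:value" matched against token credentials, "key:%(target_key)s" matched
against the request target, not/and/or, parentheses).  Not oslo.policy itself.
"""
import json

# Constructed fragment in the style of keystone's policy.v3cloudsample.json.
# The right-hand side of "domain_id:..." is a literal, so the placeholder
# ADMIN_DOMAIN_ID must be replaced by the real admin domain id when deployed.
POLICY_JSON = """
{
  "admin_required": "role:admin",
  "cloud_admin": "rule:admin_required and domain_id:ADMIN_DOMAIN_ID",
  "observer": "role:observer and domain_id:ADMIN_DOMAIN_ID",
  "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
  "identity:list_projects": "rule:cloud_admin or rule:observer",
  "identity:delete_project": "rule:cloud_admin",
  "identity:update_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id"
}
"""
ADMIN_DOMAIN_ID = "3f1d4b2e9a7c4d0e8b5f6a1c2d3e4f50"  # constructed sample id
RULES = {name: rule.replace("ADMIN_DOMAIN_ID", ADMIN_DOMAIN_ID)
         for name, rule in json.loads(POLICY_JSON).items()}

# Constructed credentials, modelled (an assumption) on what keystone derives
# from a v3 token: project-scoped tokens carry project_id, domain-scoped
# tokens carry domain_id, never both.
DOMAIN_SCOPED_ADMIN = {"user_id": "u1", "roles": ["admin"], "domain_id": ADMIN_DOMAIN_ID}
PROJECT_SCOPED_ADMIN = {"user_id": "u1", "roles": ["admin"], "project_id": "p1"}
DOMAIN_SCOPED_OBSERVER = {"user_id": "u2", "roles": ["observer"], "domain_id": ADMIN_DOMAIN_ID}
OTHER_DOMAIN_ADMIN = {"user_id": "u3", "roles": ["admin"], "domain_id": "other"}

def _tokenize(expr):
    """Split on whitespace, peeling leading "(" and trailing ")" off each word
    so that "%(domain_id)s" stays one token (as oslo.policy's lexer does)."""
    tokens = []
    for word in expr.split():
        opens = len(word) - len(word.lstrip("("))
        closes = len(word) - len(word.rstrip(")"))
        tokens += ["("] * opens
        if word.strip("()"):
            tokens.append(word.strip("()"))
        tokens += [")"] * closes
    return tokens

def _check(atom, target, creds):
    """Evaluate one "kind:match" atom against the request target and creds."""
    kind, match = atom.split(":", 1)
    if kind == "rule":
        return enforce(match, target, creds)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:  # generic check: fill %(key)s from the target, compare to creds[kind]
        match = match % target
    except (KeyError, ValueError, TypeError):
        return False
    return kind in creds and str(creds[kind]) == match

def _parse_or(tokens, target, creds):
    result = _parse_and(tokens, target, creds)
    while tokens and tokens[0].lower() == "or":
        tokens.pop(0)
        result = _parse_and(tokens, target, creds) or result
    return result

def _parse_and(tokens, target, creds):  # "and" binds tighter than "or"
    result = _parse_not(tokens, target, creds)
    while tokens and tokens[0].lower() == "and":
        tokens.pop(0)
        result = _parse_not(tokens, target, creds) and result
    return result

def _parse_not(tokens, target, creds):
    tok = tokens.pop(0)
    if tok.lower() == "not":
        return not _parse_not(tokens, target, creds)
    if tok == "(":
        value = _parse_or(tokens, target, creds)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses")
        return value
    return _check(tok, target, creds)

def enforce(rule_name, target, creds):
    """True if the named rule allows the request; an unknown rule denies."""
    expr = RULES.get(rule_name)
    if expr is None:
        return False
    tokens = _tokenize(expr)
    result = _parse_or(tokens, target, creds)
    if tokens:
        raise ValueError("trailing tokens in rule %r" % rule_name)
    return result

if __name__ == "__main__":
    for who, creds in [("domain-scoped", DOMAIN_SCOPED_ADMIN), ("project-scoped", PROJECT_SCOPED_ADMIN)]:
        print(who, "admin may delete a project:", enforce("identity:delete_project", {}, creds))
```

Two things this makes visible that the rule text alone does not. First, the domain-scoped admin passes "cloud_admin" while the project-scoped admin with the same role fails it: the check is on the scope of the token, so a cloud admin has to authenticate with a domain-scoped token on the admin domain, which is a different thing from being added to every project as a member (that only ever yields project-scoped tokens). Second, the "observer" rule gets read-only reach across the cloud by the same mechanism, a role that only means something when combined with the admin-domain check, while "admin_and_matching_domain_id" shows the contrast with an ordinary domain admin, who is matched against the target of the request and so cannot touch the admin domain. Before copying such a rule into another service's policy.json, check what that service actually puts into the credential dict it hands to the enforcer; if domain_id is not there, the rule can never match.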
