[Openstack] [OpenStack] [Keystone] How to manage permissions for a role in keystone?

Alexandr Porunov alexandr.porunov at gmail.com
Thu Sep 22 10:28:46 UTC 2016


Hello,

I have installed Swift and Keystone. Now I want to create several users
with different permissions:

reader - can read from the following containers: "video", "audio", "subtitles",
"photos"
media_manager - can do anything in the following containers: "video", "audio",
"subtitles", "photos"
crypt_manager - cannot do anything in Swift but can get tokens directly
from keystone (it is for other usage).

There are a lot of things in keystone (user, role, project, service,
endpoint, region-id, admin-url, public-url, internal-url) and it is a little
bit confusing. Can somebody explain to me how to configure such users with
those roles?

I haven't bootstrapped keystone, so I don't have the admin role yet. I am
worried about security with an administrator user. Do we need to define it?
I have read examples which say that first you have to bootstrap your
keystone and it will create the admin user with the admin role:

keystone-manage bootstrap --bootstrap-password s3cr3t

Also the full command for defining all things is:

keystone-manage bootstrap \
    --bootstrap-password s3cr3t \
    --bootstrap-username admin \
    --bootstrap-project-name admin \
    --bootstrap-role-name admin \
    --bootstrap-service-name keystone \
    --bootstrap-region-id RegionOne \
    --bootstrap-admin-url http://localhost:35357 \
    --bootstrap-public-url http://localhost:5000 \
    --bootstrap-internal-url http://localhost:5000

What is a "role"? It is a little bit confusing because it has the name "admin".
Which roles can we use except admin? What permissions can they give to the
user?
Also we can create additional roles:
keystone role-create --name my_new_role

But what does this role mean? How do I set some permissions on this role (i.e. if
I want to set read-only permission for everything in swift but write permission only for some
containers?)

What should we specify in a region-id?

What should we specify in the admin, public and internal URLs? What do they mean?

Sorry for the many questions.

Sincerely,
Alexandr
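An added illustration (not code from the original post, from Keystone or from Swift) of the point behind the question about what a role "means": in Keystone a role is only a name attached to a user's assignment on a project, and it carries no permission until a service interprets it. Swift's keystoneauth middleware interprets it in exactly two ways: a role listed in the proxy's operator_roles setting (default: admin, swiftoperator) gives full access to the project's account, and any other caller is judged by the container's read/write ACLs, whose entries name project:user pairs rather than roles. The model below reproduces that decision for the three users described above. The project name "media", the role name "member", the "private" container and the user names are constructed for the example; referrer ACLs (.r:*) and the reseller_admin role are deliberately left out.

```python
"""Simplified model of how Swift's keystoneauth middleware decides container access.

Added illustration only (not Swift or Keystone source). Two mechanisms are kept:
  1. a role listed in ``operator_roles`` gives full access to the project's account;
  2. everyone else is checked against the container's read/write ACL entries of
     the form ``project:user`` (``*`` is a wildcard).
"""
from dataclasses import dataclass, field

# keystoneauth default in proxy-server.conf: operator_roles = admin, swiftoperator
OPERATOR_ROLES = {"admin", "swiftoperator"}
READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"PUT", "POST", "DELETE"}


@dataclass
class Token:
    """What a validated Keystone token contributes to the decision."""
    user: str
    project: str
    roles: set


@dataclass
class Container:
    name: str
    read_acl: list = field(default_factory=list)   # X-Container-Read entries
    write_acl: list = field(default_factory=list)  # X-Container-Write entries


def acl_matches(acl, token):
    """True if any ``project:user`` entry matches the token (``*`` as wildcard)."""
    for entry in acl:
        if ":" not in entry:
            continue  # other ACL forms (referrer rules etc.) are not modelled here
        project, user = entry.split(":", 1)
        if project in ("*", token.project) and user in ("*", token.user):
            return True
    return False


def is_allowed(token, account_project, container, method):
    """Decide whether ``token`` may run ``method`` on ``container``.

    ``account_project`` is the project that owns the Swift account
    (AUTH_<project_id> in a real deployment).
    """
    # 1. Operator role inside the account's own project: full access.
    if token.project == account_project and token.roles & OPERATOR_ROLES:
        return True
    # 2. Otherwise only container ACLs can grant anything; a role name that is
    #    not an operator role carries no Swift permission by itself.
    if method in READ_METHODS:
        return acl_matches(container.read_acl, token)
    if method in WRITE_METHODS:
        return acl_matches(container.write_acl, token)
    return False


def build_scenario():
    """Constructed sample matching the three users described in the post."""
    project = "media"  # constructed project name
    tokens = {
        # ordinary (non-operator) role: no Swift rights unless an ACL names the user
        "reader": Token("reader", project, {"member"}),
        # operator role: everything in the project's account
        "media_manager": Token("media_manager", project, {"swiftoperator"}),
        # can still authenticate to Keystone, but gets no Swift access at all
        "crypt_manager": Token("crypt_manager", project, {"member"}),
    }
    containers = {
        name: Container(name, read_acl=[f"{project}:reader"])
        for name in ("video", "audio", "subtitles", "photos")
    }
    containers["private"] = Container("private")  # constructed: no ACL at all
    return project, tokens, containers


def decision_matrix():
    """Return {(user, container, method): allowed} for the sample scenario."""
    project, tokens, containers = build_scenario()
    return {
        (user, cname, method): is_allowed(token, project, cont, method)
        for user, token in tokens.items()
        for cname, cont in containers.items()
        for method in ("GET", "PUT")
    }


if __name__ == "__main__":
    for (user, cname, method), ok in sorted(decision_matrix().items()):
        print(f"{user:14} {method:4} {cname:10} -> {'allow' if ok else 'deny'}")
```

In a real deployment the same shape is produced by creating the role and assignment in Keystone (openstack role create, openstack role add --project ... --user ...) and setting the read ACL on each container with swift post -r 'media:reader' video; the model makes the security-relevant consequence visible: granting an operator role is all-or-nothing for the whole account, so per-container restrictions for the "reader" persona must come from ACLs on a non-operator user, and the "crypt_manager" user stays out of Swift simply by holding neither an operator role nor an ACL entry.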