
openstack team mailing list archive

Re: RBAC handled by keystone or each services ?


Hi Kuo,
   RBAC is a hot topic at Essex right now, with a few sessions to explicitly discuss it:

http://essexdesignsummit.sched.org/event/2610368e1c5bd0e52982777f75baafb5
http://essexdesignsummit.sched.org/event/2d4b84fe8559d6a144897a1d53adbb9e
http://essexdesignsummit.sched.org/event/6648ad6a353fd56d39d45193a69f6908

I'm sure notes will be shared about the Essex design summit soon.

In the meantime, Keystone tag 2011.03 provides the following functionality for roles:

1. Core calls as defined in https://github.com/openstack/keystone/blob/master/keystone/content/admin/identityadminguide.pdf (should be fully developed)

   a. GET /users/{user_id}/roles - returns global roles for a specific user (excludes tenant roles)

   b. GET /tenants/{tenantId}/users/{user_id}/roles - returns roles for a specific user on a specific tenant (excludes global roles)

2. Extension calls as defined in https://github.com/openstack/keystone/blob/master/keystone/content/admin/OS-KSADM-admin-devguide.pdf (contract complete but not code complete)

   a. GET /OS-KSADM/roles - list roles

   b. POST /OS-KSADM/roles - add role

   c. GET /OS-KSADM/roles/{roleId} - get a role

   d. DELETE /OS-KSADM/roles/{roleId} - delete a role

Since the extension isn't complete yet, you can use keystone-manage to add users, roles, etc. for testing.

Thanks,
Joe

From: openstack-bounces+joe.savak=rackspace.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+joe.savak=rackspace.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Kuo Hugo
Sent: Wednesday, October 05, 2011 6:39 PM
To: openstack@xxxxxxxxxxxxxxxxxxx
Subject: [Openstack] RBAC handled by keystone or each services ?

Hello folks,

While playing with Keystone, there are four roles named [Admin, Member, KeystoneAdmin, KeystoneServiceAdmin].
I'm confused about who handles these roles' permissions / privileges.... I mean, RBAC includes admin, itsec, projectmanager, netadmin, developer roles in NOVA but not Admin/Member.
Is that handled by Keystone or the service itself???

Is there any API to add roles (and also set permissions / privileges)?

My guess is that the RBAC is still in each service (nova / swift), but how does NOVA know the permissions of the role "Admin"?


--
+Hugo Kuo+
tonytkdk@xxxxxxxxx
hugo.kuo@xxxxxxxxxxxx
+886-935-004-793

www.cloudena.com
This email may include confidential information. If you received it in error, please delete it.
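The split the thread is circling around is: Keystone answers "which roles does this user hold, globally and on this tenant" (the two core GET calls Joe lists), and each service still has to decide locally what those role names are allowed to do. The following is an added example written for this archive page, not code from Keystone, Nova or either poster. It stands up an in-process stub of the two core role calls (the JSON response shape, the admin-token header, the user/tenant directory and the per-service policy table are all constructed assumptions), then shows a service-side check that fetches roles from Keystone and fails closed on any error (401 on a bad admin token, 404 on an unknown user).

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed test data: a Keystone admin token and a tiny user/role directory.
ADMIN_TOKEN = "constructed-admin-token"
DIRECTORY = {
    "u1": {"global": ["KeystoneAdmin"], "tenants": {"t1": ["Admin"], "t2": ["Member"]}},
    "u2": {"global": [], "tenants": {"t1": ["Member"]}},
}


class StubKeystoneAdmin(BaseHTTPRequestHandler):
    """In-process stand-in for the two core role calls (assumed response shape)."""

    def do_GET(self):
        if self.headers.get("X-Auth-Token") != ADMIN_TOKEN:
            return self._reply(401, {"unauthorized": {"code": 401, "message": "bad admin token"}})
        parts = self.path.strip("/").split("/")
        # GET /users/{user_id}/roles -> global roles only (no tenant roles)
        if len(parts) == 3 and parts[0] == "users" and parts[2] == "roles":
            user = DIRECTORY.get(parts[1])
            if user is None:
                return self._reply(404, {"itemNotFound": {"code": 404}})
            return self._reply(200, {"roles": [{"id": n, "name": n} for n in user["global"]]})
        # GET /tenants/{tenantId}/users/{user_id}/roles -> roles on that tenant only
        if len(parts) == 5 and parts[0] == "tenants" and parts[2] == "users" and parts[4] == "roles":
            user = DIRECTORY.get(parts[3])
            if user is None:
                return self._reply(404, {"itemNotFound": {"code": 404}})
            names = user["tenants"].get(parts[1], [])
            return self._reply(200, {"roles": [{"id": n, "name": n} for n in names]})
        return self._reply(404, {"itemNotFound": {"code": 404}})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


class KeystoneRoleClient:
    """Minimal client for the two core role-lookup calls, authenticated with an admin token."""

    def __init__(self, base_url, admin_token):
        self.base_url = base_url.rstrip("/")
        self.admin_token = admin_token

    def _get(self, path):
        req = Request(self.base_url + path, headers={"X-Auth-Token": self.admin_token})
        with urlopen(req, timeout=5) as resp:  # raises HTTPError on 401/404
            return json.load(resp)

    def global_roles(self, user_id):
        return {r["name"] for r in self._get(f"/users/{user_id}/roles")["roles"]}

    def tenant_roles(self, tenant_id, user_id):
        return {r["name"] for r in self._get(f"/tenants/{tenant_id}/users/{user_id}/roles")["roles"]}


# Hypothetical per-service policy table (not Nova's real one): action -> roles that may do it.
SERVICE_POLICY = {
    "compute:list_instances": {"Admin", "Member"},
    "compute:delete_instance": {"Admin"},
    "identity:create_role": {"KeystoneAdmin"},
}


def is_allowed(action, roles, policy=SERVICE_POLICY):
    """Service-side decision: Keystone only reported which role names the user holds."""
    return bool(policy.get(action, set()) & roles)


def authorize(client, user_id, tenant_id, action, policy=SERVICE_POLICY):
    """Look roles up in Keystone, then decide locally; any lookup failure denies (fail closed).
    This demo unions global and tenant roles; a real service must decide whether a
    global role should count inside a tenant."""
    try:
        roles = client.tenant_roles(tenant_id, user_id) | client.global_roles(user_id)
    except (HTTPError, OSError):
        return False
    return is_allowed(action, roles, policy)


def run_demo():
    """Start the stub on an ephemeral port, run a set of checks, and return the results."""
    server = HTTPServer(("127.0.0.1", 0), StubKeystoneAdmin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        good = KeystoneRoleClient(base, ADMIN_TOKEN)
        bad = KeystoneRoleClient(base, "wrong-token")
        return {
            "u1_t1_delete": authorize(good, "u1", "t1", "compute:delete_instance"),
            "u1_t2_delete": authorize(good, "u1", "t2", "compute:delete_instance"),
            "u2_t1_list": authorize(good, "u2", "t1", "compute:list_instances"),
            "u2_t1_delete": authorize(good, "u2", "t1", "compute:delete_instance"),
            "u1_create_role": authorize(good, "u1", "t2", "identity:create_role"),
            "unknown_user": authorize(good, "u9", "t1", "compute:list_instances"),
            "bad_admin_token": authorize(bad, "u1", "t1", "compute:delete_instance"),
            "u1_global": sorted(good.global_roles("u1")),
            "u1_t1": sorted(good.tenant_roles("t1", "u1")),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two things the run makes visible: the same user is Admin on one tenant and only Member on another, so the service must query roles per tenant rather than cache a single "is admin" bit; and a Keystone error (bad admin token, unknown user) must be treated as a denial, never as "no roles, so proceed".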
