openstack team mailing list archive

Re: [Keystone] Custom Roles

 

On 02/17/2012 06:31 AM, Leander Bessa wrote:
> Hello,
>
> I was wondering if it would be possible to create custom roles in
> keystone. For instance, I would like to create a role which would allow
> a project owner to create/remove flavors without the intervention of an
> admin account.

I *think* this should be possible with the new policy support that was recently added.

Check out the /etc/nova/policy.json file. You should be able to edit that file to customize access to specific resource actions for a new role... (hint: look for compute_extension:flavormanage)

That said, policy.json is pretty undocumented, and when I wrote the doc for Glance's similar policy.json support (http://glance.openstack.org/policies.html) I knew I was missing a lot of context. Hopefully Brian Waldon (cc'd) can provide some more help to you.

Sidenote, though... if you allow a custom role to create a new flavor, would you allow anyone to launch an instance with that flavor?

-jay
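
Added example (not part of the original message and not Nova's own code): a simplified evaluator for list-of-lists policy rules, showing why a custom role is better attached to `compute_extension:flavormanage` alone than to a shared admin rule. The rule syntax (outer list = OR, inner list = AND), the role name `flavor_manager`, and every key other than `compute_extension:flavormanage` are assumptions made for illustration.

```python
import json

# Constructed fragment in the list-of-lists rule style (assumed format):
# outer list = OR, inner list = AND. "flavor_manager" is a hypothetical role.
NARROW = json.loads("""{
  "admin_api": [["role:admin"]],
  "compute_extension:flavormanage": [["rule:admin_api"], ["role:flavor_manager"]],
  "compute_extension:hosts": [["rule:admin_api"]]
}""")

# The over-broad alternative: adding the role to the shared admin rule.
BROAD = json.loads("""{
  "admin_api": [["role:admin"], ["role:flavor_manager"]],
  "compute_extension:flavormanage": [["rule:admin_api"]],
  "compute_extension:hosts": [["rule:admin_api"]]
}""")


def _check(term, policy, creds, target):
    kind, _, value = term.partition(":")
    if kind == "rule":
        return is_allowed(value, policy, creds, target)
    if kind == "role":
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    try:  # generic match, e.g. "project_id:%(project_id)s"
        return str(creds.get(kind)) == value % target
    except KeyError:
        return False


def is_allowed(action, policy, creds, target=None):
    """Simplified evaluator: unknown actions are denied (fail closed)."""
    target = target or {}
    if action not in policy:
        return False
    groups = policy[action]
    if not groups:  # empty rule: no restriction
        return True
    return any(all(_check(t, policy, creds, target) for t in g) for g in groups)


def allowed_actions(policy, creds):
    """Audit helper: every compute_extension action these credentials reach."""
    return sorted(a for a in policy
                  if a.startswith("compute_extension:") and is_allowed(a, policy, creds))


if __name__ == "__main__":
    owner = {"roles": ["flavor_manager"], "project_id": "p1"}
    print("narrow:", allowed_actions(NARROW, owner))
    print("broad: ", allowed_actions(BROAD, owner))
```

Running the audit helper against a proposed policy file before deploying it shows exactly which actions a new role picks up.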

