
openstack team mailing list archive

Re: [Keystone] Custom Roles

 

Thanks, that is just what I'm looking for. This will only be available in
the final Essex release of OpenStack, right?

In regards to the side note, I was hoping to restrict that flavor to the
tenant in which it was created. Although if it isn't possible, I suppose it
could do no harm, assuming per-tenant quotas are in place.


Regards,

Leander

On Fri, Feb 17, 2012 at 2:50 PM, Jay Pipes <jaypipes@xxxxxxxxx> wrote:

> On 02/17/2012 06:31 AM, Leander Bessa wrote:
>
>> Hello,
>>
>> I was wondering if it would be possible to create custom roles in
>> keystone. For instance, I would like to create a role which would allow
>> a project owner to create/remove flavors without the intervention of an
>> admin account.
>>
>
> I *think* this should be possible with the new policy support that was
> recently added.
>
> Check out the /etc/nova/policy.json file. You should be able to edit that
> file to customize access to specific resource actions for a new role...
> (hint: look for compute_extension:flavormanage)
>
> That said, policy.json is pretty undocumented, and when I wrote the doc
> for Glance's similar policy.json support
> (http://glance.openstack.org/policies.html) I knew I was
> missing a lot of context. Hopefully Brian Waldon (cc'd) can provide some
> more help to you.
>
> Sidenote, though... if you allow a custom role to create a new flavor,
> would you allow anyone to launch an instance with that flavor?
>
> -jay
>
>
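
A minimal model of the policy.json change discussed in this thread, added here as an example and not taken from the thread or from Nova's code. It assumes list-of-lists rules (outer list is OR, inner list is AND) and an `admin_api` rule; the `flavor_manager` role name is hypothetical.

```python
import json

# Constructed sample policy (assumed syntax: outer list = OR, inner list = AND).
# "flavor_manager" is a hypothetical custom role added next to the admin rule.
POLICY_JSON = """
{
  "admin_api": [["role:admin"]],
  "compute_extension:flavormanage": [["rule:admin_api"], ["role:flavor_manager"]]
}
"""
RULES = json.loads(POLICY_JSON)

def check(rules, action, creds, target=None, seen=()):
    """Return True if creds satisfy the rule named `action`."""
    target = target or {}
    if action not in rules or action in seen:   # unknown rule or rule loop: deny
        return False
    match_list = rules[action]
    if not match_list:                          # this model treats an empty rule as allow-all
        return True
    for and_list in match_list:
        if isinstance(and_list, str):
            and_list = [and_list]
        if all(_match(rules, m, creds, target, seen + (action,)) for m in and_list):
            return True
    return False

def _match(rules, match, creds, target, seen):
    kind, value = match.split(":", 1)
    if kind == "rule":                          # reference to another named rule
        return check(rules, value, creds, target, seen)
    if kind == "role":                          # case-insensitive role membership
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    try:                                        # generic "key:%(field)s" comparison
        return creds.get(kind) == value % target
    except KeyError:
        return False

def audit(rules, action, role_sets):
    """Map each named role set to whether it may perform `action`."""
    return {name: check(rules, action, {"roles": roles})
            for name, roles in role_sets.items()}

if __name__ == "__main__":
    sets = {"admin": ["admin"], "custom": ["flavor_manager"], "member": ["Member"]}
    for name, allowed in audit(RULES, "compute_extension:flavormanage", sets).items():
        print(name, "allowed" if allowed else "denied")
```

Running an audit like this over every action in a policy file before deploying it shows which roles gained access from an edit, and flags any action left with an empty rule.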
