
openstack team mailing list archive

Re: 'admin' role hard-coded in keystone and nova, and policy.json

 

policy.json is entirely end-user configurable (it's not hardcoded at all):
replace every instance of "role:admin" in your policy.json (there are two by
default in nova's policy.json, for example) with "role:myadmin", create the
corresponding "myadmin" role in keystone, and grant it to the appropriate
users instead of "admin".

You can also have multiple roles with admin-like behaviors (see nova's
admin_or_owner as an example), or roles with very limited sets of
capabilities, e.g.:

    "volume:create": [["role:custom_role_that_can_only_create_volumes"]]

-Dolph

On Thu, May 10, 2012 at 4:32 PM, Salman A Baset <sabaset@xxxxxxxxxx> wrote:

> It seems that the 'admin' role is hard-coded across nova and horizon. As a
> result if I want to define 'myadmin' role, and grant it all the admin
> privileges, it does not seem possible. Is this a recognized limitation?
>
> Further, is there some good documentation on policy.json for nova,
> keystone, and glance?
>
> Thanks.
>
> Best Regards,
>
> Salman A. Baset
> Research Staff Member, IBM T. J. Watson Research Center
> Tel: +1-914-784-6248
>
>
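
The role swap described in the reply, as an added example that is not part of the original thread or of nova's own code: it renames `role:admin` in a constructed policy written in the list-of-lists format shown above, then evaluates requests with a simplified checker (outer list is OR, inner list is AND). The sample policy, the names `rename_role` and `check`, and the deny-on-missing-rule behaviour are assumptions made for illustration.

```python
import json

# Constructed sample in the list-of-lists policy format (not nova's full file).
SAMPLE_POLICY = json.loads("""
{
    "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
    "compute:get_all": [["rule:admin_or_owner"]],
    "volume:create": [["role:custom_role_that_can_only_create_volumes"]],
    "admin_api": [["role:admin"]]
}
""")


def rename_role(policy, old, new):
    """Return a copy with every exact 'role:<old>' check replaced by 'role:<new>'."""
    def swap(node):
        if isinstance(node, list):
            return [swap(item) for item in node]
        # Exact match only, so a role such as 'administrator' is left alone.
        return "role:" + new if node.lower() == "role:" + old.lower() else node
    return {action: swap(rule) for action, rule in policy.items()}


def check(policy, action, creds, target):
    """Simplified evaluator: any inner list whose checks all pass allows the action."""
    if action not in policy:
        return False  # assumption: actions without a rule are denied
    if not policy[action]:
        return True  # an empty rule allows every caller
    for alternative in policy[action]:
        checks = [alternative] if isinstance(alternative, str) else alternative
        if all(_match(policy, c, creds, target) for c in checks):
            return True
    return False


def _match(policy, match, creds, target):
    kind, value = match.split(":", 1)
    if kind == "rule":  # reference to another named rule
        return check(policy, value, creds, target)
    if kind == "role":  # case-insensitive membership in the caller's roles
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check, e.g. "project_id:%(project_id)s" against the credentials.
    return kind in creds and str(creds[kind]) == value % target
```

After the rename, a caller holding only the old "admin" role no longer passes the admin checks, and "myadmin" gains nothing on rules that name a different role, such as "volume:create" here.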
