openstack team mailing list archive
Message #11581
Re: 'admin' role hard-coded in keystone and nova, and policy.json
Dolph: I think what Salman is looking for is some way to configure what role is used to determine admin-ness within a service. For example, Glance allows you to set a 'service_role' option. The context.is_admin checks make sure whatever role is defined in service_role is found in the roles returned by Keystone rather than assuming it is 'admin'.
Salman: As for documentation, you can look to http://glance.openstack.org/policies.html for an overview of what is available in Glance.
Brian
On May 10, 2012, at 6:10 PM, Dolph Mathews wrote:
> policy.json is entirely end-user configurable (it's not hardcoded at all): replace every instance of "role:admin" in your policy.json (there are two by default in nova's policy.json, for example) with "role:myadmin", create the corresponding "myadmin" role in keystone, and grant it to the appropriate users instead of "admin".
>
> You can also have multiple roles with admin-like behaviors (see nova's admin_or_owner as an example), or roles with very limited sets of capabilities, e.g.:
>
> "volume:create": [["role:custom_role_that_can_only_create_volumes"]]
>
> -Dolph
>
> On Thu, May 10, 2012 at 4:32 PM, Salman A Baset <sabaset@xxxxxxxxxx> wrote:
> It seems that the 'admin' role is hard-coded across nova and horizon. As a result, if I want to define a 'myadmin' role and grant it all the admin privileges, it does not seem possible. Is this a recognized limitation?
>
> Further, is there some good documentation on policy.json for nova, keystone, and glance?
>
> Thanks.
>
> Best Regards,
>
> Salman A. Baset
> Research Staff Member, IBM T. J. Watson Research Center
> Tel: +1-914-784-6248
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
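The procedure Dolph describes (swap "role:admin" for "role:myadmin" in policy.json) and Brian's point about testing a configured service_role rather than the literal string 'admin' can both be seen in a small evaluator for the list-of-lists policy.json format of that era. This is an added example, not code from nova, glance or keystone: the rule semantics (outer list OR-ed, inner list AND-ed; "role:NAME" checked against the roles Keystone returned; "rule:NAME" deferring to another entry; "project_id:%(project_id)s" comparing a request attribute with the target) are reconstructed from the thread, and the policy fragment, role names and project ids are constructed sample data.

```python
"""Minimal evaluator for a 2012-era OpenStack policy.json (added example).

Not the project's own code. Rule semantics are assumed from the thread:
each action maps to a list of clauses (OR), each clause is a list of
checks (AND); "role:X" tests the caller's Keystone roles, "rule:X" defers
to another named entry, and "attr:%(key)s" compares a caller attribute with
the target object (nova's owner check). Policy and names are constructed.
"""
import copy
import json

# Constructed policy fragment in nova's list-of-lists style.
SAMPLE_POLICY_JSON = """
{
    "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
    "default": [["rule:admin_or_owner"]],
    "compute:get_all_tenants": [["role:admin"]],
    "volume:create": [["role:custom_role_that_can_only_create_volumes"]],
    "volume:delete": [["rule:admin_or_owner"]]
}
"""


def load_policy(text):
    """Parse policy.json text into a dict of action -> list of clauses."""
    return json.loads(text)


def _match(check, ctx, target, policy):
    """Evaluate one check string against the caller context and target."""
    kind, _, value = check.partition(":")
    if kind == "role":
        return value in ctx["roles"]
    if kind == "rule":
        return enforce(policy, value, ctx, target)
    # Generic attribute check such as "project_id:%(project_id)s": expand
    # the template against the target and compare with the caller's value.
    try:
        expected = value % target
    except KeyError:
        return False  # target lacks the attribute the rule needs
    return ctx.get(kind) == expected


def enforce(policy, action, ctx, target=None):
    """Return True if ctx (roles, project_id, ...) may perform action on target.

    Unknown actions fall back to the "default" entry; no rule means deny.
    """
    target = target or {}
    rules = policy.get(action, policy.get("default", []))
    if not rules:
        return False
    # Any clause suffices; within a clause every check must hold.
    return any(all(_match(c, ctx, target, policy) for c in clause)
               for clause in rules)


def rename_admin_role(policy, new_role):
    """Dolph's procedure: replace every "role:admin" check with the new role.

    Returns a new policy; the original is left untouched.
    """
    rewritten = copy.deepcopy(policy)
    for action, rules in rewritten.items():
        rewritten[action] = [
            ["role:" + new_role if c == "role:admin" else c for c in clause]
            for clause in rules
        ]
    return rewritten


def is_admin(roles, service_role="admin"):
    """Brian's point: decide admin-ness from a configured service_role
    (glance's option) found in the Keystone roles, not a hard-coded 'admin'."""
    return service_role in roles


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    myadmin = {"roles": ["myadmin"], "project_id": "p1"}
    print("before rename:", enforce(policy, "compute:get_all_tenants", myadmin))
    renamed = rename_admin_role(policy, "myadmin")
    print("after rename: ", enforce(renamed, "compute:get_all_tenants", myadmin))
    print("is_admin with service_role=myadmin:",
          is_admin(myadmin["roles"], service_role="myadmin"))
```

Running the block shows the custom role being denied under the stock policy and allowed once "role:admin" has been rewritten; the separate is_admin helper is where a service-level flag like Glance's service_role belongs, so that the role name is configuration rather than a literal in the code.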