openstack team mailing list archive

Thread
Date

Re: About the Role and User's rights

To: Gabriel Hurley <Gabriel.Hurley@xxxxxxxxxx>
From: Vishvananda Ishaya <vishvananda@xxxxxxxxx>
Date: Fri, 31 Aug 2012 13:34:13 -0700
Cc: Jack <545997714@xxxxxx>, openstack <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <BD35DBE010D5B64589500D43F775F23629236ED3@CH1PRD0511MB431.namprd05.prod.outlook.com>

Nova recently was changed to allow the rolename that gets is_admin privileges specified in context.  There is still some work needed to break out the is_admin capabilities into individual policy actions, but at least you can pick a different name for your admin role.

from nova's policy.json:
  "context_is_admin":  [["role:admin"]],

On Aug 31, 2012, at 10:11 AM, Gabriel Hurley <Gabriel.Hurley@xxxxxxxxxx> wrote:

> One additional note on that, however: for legacy reasons many of the projects have hardcoded assumptions about the role named “admin”. In Grizzly we’ll be working to make the role-based access control truly customizable, but for now you’re stuck with needing that one.
>  
> -          Gabriel
>  
> From: openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Dolph Mathews
> Sent: Friday, August 31, 2012 12:34 AM
> To: Jack
> Cc: openstack
> Subject: Re: [Openstack] About the Role and User's rights
>  
> Those roles you see in keystone are merely examples, and don't have any "meaning" by themselves. You create your own roles in keystone (e.g. $ keystone role-create) and define the associated actions specific to each service via each service's own policy.json. For example, here's nova's default policy.json:
>  
>     https://github.com/openstack/nova/blob/master/etc/nova/policy.json
>  
> -Dolph
>  
> 
> On Fri, Aug 31, 2012 at 2:21 AM, Jack <545997714@xxxxxx> wrote:
> hi all,
>      openstack uses a rights management system that employs a Role-Based Access Control , Roles control the actions that a user is allowed to perform .there are 5 roles in keystone ,there are admin,KeystoneAdmin,KeystoneServiceAdmin,Member,anotherrole ,but ,how openstack control every role's rights? how openstack lmits the actions of each role?
>  
> Looking forward
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
> 
>  
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

Follow ups

Re: About the Role and User's rights
From: Gabriel Hurley, 2012-08-31

References

About the Role and User's rights
From: Jack, 2012-08-31
Re: About the Role and User's rights
From: Dolph Mathews, 2012-08-31
Re: About the Role and User's rights
From: Gabriel Hurley, 2012-08-31