openstack team mailing list archive

Thread
Date

Re: [OpenStack] Limiting new roles

To: Dolph Mathews <dolph.mathews@xxxxxxxxx>, Guillermo Alvarado <guillermoalvarado89@xxxxxxxxx>
From: Gabriel Hurley <Gabriel.Hurley@xxxxxxxxxx>
Date: Wed, 31 Oct 2012 22:42:45 +0000
Accept-language: en-US
Cc: openstack <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAC=h7gVSqrqfvyKEhhkhUDrntWKC7Xb7TU4jKcEeKRkkE3fP_g@mail.gmail.com>
Thread-index: AQHNt7iB32ILlkxeBkuWep9Yam4jcZfUAkyA
Thread-topic: [Openstack] [OpenStack] Limiting new roles

With respect to the comments on Horizon, as soon as Keystone implements the policy rollup and exposes it in the v3 API Horizon will fully honor the policies specified by the various projects. That blueprint for Keystone was targeted for Folsom but got bumped to Grizzly. Hopefully it'll make it in this time so we can get that done.

-          Gabriel

From: openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Dolph Mathews
Sent: Wednesday, October 31, 2012 3:39 PM
To: Guillermo Alvarado
Cc: openstack
Subject: Re: [Openstack] [OpenStack] Limiting new roles

I'm specifically referring to keystone, because you mention "...this role only  can create tentants and roles..." If you can create tenants and roles in keystone, you also have the power to create new users and grant yourself additional roles in keystone, due to the binary nature of the policy implementation in keystone today (thereby -- and unfortunately -- defeating the rest of your statement: "... but cannnot change quotas or modify images").

-Dolph

On Wed, Oct 31, 2012 at 5:29 PM, Guillermo Alvarado <guillermoalvarado89@xxxxxxxxx<mailto:guillermoalvarado89@xxxxxxxxx>> wrote:
I know the implementation is not binay, you can modify the permissions related with nova/glance/swifth of the differents roles. I doubt is if horizon know wich template can view each user...

2012/10/31 Dolph Mathews <dolph.mathews@xxxxxxxxx<mailto:dolph.mathews@xxxxxxxxx>>
With regard to keystone, the current policy implementation is entirely binary in that a role may either have total control over keystone or none. The implementation in Grizzly is much more granular.

-Dolph

On Wed, Oct 31, 2012 at 2:35 PM, Guillermo Alvarado <guillermoalvarado89@xxxxxxxxx<mailto:guillermoalvarado89@xxxxxxxxx>> wrote:
Hi everyboy,

I want to create a new role, named "another-admin", so this role only  can create tentants and roles but cannnot change quotas or modify images and all other actions that admin role can do.

I read about create rules in the policy.json of each service (nova, keystone, glance, swift) but my doubt is: How can I limit the views/templates/urls of Horizon, I mean, I want that the role "another-admin" can not see templates related to glance and can not see that menu.

Thanks in advance,
Best Regards.

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx<mailto:openstack@xxxxxxxxxxxxxxxxxxx>
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

References

[OpenStack] Limiting new roles
From: Guillermo Alvarado, 2012-10-31
Re: [OpenStack] Limiting new roles
From: Dolph Mathews, 2012-10-31
Re: [OpenStack] Limiting new roles
From: Dolph Mathews, 2012-10-31