Read-Only Role for OpenStack Services

[seancarlisle]

Use cases exist where users need to retrieve usage information, but not be able to create or delete anything in the environment. This necessitates the creation of a read-only Keystone role, but will require modifications to policy.json for each of the services. Below are VERY rough steps on how I modified Nova's policy.json in my lab:

• Create new role called "viewer"
• Add "viewer" role to all users
• Open /etc/nova/policy.json in your favorite text editor
• Add a new rule named "viewer" like so:
  • "viewer": "role:viewer"
• Change the "default" rule like so:
  • "default": "rule:viewer"
• Change "admin_or_owner" rule like so:
  • "admin_or_owner": "is_admin:True or role:Member"
• Add the "admin_or_owner" rule to all policies allowing for read-write access that are currently default. For example:
  • "compute:create": "", becomes "compute:create": "rule:admin_or_owner",
• Create new user through normal processes.
• Add "viewer" role to new user.
• Remove "Member" role from new user.
• New expected behavior:
  • root@controller-policy-test:~# nova flavor-list +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+-------------+ | ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public | extra_specs | +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+-------------+ | 1 | m1.tiny | 512 | 0 | 0 | | 1 | 1.0 | True | {} | | 2 | m1.small | 2048 | 20 | 0 | | 1 | 1.0 | True | {} | | 3 | m1.medium | 4096 | 40 | 0 | | 2 | 1.0 | True | {} | | 4 | m1.large | 8192 | 80 | 0 | | 4 | 1.0 | True | {} | | 5 | m1.xlarge | 16384 | 160 | 0 | | 8 | 1.0 | True | {} | +----+-----------+-----------+------+-----------+------+-------+-------------+-----------+-------------+
  • root@controller-policy-test:~# nova flavor-create test-flav 'auto' 1024 80 4 ERROR: Policy doesn't allow compute_extension:flavormanage to be performed. (HTTP 403) (Request-ID: req-3caaa0be-a94c-4fb5-a47a-d33609c3ca5c)

[odyssey4me]

We've thought of a few roles:

1. Project Admin - Admin for a Project only. Should be able to do what is standard for a normal 'member' today. Launch, terminate, etc servers and all that. This role should perhaps also be allowed to create users for the project too?
2. Project Viewer - Only allowed access to work within a project in a read-only way. ie no access to erminate/create/etc. Server console access is allowed too.
3. Project Reporter - Pretty much the same as a viewer, but no access to the server consoles. The purpose is to provide access to reporting information: quotas, stats, ceilometer stats, etc.
4. Domain Admin - Admin for a Keystone v3 Domain. Should be able to create projects & users, but should only be a 'reporter' within projects.
5. Domain Reporter - Should only have access reporting/quota information for the domain and its projects.

[Simna123]

its not working for me ! Please help

[mancdaz]

Hi @Simna123

What exactly isn't working for you? If you could provide a little more information (logs, errors etc) it would aid us in getting to the bottom of your problem.

Thanks

[Simna123]

All i need is a read-only role which can be assigned to users in openstack.

As explained in the above post (by seancarlisle),

I created a Role - "viewer" Assigned it to a new User Removed the member role from that particular user And in /etc/nova/policy.json Added a new rule named "viewer" like so: "viewer": "role:viewer" Change the "default" rule like so: "default": "rule:viewer" Change "admin_or_owner" rule like so: "admin_or_owner": "is_admin:True or role:Member" & "compute:create": "", becomes "compute:create": "rule:admin_or_owner"

Now what i am expecting as output is that, the new user with viewer role will not be able to launch instances.

But the new user is still able to launch instances. :/

[binoymvas]

same for me too. New user is still able to launch instances

[kingttx]

There is an old but inactive blueprint for this. I would love to have this role added to the vanilla code! https://blueprints.launchpad.net/keystone/+spec/admin-readonly-role