Nova was recently changed to allow the rolename that gets is_admin privileges 
to be specified in context.  There is still some work needed to break out the 
is_admin capabilities into individual policy actions, but at least you can pick 
a different name for your admin role.

From nova's policy.json:
  "context_is_admin":  [["role:admin"]],

On Aug 31, 2012, at 10:11 AM, Gabriel Hurley <gabriel.hur...@nebula.com> wrote:

> One additional note on that, however: for legacy reasons many of the projects 
> have hardcoded assumptions about the role named “admin”. In Grizzly we’ll be 
> working to make the role-based access control truly customizable, but for now 
> you’re stuck with needing that one.
>  
> -          Gabriel
>  
> From: openstack-bounces+gabriel.hurley=nebula....@lists.launchpad.net 
> [mailto:openstack-bounces+gabriel.hurley=nebula....@lists.launchpad.net] On 
> Behalf Of Dolph Mathews
> Sent: Friday, August 31, 2012 12:34 AM
> To: Jack
> Cc: openstack
> Subject: Re: [Openstack] About the Role and User's rights
>  
> Those roles you see in keystone are merely examples, and don't have any 
> "meaning" by themselves. You create your own roles in keystone (e.g. $ 
> keystone role-create) and define the associated actions specific to each 
> service via each service's own policy.json. For example, here's nova's 
> default policy.json:
>  
>     https://github.com/openstack/nova/blob/master/etc/nova/policy.json
>  
> -Dolph
>  
> 
> On Fri, Aug 31, 2012 at 2:21 AM, Jack <545997...@qq.com> wrote:
> Hi all,
>      OpenStack uses a rights management system that employs Role-Based 
> Access Control. Roles control the actions that a user is allowed to perform. 
> There are 5 roles in keystone; they are 
> admin, KeystoneAdmin, KeystoneServiceAdmin, Member, anotherrole. But how does 
> OpenStack control every role's rights? How does OpenStack limit the actions of 
> each role?
>  
> Looking forward
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
> 
>  

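The policy.json format discussed in this thread, shown as an added example that is not part of any message above and is not nova's own code: a simplified evaluator for the list-of-lists rule syntax, run against a constructed policy in which context_is_admin points at a renamed role. The role name "cloud_operator", the "example:*" action names and the fail-closed handling of unknown rules are assumptions of this example.

```python
import json

# Constructed policy in the legacy list-of-lists format quoted in the thread.
# "cloud_operator" and the "example:*" actions are made-up names.
POLICY_JSON = """{
  "context_is_admin": [["role:cloud_operator"]],
  "admin_or_owner": [["rule:context_is_admin"], ["project_id:%(project_id)s"]],
  "example:start_server": [["rule:admin_or_owner"]],
  "example:list_hosts": [["rule:context_is_admin"]]
}"""
RULES = json.loads(POLICY_JSON)


def check(rules, name, creds, target):
    """Outer list is OR, inner list is AND; an empty list allows everyone."""
    alternatives = rules.get(name)
    if alternatives is None:
        return False  # unknown rule: fail closed (this example's choice)
    if not alternatives:
        return True
    return any(all(_match(rules, item, creds, target) for item in conj)
               for conj in alternatives)


def _match(rules, item, creds, target):
    kind, _, value = item.partition(":")
    if kind == "rule":  # reference to another named rule
        return check(rules, value, creds, target)
    if kind == "role":  # case-insensitive membership in the caller's roles
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    try:  # generic check: credential field equals the templated value
        expected = value % target
    except (KeyError, TypeError, ValueError):
        return False
    return kind in creds and str(creds[kind]) == expected


if __name__ == "__main__":
    target = {"project_id": "p2"}  # constructed: a server owned by project p2
    callers = {
        "operator": {"roles": ["Cloud_Operator"], "project_id": "p1"},
        "admin": {"roles": ["admin"], "project_id": "p1"},
        "owner": {"roles": ["Member"], "project_id": "p2"},
    }
    for who, creds in callers.items():
        for action in ("context_is_admin", "example:start_server", "example:list_hosts"):
            print(who, action, check(RULES, action, creds, target))
```

Under this constructed policy a caller whose only role is "admin" is no longer treated as an administrator, which is worth checking for after any rename of the admin role.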