On 10/05/2015 05:47 PM, Andrew Bogott wrote:
I would like to be able to create some accounts with cloud-wide
permissions in my OpenStack install. Specifically:
https://bugs.launchpad.net/keystone/+bug/968696
'observer' permissions:
This would be an account (or type of account) that has 'read-only
access' to all tenants. This would be used to provide a public view
onto cloud usage[1], and also be used for monitoring and metrics.
'cloudadmin' permissions:
This would be an account (or type of account) that has access to
everything.
Right now I accomplish the latter by hooking tenant creation and
explicitly adding an account called 'novaadmin' to each project. I'm
pretty sure I know how to write policy.json stanzas to define the
various sets of rights that I want, the challenge is in assigning them
to cloud-wide users.
I have the impression that new Domains and Groups features would allow
for a more elegant solution, but googling for 'domains' and 'groups'
hasn't turned up anything other than a few years-old design documents.
How are other people addressing the 'cloudadmin' issue? Are there
docs that explain this that I'm overlooking?
I'm currently running Kilo but will entertain suggestions that require
Liberty as well. Similarly, right now everything is tuned to keystone
api v2.0 but I'm planning to migrate to 3 sometime soon so that's not
a deal-breaker either.
Thank you!
-Andrew
I've been trying to get movement behind a solution for this for a while.
You can come up with a hard-coded solution for your cloud, but it will
involve editing the policy files.
The best bet is to come up with an admin domain, and have a rule that
checks that a user is in the admin domain.
See my presentation from Vancouver:
http://openstacksummitmay2015vancouver.sched.org/event/14f4c5993e34b0f6a10c810510abbd73#.VhL0mbP-SV4
[1] Being wikimedia, we try to practice transparency in all things
:) Most of this information is already available to the public, but
collected asynchronously and a real drag to maintain. Also the link
that displays it is preposterous:
https://wikitech.wikimedia.org/w/index.php?title=Special:Ask&offset=0&limit=250&q=[[Resource+Type%3A%3Aproject]]&p=format%3Dbroadtable%2Flink%3Dall%2Fheaders%3Dshow%2Fmainlabel%3D-2D%2Fsearchlabel%3Dprojects&po=%3F%0A%3FDescription%0A
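To make the "rule that checks that a user is in the admin domain" concrete, here is an added example that is not part of this thread and not keystone's own code: a small evaluator for policy.json rules (a simplified re-implementation of the oslo.policy syntax: `rule:`, `role:`, `key:value`, `%(target...)s`, `and`/`or`/`not`, parentheses) run over a constructed policy fragment shaped like keystone's policy.v3cloudsample.json. `admin_domain_id` is a placeholder for the real admin domain's id, and the sample credentials are constructed. The point it shows is that a user holding `admin` in an ordinary domain does not satisfy `cloud_admin`, while an `observer` in the admin domain gets read-only calls and nothing else.

```python
"""Minimal policy.json rule evaluator (constructed example; not oslo.policy)."""
import json
import re

# Constructed policy fragment. 'admin_domain_id' is a placeholder that a real
# deployment replaces with the admin domain's UUID.
POLICY_JSON = """
{
  "admin_required": "role:admin",
  "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
  "observer": "role:observer and domain_id:admin_domain_id",
  "identity:list_projects": "rule:cloud_admin or rule:observer",
  "identity:delete_project": "rule:cloud_admin",
  "identity:get_project": "rule:cloud_admin or rule:observer or project_id:%(target.project.id)s"
}
"""

# Tokens: parentheses, or atoms; an atom may embed a %(dotted.path)s reference.
_TOKEN_RE = re.compile(r'\(|\)|(?:%\([^)]*\)s|[^\s()])+')


def _lookup(obj, dotted):
    """Resolve 'target.project.id' inside nested dicts; None if absent."""
    for part in dotted.split('.'):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(part)
    return obj


class PolicyEngine:
    def __init__(self, policy_text):
        self.rules = json.loads(policy_text)

    def enforce(self, action, creds, target=None):
        """True if creds (roles, domain_id, project_id) may perform action."""
        # Unknown actions are denied here; oslo.policy would use its "default" rule.
        return self._eval(self.rules.get(action, '!'), creds, target or {})

    def _check(self, token, creds, target):
        if token == '@':          # always allow
            return True
        if token == '!':          # always deny
            return False
        kind, _, match = token.partition(':')
        if kind == 'rule':        # reference to another named rule
            return self._eval(self.rules.get(match, '!'), creds, target)
        if kind == 'role':        # role held in the token
            return match in creds.get('roles', [])
        # Generic credential check: creds[kind] must equal a literal or a value
        # taken from the target, e.g. project_id:%(target.project.id)s
        if match.startswith('%(') and match.endswith(')s'):
            match = _lookup(target, match[2:-2])
        if match is None or kind not in creds:
            return False
        return str(creds[kind]) == str(match)

    def _eval(self, expr, creds, target):
        tokens = _TOKEN_RE.findall(expr)
        pos = 0

        def peek():
            return tokens[pos] if pos < len(tokens) else None

        def take():
            nonlocal pos
            pos += 1
            return tokens[pos - 1]

        def parse_or():
            value = parse_and()
            while peek() == 'or':
                take()
                rhs = parse_and()
                value = value or rhs
            return value

        def parse_and():
            value = parse_not()
            while peek() == 'and':
                take()
                rhs = parse_not()
                value = value and rhs
            return value

        def parse_not():
            if peek() == 'not':
                take()
                return not parse_not()
            if peek() == '(':
                take()
                value = parse_or()
                if take() != ')':
                    raise ValueError('unbalanced parentheses in: ' + expr)
                return value
            return self._check(take(), creds, target)

        result = parse_or()
        if peek() is not None:
            raise ValueError('trailing tokens in: ' + expr)
        return result


# Constructed sample credentials: the same 'admin' role means different
# things depending on which domain the user lives in.
SAMPLE_CREDS = {
    'cloud_admin': {'roles': ['admin'], 'domain_id': 'admin_domain_id', 'project_id': 'cloud-admin'},
    'observer': {'roles': ['observer'], 'domain_id': 'admin_domain_id', 'project_id': 'monitoring'},
    'project_admin': {'roles': ['admin'], 'domain_id': 'default', 'project_id': 'p1'},
}


def decision_table(engine=None):
    """Return {(user, action): allowed} for the sample users against project p1."""
    engine = engine or PolicyEngine(POLICY_JSON)
    target = {'target': {'project': {'id': 'p1'}}}
    actions = ['identity:list_projects', 'identity:delete_project', 'identity:get_project']
    return {(who, action): engine.enforce(action, creds, target)
            for who, creds in SAMPLE_CREDS.items() for action in actions}


if __name__ == '__main__':
    for (who, action), allowed in sorted(decision_table().items()):
        print(f'{who:14} {action:25} {"allow" if allowed else "deny"}')
```

The evaluator short-circuits nothing on purpose: every atom is consumed so that a malformed rule raises instead of silently passing. In a real deployment the check is done by oslo.policy inside keystone, so only the JSON part carries over; the value of writing the rules this way is that "cloud admin" becomes "admin role in the admin domain" rather than "any project admin anywhere".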
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack