Comment 2 for bug 1688612

Hua Zhang (zhhuabj) wrote : Re: Unable to create read-only users within openstack

I tested it according to the following steps:

1. Create a role viewer and a user hua

# create the role, create the user, then grant the role on tenant demo (keystone v2 CLI)
keystone role-create --name viewer
keystone user-create --name hua --pass password
keystone user-role-add --user hua --role viewer --tenant demo
# confirm the assignment
keystone user-role-list --tenant demo --user hua

2. /etc/nova/policy.json needs to be modified for each of the services

diff --git a/etc/nova/policy.json b/etc/nova/policy.json
index c238393..012b051 100644
--- a/etc/nova/policy.json
+++ b/etc/nova/policy.json
@@ -1,7 +1,20 @@
 {
     "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
+ "context_is_member": "not role:viewer",
+ "admin_or_owner": "is_admin:True or (project_id:%(project_id)s and rule:context_is_member)",
     "default": "rule:admin_or_owner",
+ "default_or_viewer": "is_admin:True or (project_id:%(project_id)s and not role:viewer)",
+
+ "compute:get":"rule:default_or_viewer",
+ "compute:get_all": "rule:default_or_viewer",
+ "compute:get_all_tenants": "rule:default_or_viewer",
+ "compute:stop":"rule:default_or_viewer",
+ "compute:start":"rule:default_or_viewer",
+ "compute:reboot":"rule:default_or_viewer", "compute:get_vnc_console":"rule:default_or_viewer",
+ "compute:get_spice_console":"rule:default_or_viewer",
+ "compute:get_console_output":"rule:default_or_viewer",
+ "compute_extension:console_output": "rule:default_or_viewer",
+ "compute_extension:consoles": "rule:default_or_viewer",

     "cells_scheduler_filter:TargetCellFilter": "is_admin:True",
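Review bot: "default_or_viewer" is the same predicate as the new "admin_or_owner" ("is_admin:True or (project_id:%(project_id)s and not role:viewer)" versus "... and rule:context_is_member", where context_is_member is "not role:viewer"), so it excludes the viewer role instead of admitting it, and none of the compute:get* entries bound to it admit a user whose only role is viewer. For a read-only role the read entries want a rule such as "is_admin:True or project_id:%(project_id)s" (any project member, viewer included) while the write entries stay on rule:admin_or_owner; by the same token "compute:stop", "compute:start" and "compute:reboot" mutate the instance and do not belong on a viewer rule, and "compute:get_all_tenants" lists servers across projects, so binding it to a per-project rule grants more than read-only within the project. Minor: "compute:reboot" and "compute:get_vnc_console" share one line; put each key on its own line like the rest.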

3. Test it; it works

ubuntu@zhhuabj-bastion-xenial:~/openstack-charm-testing$ nova flavor-create test-flav 'auto' 1024 80 4
ERROR (Forbidden): Policy doesn't allow compute_extension:flavormanage to be performed. (HTTP 403) (Request-ID: req-5787298d-af70-432f-900c-121ed2c27eb2)
ubuntu@zhhuabj-bastion-xenial:~/openstack-charm-testing$ nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+
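As an added example (not part of the comment above and not nova's or oslo.policy's own code), the following Python evaluates policy.json rule strings the way nova does (atoms of the form kind:value, %(key)s target substitution, rule: references, and/or/not with parentheses, unknown actions falling back to "default", is_admin derived from context_is_admin). It loads the rules from the hunk above plus a read-only variant that is an assumption of this example, and checks them against a viewer-only user, a project member and an admin, so you can see what each rule string actually decides before touching policy.json on a live service. The project id "demo" and the role names are placeholders.

```python
import re

# Token grammar of a policy.json rule string: parentheses, the keywords
# and/or/not, and atoms kind:value where value may be a %(key)s substitution.
_TOKEN = re.compile(
    r"\(|\)|\b(?:and|or|not)\b|[A-Za-z_]+:(?:%\([A-Za-z_]+\)s|[^\s()]+)")


class Policy:
    """Small evaluator for a policy.json dict: check(action, target, creds)."""

    def __init__(self, rules):
        self.rules = rules

    def check(self, action, target, creds):
        # Actions without an entry fall back to the "default" rule, as nova does.
        return self._evaluate(self.rules.get(action, self.rules["default"]), target, creds)

    def _evaluate(self, expr, target, creds):
        tokens = _TOKEN.findall(expr)
        if not tokens:            # an empty rule string means "always allowed"
            return True
        pos = 0

        def parse_or():
            nonlocal pos
            value = parse_and()
            while pos < len(tokens) and tokens[pos] == "or":
                pos += 1
                rhs = parse_and()  # always parse so the cursor advances
                value = value or rhs
            return value

        def parse_and():
            nonlocal pos
            value = parse_not()
            while pos < len(tokens) and tokens[pos] == "and":
                pos += 1
                rhs = parse_not()
                value = value and rhs
            return value

        def parse_not():
            nonlocal pos
            if pos >= len(tokens):
                raise ValueError("unexpected end of rule %r" % expr)
            tok = tokens[pos]
            pos += 1
            if tok == "not":
                return not parse_not()
            if tok == "(":
                value = parse_or()
                if pos >= len(tokens) or tokens[pos] != ")":
                    raise ValueError("unbalanced parentheses in %r" % expr)
                pos += 1
                return value
            return self._atom(tok, target, creds)

        result = parse_or()
        if pos != len(tokens):
            raise ValueError("trailing tokens in %r" % expr)
        return result

    def _atom(self, tok, target, creds):
        kind, _, value = tok.partition(":")
        if kind == "rule":                          # reference to a named rule
            return self._evaluate(self.rules[value], target, creds)
        if kind == "role":                          # role carried in the token
            return value in creds.get("roles", ())
        if value.startswith("%(") and value.endswith(")s"):
            value = str(target.get(value[2:-2]))   # e.g. project_id:%(project_id)s
        return str(creds.get(kind)) == value        # generic creds[kind] == value


# Entries from the hunk in the comment above (only those exercised here).
HUNK_RULES = {
    "context_is_admin": "role:admin",
    "context_is_member": "not role:viewer",
    "admin_or_owner": "is_admin:True or (project_id:%(project_id)s and rule:context_is_member)",
    "default": "rule:admin_or_owner",
    "default_or_viewer": "is_admin:True or (project_id:%(project_id)s and not role:viewer)",
    "compute:get_all": "rule:default_or_viewer",
    "compute:stop": "rule:default_or_viewer",
}

# Read-only variant (this example's assumption, not from the page): reads are
# open to every project member, writes stay on admin_or_owner, which a
# viewer-only user fails through context_is_member.
READ_ONLY_RULES = dict(HUNK_RULES)
READ_ONLY_RULES.update({
    "owner_or_viewer": "is_admin:True or project_id:%(project_id)s",
    "compute:get_all": "rule:owner_or_viewer",
    "compute:stop": "rule:admin_or_owner",
})


def allowed(rules, action, roles, project_id="demo"):
    """True if a user holding `roles`, scoped to `project_id`, may perform
    `action` on a resource in that same project. nova derives is_admin by
    evaluating context_is_admin, so that is done here too."""
    policy = Policy(rules)
    creds = {"roles": list(roles), "project_id": project_id}
    creds["is_admin"] = policy.check("context_is_admin", {}, creds)
    return policy.check(action, {"project_id": project_id}, creds)


if __name__ == "__main__":
    for name, rules in (("hunk", HUNK_RULES), ("read-only", READ_ONLY_RULES)):
        for action in ("compute:get_all", "compute:stop", "compute_extension:flavormanage"):
            for roles in (["viewer"], ["member"], ["admin"]):
                print("%-9s %-32s %-10s %s" % (name, action, roles[0], allowed(rules, action, roles)))
```

Running it shows the 403 on compute_extension:flavormanage for user hua that the comment reports (no entry, so "default" applies and context_is_member rejects the viewer role), and also that "not role:viewer" inside default_or_viewer denies the viewer role on compute:get_all; the read-only variant instead lets the viewer list servers while compute:stop still falls to admin_or_owner and is refused.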