
[Openstack] project read-only role or create role with specific capabilities

0 votes

Hi list,

As I understand, keystone only defined two roles:

  • admin
  • non-admin, but can be any role name you want, role1, role2, user, member, whatever

Say there are quite a few people in the same project; so far, the users
assigned the same role have exactly the same rights to a project.

Is it possible to create a role with read-only capabilities for all
resources in a project?

If so, any hints?

In addition, I'd like to create a role which isn't admin but can manage
projects (create a project, delete his project, manage project members,
etc.).

Thanks in advance!

--
Thanks,
Chengwei


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

asked Oct 21, 2017 in openstack by Chengwei_Yang (180 points)  

2 Responses

0 votes

You can achieve what you want by modifying the policy.json of Nova and
other projects to define a readonly role, and create that role in keystone,
then assign it to the users you want.

--
Tang Yaguang


responded Oct 21, 2017 by Yaguang_Tang (1,180 points)

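
An added example, not part of the original thread and not OpenStack code: it shows why a read-only role needs an explicit exclusion in every mutating rule, since an owner-style rule matches any role held in the project. The role name `readonly`, the alias `writer`, the sample policy and the simplified evaluator (and/or/not only, no parentheses, not oslo.policy itself) are assumptions; the `os_compute_api:servers:*` targets are Nova's.

```python
# Constructed Nova-style policy.json fragment (as a dict). "readonly" is an
# assumed role name and "writer" an assumed alias; targets are Nova's names.
POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "writer": "rule:admin_or_owner and not role:readonly",
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:servers:show": "rule:admin_or_owner",
    "os_compute_api:servers:create": "rule:writer",
    "os_compute_api:servers:delete": "rule:admin_or_owner",  # not tightened yet
}
WRITE_ACTIONS = ["os_compute_api:servers:create", "os_compute_api:servers:delete"]


def check(term, creds, target):
    """Evaluate one 'kind:value' check, optionally prefixed with 'not '."""
    term = term.strip()
    if term.startswith("not "):
        return not check(term[4:], creds, target)
    kind, _, value = term.partition(":")
    if kind == "rule":  # reference to another named rule
        return allowed(POLICY[value], creds, target)
    if kind == "role":
        return value.lower() in (r.lower() for r in creds["roles"])
    # Generic check, e.g. project_id:%(project_id)s or is_admin:True
    return str(creds.get(kind)) == value % target


def allowed(rule, creds, target):
    """Simplified evaluator: 'or' of 'and' groups, no parentheses (assumption)."""
    if not rule:  # an empty rule means "always allow"
        return True
    return any(
        all(check(t, creds, target) for t in clause.split(" and "))
        for clause in rule.split(" or ")
    )


def writable_by(role, project="p1"):
    """Write actions a non-admin holding only `role` in `project` may call."""
    creds = {"roles": [role], "project_id": project, "is_admin": False}
    target = {"project_id": project}
    return [a for a in WRITE_ACTIONS if allowed(POLICY[a], creds, target)]


if __name__ == "__main__":
    print("readonly can still write:", writable_by("readonly"))
    print("member can write:", writable_by("member"))
```

Any write action the audit still lists for `readonly` is a rule left at the owner-style default; the same check has to be repeated against the policy file of each service the role should cover.
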
0 votes

Thanks Yaguang, I'll give it a try.

--
Thanks,
Chengwei



responded Oct 23, 2017 by Chengwei_Yang (180 points)  