osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[keystone] Re: Pike: "Observer" or "read-only" admin access?


Hi Ken,

On Thu, Apr 11, 2019, at 15:05, Ken D'Ambrosio wrote:
> Hi, all.  Beginning to roll out a newer-than-what-we-had OpenStack 
> release -- likely to be Pike, "For reasons."  (Which is still *worlds* 
> newer than Juno, where we are.)  And I've been asked if there's such a 
> thing as an account (or ACL) that allows a user to read everything, but 
> write nothing.  Googling, I see mention of such things -- but nothing 
> really firm.  Does it exist?  Is it in Pike (or more recent releases)?  
> If it doesn't exist, is there a graceful way to make it happen, anyway?
> 
> Thanks!
> 
> -Ken
> 
>

There is currently no read-only role that works out of the box in Pike or even in Stein. It's been a longstanding request and we're working on it:

http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html

The problem now is that just creating a role named "reader" in keystone doesn't automatically fix the problem, we need to coordinate with every project to redefine their default policies to use the reader role instead of using a catch-all member/Member/__member__ role. In the mean time, you can modify the policies of the services you run  to limit write operations to non-reader roles:

https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
https://docs.openstack.org/oslo.policy/latest/admin/policy-yaml-file.html

Hope this helps.

Colleen