[keystone] Re: Pike: "Observer" or "read-only" admin access?
On Thu, Apr 11, 2019, at 15:05, Ken D'Ambrosio wrote:
> Hi, all. Beginning to roll out a newer-than-what-we-had OpenStack
> release -- likely to be Pike, "For reasons." (Which is still *worlds*
> newer than Juno, where we are.) And I've been asked if there's such a
> thing as an account (or ACL) that allows a user to read everything, but
> write nothing. Googling, I see mention of such things -- but nothing
> really firm. Does it exist? Is it in Pike (or more recent releases)?
> If it doesn't exist, is there a graceful way to make it happen, anyway?
There is currently no read-only role that works out of the box in Pike or even in Stein. It's been a longstanding request and we're working on it:
The problem now is that just creating a role named "reader" in keystone doesn't automatically fix the problem; we need to coordinate with every project to redefine their default policies to use the reader role instead of using a catch-all member/Member/__member__ role. In the meantime, you can modify the policies of the services you run to limit write operations to non-reader roles:
Hope this helps.
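As an added illustration (not part of the thread) of the interim approach described above, here is a hypothetical oslo.policy override file for one service. It assumes a keystone role named "reader" exists, that the audit account holds that role on each project, and that the service's defaults for these targets are "rule:admin_or_owner"; the target names are Nova's, chosen only as an example.

```yaml
# Added example: a per-service policy override (e.g. /etc/nova/policy.yaml),
# not code from the thread. Assumes a keystone role "reader" assigned to the
# audit user, and a service default of "rule:admin_or_owner" for these targets.

# Read operations: restate the default so a reader can still list and inspect.
"os_compute_api:servers:index": "rule:admin_or_owner"
"os_compute_api:servers:show": "rule:admin_or_owner"

# Weak default (for comparison): any project member, reader included, may write.
# "os_compute_api:servers:create": "rule:admin_or_owner"

# Write operations: require the usual rule AND the absence of the reader role.
"os_compute_api:servers:create": "rule:admin_or_owner and not role:reader"
"os_compute_api:servers:update": "rule:admin_or_owner and not role:reader"
"os_compute_api:servers:delete": "rule:admin_or_owner and not role:reader"
```

Two caveats: any target you do not override keeps its default, so every write target of every service has to be covered, and a user holding both "reader" and an admin or member role loses write access under these rules, so assign "reader" instead of, not in addition to, the other roles.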