osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Pike: "Observer" or "read-only" admin access?


Hi Ken,

On 4/11/19 5:05 PM, Ken D'Ambrosio wrote:
> Hi, all.  Beginning to roll out a newer-than-what-we-had OpenStack
> release -- likely to be Pike, "For reasons."  (Which is still *worlds*
> newer than Juno, where we are.)  And I've been asked if there's such a
> thing as an account (or ACL) that allows a user to read everything,
> but write nothing.  Googling, I see mention of such things -- but
> nothing really firm.  Does it exist?

Not yet, but it is something we're working towards.

> Is it in Pike (or more recent releases)?  

A few projects implemented support for better policy configuration (nova
and keystone) in Pike. During the Queens development cycle there was a
community-wide initiative to register all policy defaults in code [0].
I'm mentioning this because that work makes the changes required for a
read-only role a little easier to manage. At least until things get
fixed upstream.

[0] https://governance.openstack.org/tc/goals/queens/policy-in-code.html

> If it doesn't exist, is there a graceful way to make it happen, anyway?

Yes (though it depends on you definition of "graceful".) Most OpenStack
services support a policy file that facilitates a way for operators to
specify the policies they want to use in their deployment. For example,
if you want to override `identity:get_users = role:reader`, you would do
that in keystone's policy file. Each service has their own policy file,
and most will have defaults in code, so if you don't specify a policy
for a given API a default will be applied.

There has been extensive work done in Pike, Queens, Rocky, and Stein to
make a read-only a first-class citizen in OpenStack. As of the Stein
release, only a handful of projects support it out-of-the-box [1][2]
(see keystone's Stein release notes for more details on what exactly we
worked on for this release). We're hoping it will catch hold in some
other services in the Train and U development cycles.

If you're going to be in Denver for the summit/forum/ptg there is a
hands-on lab scheduled to help people write custom policies while we get
things squared-away by default [3].

[1] https://docs.openstack.org/releasenotes/keystone/stein.html
[2]
http://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
[3]
https://www.openstack.org/summit/denver-2019/summit-schedule/events/23005/access-control-policy-hands-on-lab

>
> Thanks!
>
> -Ken
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190415/8df36f6b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190415/8df36f6b/attachment-0001.sig>