Is it possible to create a customized role?

asked 2011-04-27 04:04:16 -0500

tonytkdk

As the title says.

In my research of RBAC, there are several roles, including sysadmin/PM/developer/netadmin. I'm not very sure how to manage users in my environment with these roles. Is it possible to create a customized role?

My problem:

Assume a project "XYZ" with project manager "hugo", and assign the sysadmin role to the "test" account. I found that "test" can see all instances in this project and terminate any instance at will. It seems not safe.

How can I limit a user's permissions in project XYZ? Could I add a role with permission limits as follows?

======My purpose==============

I hope "test" can only see his own instances / run up an instance / terminate his own instances.

And "hugo" has full permission over all instances.

===What I do now===

Create a project for one user, and assign the sysadmin role to those accounts in their own project.

Associate hugo to all projects.

Is there a better way?

Thanks guys

Cheers, Hugo Kuo


5 answers


answered 2011-04-27 05:25:28 -0500

koolhead17

Is that possible to create customize role ?

NO

assign a sysadmin role for "test" account I found that "test" can see all instances in this project, and terminate any instance as their will. It seems not safe.

Well, as per the RBAC, the role "sysadmin" is meant to do all those jobs; it has nothing to do with not being safe. You can change the permission of the user to only developer and check if he still gets the same permissions.

How can I limit a user's permission in project XYZ?

By associating a user with appropriate roles.

I hope "test" can only see his own instances / run up instance / terminate his own instance And "hugo" owns full permission with all instance.

Well, since "hugo" is project manager, he has the role to do all the things, as superuser.


Comments

good answer

SGPJ (2014-08-30 12:49:50 -0500)

answered 2011-05-05 08:20:51 -0500

tonytkdk

Thanks Vish Ishaya, that solved my question.


answered 2011-04-27 07:35:38 -0500

tonytkdk

Hello, Vish

Yeah, man :) I did that at the beginning... and it's working.

But what I want is for the "test" account to manage only his own instances...

Once I add sysadmin for "test", this account can terminate other users' instances...


answered 2011-04-27 07:23:00 -0500

vishvananda

nova-manage role add user sysadmin

and

nova-manage role add user sysadmin project

You need both. Then you can launch and terminate.

On Apr 26, 2011 11:20 PM, "Hugo Kou" question154383@answers.launchpad.net wrote:

Question #154383 on OpenStack Compute (nova) changed: https://answers.launchpad.net/nova/+q...

Status: Answered => Open

Hugo Kou is still having a problem: <global project> Well, once I change "test" to the <developer sysadmin> role, this user can see all instances in this project, but could not run or terminate an instance.

So, does that mean only the sysadmin role & project manager can run/terminate instances? No other choice?



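The role checks described in this thread, as an added example that is not part of any post and is not Nova's code: a toy Python model in which a role counts only when it is held both globally and in the project, and the terminate decision never looks at the instance owner. The `Auth` class, the user `alice`, the `*-proj` project names, and treating hugo as manager of every project are assumptions made for illustration.

```python
"""Toy model of the role checks described in this thread (constructed; not Nova source)."""

class Auth:
    def __init__(self, managers):
        self.managers = dict(managers)   # project -> project manager
        self.global_roles = {}           # user -> {role}
        self.project_roles = {}          # (user, project) -> {role}

    def role_add(self, user, role, project=None):
        # Same argument order as the commands in the answer: role add user role [project]
        if project is None:
            self.global_roles.setdefault(user, set()).add(role)
        else:
            self.project_roles.setdefault((user, project), set()).add(role)

    def has_role(self, user, role, project):
        # "You need both": the role must be held globally AND in the project.
        return (role in self.global_roles.get(user, set())
                and role in self.project_roles.get((user, project), set()))

    def can_terminate(self, user, instance):
        project = instance["project"]
        # Project-scoped decision: instance["owner"] is never consulted.
        return (self.managers.get(project) == user
                or self.has_role(user, "sysadmin", project))


def demo():
    # Constructed sample data; "alice" and the *-proj names are hypothetical.
    shared = {"project": "XYZ", "owner": "alice"}
    out = {}
    # Assumption: "associate hugo to all projects" is modelled as hugo managing each one.
    auth = Auth({"XYZ": "hugo", "test-proj": "hugo", "alice-proj": "hugo"})
    auth.role_add("test", "sysadmin")                 # global grant only
    out["global_only"] = auth.can_terminate("test", shared)
    auth.role_add("test", "sysadmin", "XYZ")          # plus the project grant
    out["shared_project"] = auth.can_terminate("test", shared)
    # One project per user, as in the question's workaround.
    auth.role_add("test", "sysadmin", "test-proj")
    own = {"project": "test-proj", "owner": "test"}
    isolated = {"project": "alice-proj", "owner": "alice"}
    out["own"] = auth.can_terminate("test", own)
    out["other_users_project"] = auth.can_terminate("test", isolated)
    out["hugo_everywhere"] = all(auth.can_terminate("hugo", i)
                                 for i in (shared, own, isolated))
    return out


if __name__ == "__main__":
    print(demo())
```

In this model the only isolation boundary is the project, which is why the one-project-per-user layout from the question keeps "test" away from other users' instances while hugo retains access everywhere.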

answered 2011-04-27 06:20:38 -0500

tonytkdk

<global project> Well, once I change "test" to the <developer sysadmin> role, this user can see all instances in this project, but could not run or terminate an instance.

So, does that mean only the sysadmin role & project manager can run/terminate instances? No other choice?


Stats

Asked: 2011-04-27 04:04:16 -0500

Seen: 232 times

Last updated: May 05 '11