Custom Role

asked 2014-04-09 00:55:32 -0500

aaron_robin

updated 2014-04-09 04:23:45 -0500

smaffulli

How can I create a custom role in OpenStack? E.g. a project admin, who can view/manage only the projects under him/her as well as add users to his/her projects. It is different from the admin role, which is similar to a cloud admin, where all the projects are managed by him/her.

Where should I set the permissions for this role?


1 answer


answered 2014-04-10 21:56:26 -0500

updated 2014-04-10 22:09:45 -0500

In keystone you can create any role, but I don't think it is going to work with the v2 API. With v3 it will work.

    Sample policy.json (fragment; the "domain_admin" and "owner" rules that the identity rules reference are filled in so the fragment is self-consistent)

    {
        "is_cloud_admin": "role:identity.cloud_admin",
        "is_domain_admin": "role:identity.domain_admin",
        "cloud_admin": "rule:is_cloud_admin",
        "domain_admin": "rule:is_domain_admin",
        "service_role": "role:identity.service",
        "owner": "user_id:%(user_id)s",
        "domain_admin_or_owner": "(rule:is_domain_admin and domain_id:%(domain_id)s) or rule:owner",

        "identity:get_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)",
        "identity:list_projects": "rule:cloud_admin or (rule:domain_admin and domain_id:%(domain_id)s)",
        "identity:list_user_projects": "rule:owner or (rule:domain_admin and domain_id:%(domain_id)s)",
        "identity:create_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(project.domain_id)s)",
        "identity:update_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)",
        "identity:delete_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)"
    }

  1) In keystone create 2 roles: identity.cloud_admin and identity.domain_admin
  2) Using the v3 API create 2 domains and a couple of v3 projects/users in each domain
  3) Assign the role domain_admin to one user in each domain
  4) The domain admin can only list the projects in his domain. A domain admin in another domain can't do anything with the projects in another domain
  5) If you have another user with role "identity.cloud_admin", he can do operations in both the domains

Note: I have used the role name "identity.cloud_admin" instead of the standard "admin". All the OpenStack services consider the role with name "admin" as admin, so there is no way to distinguish between a swift admin and a nova admin. Here you know for sure that identity.cloud_admin is the keystone admin. Also I have prefixed the role name with a namespace to avoid collisions.

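To make steps 4 and 5 of the answer concrete, the following is an added example (not from the answer, not keystone's or oslo.policy's code) that re-implements just enough of the policy rule language to evaluate the sample rules: `role:` checks, `rule:` references, generic `key:%(target)s` checks, `and`/`or` and parentheses. The policy dict mirrors the answer's fragment (the `domain_admin` and `owner` rule definitions are assumed, since the identity rules reference them), and the users, domains `domA`/`domB` and project targets are constructed. Undefined rules simply deny here, whereas the real engine falls back to a `default` rule.

```python
"""Toy evaluator for keystone-style policy.json rules (added example, simplified)."""

# Constructed policy following the answer's scheme. "domain_admin" and "owner"
# are assumed definitions that the identity rules rely on.
POLICY = {
    "is_cloud_admin": "role:identity.cloud_admin",
    "is_domain_admin": "role:identity.domain_admin",
    "cloud_admin": "rule:is_cloud_admin",
    "domain_admin": "rule:is_domain_admin",
    "owner": "user_id:%(user_id)s",
    "identity:get_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(target.project.domain_id)s)",
    "identity:list_projects": "rule:cloud_admin or (rule:domain_admin and domain_id:%(domain_id)s)",
    "identity:list_user_projects": "rule:owner or (rule:domain_admin and domain_id:%(domain_id)s)",
    "identity:create_project": "rule:cloud_admin or (rule:domain_admin and domain_id:%(project.domain_id)s)",
}


def tokenize(rule):
    """Split a rule into '(', ')', 'and', 'or' and kind:match tokens.
    Only parentheses at a token's edges are structural, so the '(' and ')'
    inside '%(domain_id)s' stay part of the check token."""
    tokens = []
    for tok in rule.split():
        while tok.startswith("("):
            tokens.append("(")
            tok = tok[1:]
        trailing = 0
        while tok.endswith(")"):
            trailing += 1
            tok = tok[:-1]
        if tok:
            tokens.append(tok)
        tokens.extend([")"] * trailing)
    return tokens


def check(token, creds, target, depth):
    """Evaluate one kind:match check against the caller's credentials."""
    kind, _, match = token.partition(":")
    if kind == "rule":                      # reference to another named rule
        return enforce(match, creds, target, depth + 1)
    if kind == "role":                      # role granted on the scoped token
        return match in creds.get("roles", [])
    try:                                    # generic check: fill %(key)s from target
        expected = match % target
    except KeyError:
        return False                        # missing target attribute denies
    return kind in creds and str(creds[kind]) == expected


def evaluate(tokens, creds, target, depth=0):
    """Recursive-descent evaluation: 'or' binds loosest, then 'and', then parens."""
    pos = 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()               # always consume the right side
            result = result or rhs
        return result

    def parse_and():
        nonlocal pos
        result = parse_atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_atom()
            result = result and rhs
        return result

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            result = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in rule")
            pos += 1
            return result
        return check(tok, creds, target, depth)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens: %r" % tokens[pos:])
    return result


def enforce(action, creds, target, depth=0, policy=POLICY):
    """True if creds may perform action on target; unknown rules deny."""
    if depth > 20:
        raise ValueError("rule recursion too deep")
    rule = policy.get(action)
    if rule is None:
        return False
    return evaluate(tokenize(rule), creds, target, depth)


# Constructed credentials: a domain admin in each domain plus one cloud admin.
ALICE = {"user_id": "alice", "domain_id": "domA", "roles": ["identity.domain_admin"]}
BOB = {"user_id": "bob", "domain_id": "domB", "roles": ["identity.domain_admin"]}
CLOUD = {"user_id": "root", "domain_id": "admin_domain", "roles": ["identity.cloud_admin"]}
CAROL = {"user_id": "carol", "domain_id": "domA", "roles": ["Member"]}


def walkthrough():
    """Steps 4 and 5 of the answer: who may read or create projects where."""
    proj_a = {"target.project.domain_id": "domA"}
    proj_b = {"target.project.domain_id": "domB"}
    return {
        "alice_gets_own_project": enforce("identity:get_project", ALICE, proj_a),
        "alice_gets_other_project": enforce("identity:get_project", ALICE, proj_b),
        "bob_lists_domA": enforce("identity:list_projects", BOB, {"domain_id": "domA"}),
        "alice_creates_in_domB": enforce("identity:create_project", ALICE, {"project.domain_id": "domB"}),
        "cloud_gets_project_in_B": enforce("identity:get_project", CLOUD, proj_b),
        "cloud_creates_in_domA": enforce("identity:create_project", CLOUD, {"project.domain_id": "domA"}),
        "bob_lists_own_user_projects": enforce("identity:list_user_projects", BOB, {"user_id": "bob", "domain_id": "domB"}),
        "plain_member_denied": enforce("identity:list_projects", CAROL, {"domain_id": "domA"}),
    }


if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print("%-30s %s" % (name, "ALLOW" if allowed else "DENY"))
```

The point to take from the run is that scoping comes from the `domain_id:%(...)s` comparison, not from the role name alone: the same `identity.domain_admin` role is allowed or denied depending on whether the target's domain matches the domain the token is scoped to, while `identity.cloud_admin` short-circuits every rule through `rule:cloud_admin`. The tokenizer deliberately treats only leading and trailing parentheses as grouping, which is why the `%(target.project.domain_id)s` substitution survives intact.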
