
Is there an account-role combination available to collect data from the Nova and Ceilometer API for an entire cloud without having to use an account with full admin rights, which has global access to all resources?

asked 2016-06-08 12:59:39 -0600

Many IT security teams recoil at the thought of releasing such broad administrative rights for collecting data for monitoring purposes. Right now it looks like only two user roles are available, standard and admin, the latter with full access across the whole cloud. However, I was wondering whether such a question has been raised before. The data collected is used for capacity planning purposes.


1 answer


answered 2016-06-28 17:32:14 -0600

edmondsw

There has been talk of an "observer" role that is read-only, but that has not been implemented to date. Many users have customized their policy.json files to add new roles that they define. You could do that in the meantime.

Also, if your cloud has multiple keystone projects/tenants (synonymous terms), then be aware that only the admin role allows you to make requests (with limitations) across all projects. I.e., if you define your own non-admin role, also plan on making separate requests for each project until/unless support for global roles is implemented (also discussed but not implemented to date).

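The per-project collection pattern described in the answer above, as an added example that is not part of the original post or OpenStack's own code: a non-admin monitoring account requests one project-scoped Keystone v3 token per project and makes a read-only Nova call with each. The endpoint URLs, the `collect` helper and its injectable `send` parameter are assumptions for illustration; the account is assumed to hold a custom read-only role in each project it should see.

```python
import json
import urllib.error
import urllib.request

KEYSTONE = "https://keystone.example.test:5000/v3"  # placeholder endpoint
NOVA = "https://nova.example.test:8774/v2.1"        # placeholder endpoint


def token_request(user, password, project_id, domain_id="default"):
    """Build a Keystone v3 password-auth request scoped to ONE project."""
    body = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "domain": {"id": domain_id}, "password": password}}},
        "scope": {"project": {"id": project_id}}}}
    return urllib.request.Request(
        KEYSTONE + "/auth/tokens", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")


def servers_request(token):
    """Read-only Nova call; a non-admin token only sees its own project."""
    return urllib.request.Request(
        NOVA + "/servers/detail", headers={"X-Auth-Token": token}, method="GET")


def collect(user, password, project_ids, send=urllib.request.urlopen):
    """One scoped token and one read request per project, keyed by project id.

    A project where the account has no role assignment is rejected by
    Keystone (HTTP 401) and recorded as None, so coverage gaps stay visible.
    """
    inventory = {}
    for pid in project_ids:
        try:
            with send(token_request(user, password, pid)) as resp:
                token = resp.headers["X-Subject-Token"]
            with send(servers_request(token)) as resp:
                inventory[pid] = json.load(resp)["servers"]
        except urllib.error.HTTPError:
            inventory[pid] = None
    return inventory
```

The same loop applies to Ceilometer by swapping `servers_request` for a request against the telemetry endpoint with the same project-scoped token.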


Stats

Asked: 2016-06-08 12:59:39 -0600

Seen: 53 times

Last updated: Jun 08 '16