Is there an account-role combination available to collect data from the Nova and Ceilometer API for an entire cloud without having to use an account with full admin rights, which has global access to all resources?

asked 2016-06-08 12:59:39 -0500

Many IT security teams recoil at the thought of releasing such broad administrative rights for collecting data for monitoring purposes. Right now it looks like only two user roles are available, standard and admin, the latter with full access across the whole cloud. However, I was wondering whether such a question has been raised before. The data collected is used for capacity planning purposes.


1 answer


answered 2016-06-28 17:32:14 -0500

edmondsw

There has been talk of an "observer" role that is read-only, but that has not been implemented to date. Many users have customized their policy.json files to add new roles that they define. You could do that in the meantime.

Also, if your cloud has multiple keystone projects/tenants (synonymous terms), then be aware that only the admin role allows you to make requests (with limitations) across all projects. I.e., if you define your own non-admin role, also plan on making separate requests for each project until/unless support for global roles is implemented (also discussed but not implemented to date).

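A custom read-only role in policy.json is only as narrow as the rules that name it. The script below is an added example, not part of the answer above or of OpenStack: it follows `rule:` aliases to find every API action whose rule mentions a given role and reports those outside an approved read-only set. The role name `observer`, the alias names and the sample policy are constructed for illustration.

```python
import re

# Constructed sample in policy.json form. "observer" is a role you define
# yourself; verify the action names against your own release's policy file.
SAMPLE_POLICY = {
    "admin_api": "is_admin:True",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "observer_in_project": "role:observer and project_id:%(project_id)s",
    "read_access": "rule:admin_or_owner or rule:observer_in_project",
    "os_compute_api:servers:index": "rule:read_access",
    "os_compute_api:servers:detail": "rule:read_access",
    "os_compute_api:servers:show": "rule:read_access",
    "os_compute_api:os-hypervisors": "rule:admin_api or role:observer",
    "os_compute_api:servers:create": "rule:admin_or_owner",
    # Deliberate mistake for the audit to catch: a write action reuses read_access.
    "os_compute_api:servers:delete": "rule:read_access",
}
# Actions the operator has reviewed and accepts as read-only (assumption).
APPROVED_READS = {
    "os_compute_api:servers:index", "os_compute_api:servers:detail",
    "os_compute_api:servers:show", "os_compute_api:os-hypervisors",
}
CHECK = re.compile(r"\b(role|rule):([^\s()]+)")


def roles_reaching(policy, name, seen=None):
    """Roles named by rule `name`, following rule: aliases transitively."""
    seen = set() if seen is None else seen
    if name in seen or name not in policy:
        return set()  # already visited (cycle guard) or undefined alias
    seen.add(name)
    roles = set()
    for kind, value in CHECK.findall(policy[name]):
        if kind == "role":
            roles.add(value.lower())
        else:
            roles |= roles_reaching(policy, value, seen)
    return roles


def audit(policy, role, approved_reads):
    """Actions (names containing ':') that mention `role` but are not approved.
    Over-approximates: a role under `not` is still counted as a mention."""
    return sorted(
        action for action in policy
        if ":" in action and action not in approved_reads
        and role.lower() in roles_reaching(policy, action)
    )


if __name__ == "__main__":
    for action in audit(SAMPLE_POLICY, "observer", APPROVED_READS):
        print("observer can reach non-read action:", action)
```

To audit a real deployment, load each service's policy.json with `json.load` and pass the resulting dict in place of `SAMPLE_POLICY`; this sketch assumes every rule is written as a string expression.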


Seen: 77 times

Last updated: Jun 08 '16