custom roles for swift and cinder

asked 2016-09-20 07:54:43 -0600

CloudEnthusiast

Hello All,

I want to create two Keystone users with custom roles, as below, for one of my tenants in OpenStack (Mitaka):

  • one user who can only access and manage Swift, without permissions on any other service.
  • another one who will manage Cinder resources alone and no other resource.

I am a bit aware of the policy.json file for defining custom roles. BTW, I could not find a policy.json file for Swift in the /etc/swift directory!! But block storage has a policy.json in the /etc/cinder directory.

Can anyone please suggest how to achieve this?

--Thanks


1 answer


answered 2016-09-27 11:32:55 -0600

Donagh McCabe

Swift does not use a policy.json file.

Instead, Swift has two configurable items -- in the keystoneauth section of the proxy-server.conf file:

operator_roles -- if the user has any of the roles listed here, they can create, delete, etc. containers and objects in the project(s) where they have this role.

reseller_admin_role -- if the user has any of the roles listed here, they can access any/all project data in Swift.

If you don't find them in your proxy-server.conf file, it means they default to:

    operator_roles = Admin, swiftoperator
    reseller_admin_role = ResellerAdmin

So, if you want a user who can manage any/all Swift accounts, you could give them the ResellerAdmin role (on any project). Assuming this role is not listed in the policy file of anything else (a safe bet), this user can only manage Swift and has no access to any other service.

There is one snag with this -- the swift and openstack CLIs will only let you scope to one project at a time --- so in effect to use the ResellerAdmin role, you can use the normal tooling to get a token (for the project that they have ResellerAdmin role on) and then use a tool such as curl to access a different project. There is a hidden danger here -- this user could accidentally delete the project (aka account) in Swift. There is no way back from this.

Hence, a better way might be to use the "swiftoperator" role. Give the user "swiftoperator" on all projects (and don't give "swiftoperator" to any other user). This allows the user to access any project simply by setting OS_PROJECT_NAME (assuming you use the CLI). Since "swiftoperator" is not in any other policy.json file, other OpenStack components will not allow that user to have access.

On the Cinder side, you need to create a custom policy.json file. You can create a single role that means your Cinder user only needs a role on a single project (something like Swift's ResellerAdmin). However, you have the same problem as mentioned above about using the CLIs. Hence, the best bet is to invent a role that only Cinder uses and give the user that role on ALL projects.

Here's where you hit a snag. To do anything useful in Cinder, that user must also be able to access all projects in Swift -- this is because Cinder stores backups, etc. in Swift -- using the same project as the volume. Hence, you will probably need to give that user access to all projects in Swift. So this user will also be able to access any data (not just the data generated by Cinder) in Swift. One way around this is to not use Cinder's default Swift storage layout, but to use a dedicated Swift account that stores all Cinder data in one Swift account.

In summary:

  • If you've followed the above, you can (almost) do what you asked in your question

  • If you don't understand some of the ...

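The two keystoneauth settings in the answer decide which Swift accounts a token can reach. The following is an added example, not Swift's own code: a simplified model of those checks, with a constructed proxy-server.conf fragment, showing why "swiftoperator" on one project reaches only that project's account while "ResellerAdmin" reaches every account. The AUTH_ account prefix and the case-insensitive role comparison are assumptions about keystoneauth's behaviour.

```python
# Added example (not Swift's code): a simplified model of the keystoneauth
# role checks described in the answer, to show which accounts each role reaches.
import configparser

# Defaults the answer quotes for a proxy-server.conf that lacks these keys.
DEFAULT_OPERATOR_ROLES = "Admin, swiftoperator"
DEFAULT_RESELLER_ADMIN_ROLE = "ResellerAdmin"
ACCOUNT_PREFIX = "AUTH_"  # keystoneauth's default reseller prefix (assumed)

# Constructed proxy-server.conf fragment; only the keystoneauth filter matters here.
SAMPLE_PROXY_CONF = """
[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = Admin, swiftoperator
reseller_admin_role = ResellerAdmin
"""


def load_keystoneauth_roles(conf_text):
    """Return (operator_roles, reseller_admin_roles) as lower-cased sets,
    falling back to the defaults when the key or section is absent."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    ops = cp.get("filter:keystoneauth", "operator_roles", fallback=DEFAULT_OPERATOR_ROLES)
    reseller = cp.get("filter:keystoneauth", "reseller_admin_role", fallback=DEFAULT_RESELLER_ADMIN_ROLE)
    split = lambda s: {r.strip().lower() for r in s.split(",") if r.strip()}
    return split(ops), split(reseller)


def swift_allows(token_roles, token_project_id, account, operator_roles, reseller_admin_roles):
    """True if a token (roles + scoped project) may manage `account`.
    Mirrors the two rules in the answer: a reseller-admin role reaches every
    account; an operator role reaches only the scoped project's own account."""
    roles = {r.lower() for r in token_roles}
    if roles & reseller_admin_roles:
        return True
    if account != ACCOUNT_PREFIX + token_project_id:
        return False  # scoped to a different project: operator roles do not apply
    return bool(roles & operator_roles)


def demo():
    ops, resellers = load_keystoneauth_roles(SAMPLE_PROXY_CONF)
    # swiftoperator on p1 reaches AUTH_p1 only; hence "give it on ALL projects"
    a = swift_allows(["swiftoperator"], "p1", "AUTH_p1", ops, resellers)
    b = swift_allows(["swiftoperator"], "p1", "AUTH_p2", ops, resellers)
    # ResellerAdmin on any project reaches every account
    c = swift_allows(["ResellerAdmin"], "p1", "AUTH_p2", ops, resellers)
    # a plain project member with no Swift role is refused
    d = swift_allows(["member"], "p1", "AUTH_p1", ops, resellers)
    return a, b, c, d


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```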

Comments

Thank you very much for the pretty detailed explanation.

I want to get a good understanding of Keystone concepts like the service catalog, roles and policy.json file usage; can you please provide me some good pointers. --Regards

CloudEnthusiast (2016-11-05 22:24:28 -0600)
