
Mailing List Archive: OpenStack: Dev

Keystone 2012.1 - global and private endpoints



leandro.reox at gmail

May 10, 2012, 7:58 AM

Post #1 of 5 (97 views)
Keystone 2012.1 - global and private endpoints

Hi all,

I was wondering if there is any way to create private and global endpoints
in Keystone Essex final. What for?

I have users defined for specific applications; for example, I want the
"images" user to have access only to the Swift endpoint, but not to nova,
etc.

In previous versions of Keystone, you could define an "is_global" attribute for
an endpoint, or create a direct relationship between a tenant and an
endpoint if your endpoint was previously defined as non-global.

Is there any way to do this in the new Essex final Keystone? If not, how
do I prevent the Swift users from creating instances on nova?

Regards
Lele


lorin at nimbisservices

May 12, 2012, 4:45 AM

Post #2 of 5 (81 views)
Re: Keystone 2012.1 - global and private endpoints [In reply to]

Leandro:

On May 10, 2012, at 10:58 AM, Leandro Reox wrote:

> Hi all,
>
> I was wondering if there is any way to create private and global endpoints in Keystone Essex final. What for?
>
> I have users defined for specific applications; for example, I want the "images" user to have access only to the Swift endpoint, but not to nova, etc.
>
> In previous versions of Keystone, you could define an "is_global" attribute for an endpoint, or create a direct relationship between a tenant and an endpoint if your endpoint was previously defined as non-global.
>
> Is there any way to do this in the new Essex final Keystone? If not, how do I prevent the Swift users from creating instances on nova?
>

The /etc/$APP/policy.json controls what users are allowed to do for $APP. For example, /etc/nova/policy.json controls this for nova, /etc/glance/policy.json controls glance. (I think swift uses a different scheme).

If you want to restrict users from doing things in nova, you need to create a role in keystone and then modify /etc/nova/policy.json so that this role is required for nova operations.

For example, you could create a role called "novauser", and then modify /etc/nova/policy.json to require that role for every operation. I think it would look like this (haven't tried this myself):

{
    "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
    "default": [["rule:admin_or_owner"]],

    "compute:create": [["role:novauser"]],
    "compute:create:attach_network": [["role:novauser"]],
    "compute:create:attach_volume": [["role:novauser"]],
    "compute:get_all": [["role:novauser"]],

    "admin_api": [["role:admin"]],
    "compute_extension:accounts": [["rule:admin_api"]],
    "compute_extension:admin_actions": [["rule:admin_api"]],
    "compute_extension:admin_actions:pause": [["rule:admin_or_owner"]],
    "compute_extension:admin_actions:unpause": [["rule:admin_or_owner"]],
    "compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]],
    "compute_extension:admin_actions:resume": [["rule:admin_or_owner"]],
    "compute_extension:admin_actions:lock": [["rule:admin_api"]],
    "compute_extension:admin_actions:unlock": [["rule:admin_api"]],
    "compute_extension:admin_actions:resetNetwork": [["rule:admin_api"]],
    "compute_extension:admin_actions:injectNetworkInfo": [["rule:admin_api"]],
    "compute_extension:admin_actions:createBackup": [["rule:admin_or_owner"]],
    "compute_extension:admin_actions:migrateLive": [["rule:admin_api"]],
    "compute_extension:admin_actions:migrate": [["rule:admin_api"]],
    "compute_extension:aggregates": [["rule:admin_api"]],
    "compute_extension:certificates": [["role:novauser"]],
    "compute_extension:cloudpipe": [["rule:admin_api"]],
    "compute_extension:console_output": [["role:novauser"]],
    "compute_extension:consoles": [["role:novauser"]],
    "compute_extension:createserverext": [["role:novauser"]],
    "compute_extension:deferred_delete": [["role:novauser"]],
    "compute_extension:disk_config": [["role:novauser"]],
    "compute_extension:extended_server_attributes": [["rule:admin_api"]],
    "compute_extension:extended_status": [["role:novauser"]],
    "compute_extension:flavorextradata": [["role:novauser"]],
    "compute_extension:flavorextraspecs": [["role:novauser"]],
    "compute_extension:flavormanage": [["rule:admin_api"]],
    "compute_extension:floating_ip_dns": [["role:novauser"]],
    "compute_extension:floating_ip_pools": [["role:novauser"]],
    "compute_extension:floating_ips": [["role:novauser"]],
    "compute_extension:hosts": [["rule:admin_api"]],
    "compute_extension:keypairs": [["role:novauser"]],
    "compute_extension:multinic": [["role:novauser"]],
    "compute_extension:networks": [["rule:admin_api"]],
    "compute_extension:quotas": [["role:novauser"]],
    "compute_extension:rescue": [["role:novauser"]],
    "compute_extension:security_groups": [["role:novauser"]],
    "compute_extension:server_action_list": [["rule:admin_api"]],
    "compute_extension:server_diagnostics": [["rule:admin_api"]],
    "compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],
    "compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],
    "compute_extension:users": [["rule:admin_api"]],
    "compute_extension:virtual_interfaces": [["role:novauser"]],
    "compute_extension:virtual_storage_arrays": [["role:novauser"]],
    "compute_extension:volumes": [["role:novauser"]],
    "compute_extension:volumetypes": [["role:novauser"]],

    "volume:create": [["role:novauser"]],
    "volume:get_all": [["role:novauser"]],
    "volume:get_volume_metadata": [["role:novauser"]],
    "volume:get_snapshot": [["role:novauser"]],
    "volume:get_all_snapshots": [["role:novauser"]],

    "network:get_all_networks": [["role:novauser"]],
    "network:get_network": [["role:novauser"]],
    "network:delete_network": [["role:novauser"]],
    "network:disassociate_network": [["role:novauser"]],
    "network:get_vifs_by_instance": [["role:novauser"]],
    "network:allocate_for_instance": [["role:novauser"]],
    "network:deallocate_for_instance": [["role:novauser"]],
    "network:validate_networks": [["role:novauser"]],
    "network:get_instance_uuids_by_ip_filter": [["role:novauser"]],

    "network:get_floating_ip": [["role:novauser"]],
    "network:get_floating_ip_pools": [["role:novauser"]],
    "network:get_floating_ip_by_address": [["role:novauser"]],
    "network:get_floating_ips_by_project": [["role:novauser"]],
    "network:get_floating_ips_by_fixed_address": [["role:novauser"]],
    "network:allocate_floating_ip": [["role:novauser"]],
    "network:deallocate_floating_ip": [["role:novauser"]],
    "network:associate_floating_ip": [["role:novauser"]],
    "network:disassociate_floating_ip": [["role:novauser"]],

    "network:get_fixed_ip": [["role:novauser"]],
    "network:add_fixed_ip_to_instance": [["role:novauser"]],
    "network:remove_fixed_ip_from_instance": [["role:novauser"]],
    "network:add_network_to_project": [["role:novauser"]],
    "network:get_instance_nw_info": [["role:novauser"]],

    "network:get_dns_domains": [["role:novauser"]],
    "network:add_dns_entry": [["role:novauser"]],
    "network:modify_dns_entry": [["role:novauser"]],
    "network:delete_dns_entry": [["role:novauser"]],
    "network:get_dns_entries_by_address": [["role:novauser"]],
    "network:get_dns_entries_by_name": [["role:novauser"]],
    "network:create_private_dns_domain": [["role:novauser"]],
    "network:create_public_dns_domain": [["role:novauser"]],
    "network:delete_dns_domain": [["role:novauser"]]
}


Take care,

Lorin
--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com
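
Added example (not part of the thread and not nova's own code): a simplified model of how this style of policy.json is matched, used to audit which actions a tenant member without the "novauser" role can still reach. It assumes the outer list is OR, each inner list is AND, and a rule missing from the file falls back to "default"; the sample users, the HARDENED variant and the unlisted "compute:delete" action are constructed for illustration.

```python
# Added example: simplified model of Essex-style policy.json matching.
# Not nova's code; is_allowed, reachable and the sample users are hypothetical.

# Constructed excerpt of the policy posted in the thread.
POLICY = {
    "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
    "default": [["rule:admin_or_owner"]],
    "admin_api": [["role:admin"]],
    "compute:create": [["role:novauser"]],
    "compute:get_all": [["role:novauser"]],
    "compute_extension:admin_actions:pause": [["rule:admin_or_owner"]],
    "compute_extension:hosts": [["rule:admin_api"]],
}

# One possible tightening (an assumption, not from the thread): require the
# role in "default" and alongside ownership instead of ownership alone.
HARDENED = dict(POLICY)
HARDENED["default"] = [["role:admin"], ["role:novauser"]]
HARDENED["compute_extension:admin_actions:pause"] = [
    ["role:admin"],
    ["role:novauser", "project_id:%(project_id)s"],
]

# Constructed credentials: both users belong to the same tenant.
IMAGES_USER = {"roles": ["swiftuser"], "project_id": "tenant-a"}
NOVA_USER = {"roles": ["novauser"], "project_id": "tenant-a"}
TARGET = {"project_id": "tenant-a"}  # the resource being acted on

# "compute:delete" is deliberately absent from POLICY to exercise the fallback.
ACTIONS = [
    "compute:create",
    "compute:get_all",
    "compute:delete",
    "compute_extension:admin_actions:pause",
    "compute_extension:hosts",
]


def _term(term, rules, target, creds, seen):
    """Evaluate one 'kind:value' string."""
    kind, value = term.split(":", 1)
    if kind == "rule":
        return _rule(value, rules, target, creds, seen)
    if kind == "role":
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic match, e.g. project_id:%(project_id)s against the target.
    try:
        expected = value % target
    except (KeyError, TypeError, ValueError):
        return False  # fail closed when the target lacks the field
    return kind in creds and creds[kind] == expected


def _match(match_list, rules, target, creds, seen):
    """Outer list is OR, inner list is AND; an empty list allows everyone."""
    if not match_list:
        return True
    for and_list in match_list:
        if isinstance(and_list, str):
            and_list = [and_list]
        if all(_term(t, rules, target, creds, seen) for t in and_list):
            return True
    return False


def _rule(name, rules, target, creds, seen):
    """Look up a named rule; unknown names fall back to 'default'."""
    if name not in rules:
        name = "default"
    if name not in rules or name in seen:  # missing default or a rule cycle
        return False
    return _match(rules[name], rules, target, creds, seen | {name})


def is_allowed(action, rules, target, creds):
    return _rule(action, rules, target, creds, frozenset())


def reachable(rules, creds, target=TARGET, actions=ACTIONS):
    """Sorted list of the audited actions this user may perform."""
    return sorted(a for a in actions if is_allowed(a, rules, target, creds))


if __name__ == "__main__":
    print("posted policy, images user:  ", reachable(POLICY, IMAGES_USER))
    print("hardened policy, images user:", reachable(HARDENED, IMAGES_USER))
    print("hardened policy, nova user:  ", reachable(HARDENED, NOVA_USER))
```

Under this model, any action left on "rule:admin_or_owner", or absent from the file, stays reachable to every member of the tenant regardless of role.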


leandro.reox at gmail

May 12, 2012, 5:43 AM

Post #3 of 5 (79 views)
Re: Keystone 2012.1 - global and private endpoints [In reply to]

Clear as crystal. Thanks a lot Lorin! I didn't see this reflected in the
docs.

Best
Lean


lorin at nimbisservices

May 12, 2012, 6:10 AM

Post #4 of 5 (78 views)
Re: Keystone 2012.1 - global and private endpoints [In reply to]

Unfortunately, it isn't in the docs yet. :(

I'm hoping to find some time to add this to the docs in the next few days.

Take care,

Lorin
--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com






lorin at nimbisservices

May 21, 2012, 9:40 AM

Post #5 of 5 (67 views)
Re: Keystone 2012.1 - global and private endpoints [In reply to]

These are now in the docs: http://docs.openstack.org/trunk/openstack-compute/admin/content/keystone-concepts.html

Take care,

Lorin
--
Lorin Hochstein
Lead Architect - Cloud Services
Nimbis Services, Inc.
www.nimbisservices.com



