openstack/tripleo-docs
Code Issues Proposed changes
tripleo-docs/deploy-guide/source/features/api_policies.rst
Alex Schultz c6918e5da6 Migrate install to deploy-guide 
The deployment guide is currently pointed at triplo-docs but it has been
requested that we actually publish a deployment guide. This change
extracts many of the installation doc pages and moves them into the
deploy-guide source tree.  Once the deploy-guide is published, we will
follow up to reference the deployment guide from tripleo-docs.

Change-Id: I0ebd26f014180a92c6cf4ab0929d99b2d860796f
2019-08-16 15:42:17 -06:00

1003 B
Raw Blame History

Configuring API access policies

Each OpenStack service, has its own role-based access policies. They determine which user can access which resources in which way, and are defined in the services policy.json file.

Warning

While editing policy.json is supported, modifying the policy can have unexpected side effects and is not encouraged.

supports custom API access policies through parameters in TripleO Heat Templates. To enable this feature, you need to use some parameters to enable the custom policies on the services you want.

Creating an environment file and adding the following arguments to your openstack overcloud deploy command will do the trick:

$ cat ~/nova-policies.yaml
parameter_defaults:
  NovaApiPolicies: { nova-context_is_admin: { key: 'compute:get_all', value: '' } }

-e nova-policies.yaml

In this example, we allow anyone to list Nova instances, which is very insecure but can be done with this feature.