Minor grammar fixes. Updated the commands line to use the standard ~(keystone_admin)]$. Minor text updates. Created the Keystone Account Roles doc. Updated the doc toctree to add a new file. Story: 2010149 Task: 46908 Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: I61f79ee8d5dca3410c8e5f155b8e820305176248
Keystone Account Roles
In , 3 different keystone roles are supported: admin, member and reader.
Users with an admin role in the admin project can execute any action in the system.
Users with a reader role in the admin project have read-only access. They cannot perform any changes in the system but can read any configuration. In the , commands whose name carries the prefix or suffix list, query, show or summary only get configuration from the system and are allowed for this type of user; all other commands are denied. Some examples of commands executed by a user with the reader role are shown below.
~(keystone_admin)]$ system host-list
+-----+--------------+-------------+----------------+-------------+--------------+
| id | hostname | personality | administrative | operational | availability |
+-----+--------------+-------------+----------------+-------------+--------------+
| 1 | controller-0 | controller | unlocked | enabled | degraded |
+-----+--------------+-------------+----------------+-------------+--------------+
~(keystone_admin)]$ system host-lock controller-0
Error: Forbidden
~(keystone_admin)]$ fm alarm-summary
+-----------------+--------------+--------------+----------+
| Critical Alarms | Major Alarms | Minor Alarms | Warnings |
+-----------------+--------------+--------------+----------+
| 1 | 13 | 0 | 0 |
+-----------------+--------------+--------------+----------+
~(keystone_admin)]$ fm event-suppress --alarm_id 100.103
Error: Forbidden.
Exception: all fm read-only commands require the reader role, but there is no project verification, so a user in a project different from admin may execute them. Examples: alarm-list, alarm-show, alarm-summary, event-list, event-show and event-suppress-list.
Currently, the member role is equivalent to the reader role, but this may change in the future, allowing a user with the member role to execute some actions that change the system configuration.
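As an added example (not code from this documentation or from the product's own policy enforcement), the following Python model encodes the authorization rule described above so the allow/deny outcomes of the sample session can be reproduced and checked offline. The User class, the read-only keyword set and the handling of cases the text does not cover (a user outside the admin project running non-fm commands is treated as denied) are assumptions of this model.

```python
"""Model of the keystone-role authorization rule described above.

Added example: this is not code from the documentation or from the product.
It encodes the stated rule (reader/member in the admin project may run only
commands whose name carries a read-only prefix or suffix: list, query, show,
summary; admin in the admin project may run anything) plus the documented
exception that fm read-only commands check only the role, not the project.
Behaviour for cases the text does not cover, such as a user outside the
admin project running non-fm commands, is an assumption here (denied).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Read-only keywords the text names as allowed prefixes/suffixes
READ_ONLY_KEYWORDS = {"list", "query", "show", "summary"}

# Roles that currently get read-only access (member is equivalent to reader)
READ_ROLES = {"admin", "reader", "member"}


@dataclass(frozen=True)
class User:
    """Keystone user as seen by the CLI: name, role and project (hypothetical)."""
    name: str
    role: str      # "admin", "member" or "reader"
    project: str   # keystone project the role is assigned in, e.g. "admin"


def is_read_only(subcommand: str) -> bool:
    """True when the subcommand starts or ends with a read-only keyword.

    "host-list", "alarm-summary" and "event-suppress-list" are read-only;
    "host-lock" and "event-suppress" are not.
    """
    parts = subcommand.split("-")
    return parts[0] in READ_ONLY_KEYWORDS or parts[-1] in READ_ONLY_KEYWORDS


def authorize(user: User, command: str) -> bool:
    """Decide whether `user` may run `command`, e.g. "system host-lock controller-0".

    Only the service name and the subcommand are inspected; arguments are
    ignored, because the text states the decision in terms of the command name.
    """
    tokens = command.split()
    if len(tokens) < 2:
        raise ValueError(f"expected '<service> <subcommand> ...', got {command!r}")
    service, subcommand = tokens[0], tokens[1]
    read_only = is_read_only(subcommand)

    if service == "fm" and read_only:
        # Documented exception: fm read-only commands check the role only,
        # so a reader in another project can still run them.
        return user.role in READ_ROLES

    if user.project != "admin":
        # Assumption: nothing else is granted outside the admin project.
        return False
    if user.role == "admin":
        return True
    if user.role in ("reader", "member"):
        return read_only
    return False


def run_session(user: User, commands: List[str]) -> List[Tuple[str, str]]:
    """Replay CLI commands and return (command, outcome) pairs, where outcome
    is "ok" or the "Error: Forbidden" message the CLI prints on denial."""
    return [(c, "ok" if authorize(user, c) else "Error: Forbidden") for c in commands]


if __name__ == "__main__":
    # Constructed session mirroring the reader-role examples in the text
    reader = User("readeruser", "reader", "admin")
    for cmd, outcome in run_session(reader, [
        "system host-list",
        "system host-lock controller-0",
        "fm alarm-summary",
        "fm event-suppress --alarm_id 100.103",
    ]):
        print(f"~(keystone_admin)]$ {cmd}\n{outcome}")
```

Running the module replays the four commands from the session above and reports "ok" for the two read-only ones and "Error: Forbidden" for host-lock and event-suppress; changing the reader's project to anything other than admin shows the fm exception, since fm alarm-summary stays allowed while system host-list becomes forbidden.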
The following sections describe how to create users with specific keystone roles in .
Creation of user with specific role for Horizon only
Use the following commands to add a new user named readeruser with password "Passw0rd*" and role reader:
~(keystone_admin)]$ openstack user create readeruser --project admin --password Passw0rd*
~(keystone_admin)]$ openstack role add --project admin --user readeruser reader
To create a user with the admin role instead of the reader role, change reader to admin in the openstack role add command.
When this user is added in the central cloud, it is propagated to the managed subclouds. To check whether this new user is already present on a host, use the openstack user list command.
Creation of user with specific role for Horizon and CLI
Follow the instructions in Manage Composite Local LDAP Accounts at Scale <manage-local-ldap-39fe3a85a528> using the parameter user_role=reader in extra-vars of the manage_local_ldap_account.yml playbook to create a user with the reader role. To create a user with the admin role, use user_role=admin instead.
Warning
Users with the reader role do not have sudo capabilities; use sudo_permission=false when the user's role is user_role=reader.