Is it possible to create a customized role?

Asked by Hugo Kou

As in the title.

In my research of RBAC, there are several roles, including sysadmin/PM/developer/netadmin. I'm not very sure how to manage users in my environment with these roles. Is it possible to create a customized role?

My problem:

Assume a project "XYZ" and project manager "hugo", and assign a sysadmin role to the "test" account.
I found that "test" can see all instances in this project, and terminate any instance at will. It seems not safe.

How can I limit a user's permission in project XYZ?
Could I add a role with permission limits as follows?

======My purpose==============
I hope "test" can only see his own instances / run up instances / terminate his own instances
And "hugo" has full permission on all instances.
===========================

===What I do now===
Create a project for each user, and assign the sysadmin role to those accounts in their own project.
Associate hugo to all projects.
===============

Is there a better way?

Thanks guys

Cheers,
Hugo Kuo

Question information

Language: English
Status: Solved
For: OpenStack Compute (nova)
Assignee: No assignee
Solved by: Vish Ishaya

koolhead17 (koolhead17) said :
#1

> Is it possible to create a customized role?

NO

> assign a sysadmin role to the "test" account
> I found that "test" can see all instances in this project, and terminate any instance at will. It seems not safe.

Well, as per the RBAC, the role "sysadmin" is meant to do all those jobs; it has nothing to do with not being safe. You can change the permission of the user to only developer and check if he still gets the same permissions.

> How can I limit a user's permission in project XYZ?

By associating a user with appropriate roles.

> I hope "test" can only see his own instances / run up instances / terminate his own instances
> And "hugo" has full permission on all instances.

Well, since "hugo" is project manager, he has the role to do all the things, as superuser.

Hugo Kou (tonytkdk) said :
#2

<global/project>
Well, once I change "test" to the <developer/sysadmin> role, this user can see all instances in this project, but could not run or terminate an instance.

So, does that mean only the sysadmin role & project manager can run/terminate instances? No other choice?

Best Vish Ishaya (vishvananda) said :
#3

nova-manage role add user sysadmin
and
nova-manage role add user sysadmin project
You need both. Then you can launch and terminate.
On Apr 26, 2011 11:20 PM, "Hugo Kou" <email address hidden> wrote:
> Question #154383 on OpenStack Compute (nova) changed:
> https://answers.launchpad.net/nova/+question/154383
>
> Status: Answered => Open
>
> Hugo Kou is still having a problem:
> <global/project>
> Well, once I change "test" to the <developer/sysadmin> role, this user can
> see all instances in this project, but could not run or terminate an
> instance.
>
> So, does that mean only the sysadmin role & project manager can
> run/terminate instances? No other choice?

Hugo Kou (tonytkdk) said :
#4

Hello, Vish

Yeah, man :) I did that at the beginning... and it's working.

But what I want is to let the "test" account manage only his own instances...

Once I add sysadmin for "test", this account can terminate other users' instances...

Hugo Kou (tonytkdk) said :
#5

Thanks Vish Ishaya, that solved my question.
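
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not nova's own code: a simplified model in which a role counts only when held both globally and in the project, the decision never looks at who launched the instance, and the one-project-per-user workaround restores isolation. The user "alice", the project names and instance ids are constructed, and treating "hugo" as manager of every per-user project is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    name: str
    manager: str                                   # project manager: full rights
    roles: dict = field(default_factory=dict)      # user -> set of project roles
    instances: dict = field(default_factory=dict)  # instance id -> launching user

def has_role(user, role, project, global_roles):
    """A role is effective only if held globally AND in the project (answer #3)."""
    if user == project.manager:
        return True
    return (role in global_roles.get(user, set())
            and role in project.roles.get(user, set()))

def can_terminate(user, instance_id, project, global_roles):
    """Role-only decision: the instance's launching user is never consulted."""
    return (instance_id in project.instances
            and has_role(user, "sysadmin", project, global_roles))

def shared_project():
    """Constructed data: project XYZ shared by 'test' and 'alice'."""
    global_roles = {"test": {"sysadmin"}, "alice": {"sysadmin"}}
    xyz = Project("XYZ", "hugo",
                  roles={"test": {"sysadmin"}, "alice": {"sysadmin"}},
                  instances={"i-1": "test", "i-2": "alice"})
    return xyz, global_roles

def per_user_projects():
    """Constructed data: the workaround, one project per user, hugo manages all."""
    global_roles = {"test": {"sysadmin"}, "alice": {"sysadmin"}}
    p_test = Project("test-proj", "hugo", {"test": {"sysadmin"}}, {"i-1": "test"})
    p_alice = Project("alice-proj", "hugo", {"alice": {"sysadmin"}}, {"i-2": "alice"})
    return p_test, p_alice, global_roles

if __name__ == "__main__":
    xyz, g = shared_project()
    print("shared: test terminates alice's i-2:", can_terminate("test", "i-2", xyz, g))
    p_test, p_alice, g = per_user_projects()
    print("split:  test terminates alice's i-2:", can_terminate("test", "i-2", p_alice, g))
    print("split:  hugo terminates alice's i-2:", can_terminate("hugo", "i-2", p_alice, g))
```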