
Give 'novaobserver' keystone account rights to read everything, everywhere, write or change nothing
Closed, ResolvedPublic

Description

It's fairly straightforward to create an 'observer' role and edit the policy.json files to allow it to read things.

In Icehouse, though, roles are per-project which means we'd have to add the novaobserver user and role to every project and every newly created project.

In Kilo (or Liberty?) there are keystone 'domains' that allow privs to be assigned to groups of projects. So, deferring this pending an OpenStack upgrade.

Related Objects

Status      Subtype   Assigned   Task
Open                  None
Resolved              Andrew
Resolved              Krenair
Resolved              Andrew
Open                  None
Resolved              Andrew
Resolved              Andrew
Resolved              Andrew
Resolved              Andrew
Resolved              Andrew
Resolved              Andrew
Resolved              Andrew
Resolved              Andrew
Resolved              RobH
Resolved              Cmjohnson
Resolved              Cmjohnson
Resolved              Andrew
Resolved              Andrew
Resolved              Andrew
Resolved              Andrew
Declined              None
Resolved              Andrew
Resolved              Andrew
Resolved              Andrew
Resolved              Andrew

Event Timeline

Andrew claimed this task.
Andrew raised the priority of this task from to Needs Triage.
Andrew updated the task description.
Andrew added projects: Cloud-VPS, Cloud-Services.
Andrew added subscribers: Krenair, yuvipanda, Aklapper, Andrew.

Apparently "@" in a policy file allows universal access.
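The read-only 'observer' role from the task description, and the note above that "@" in a policy file grants universal access, can both be checked offline with a small policy evaluator. The following is an added example, not the policy.json from the linked changes and not oslo.policy itself: it implements only a subset of the keystone rule syntax (`role:X`, `rule:X`, generic `key:value`, `@` for always-allow, `!` for never-allow, `and`/`or`/`not`, no parentheses). The sample policy and the `WRITE_VERBS` heuristic used to classify targets as writes are constructed assumptions for the demonstration.

```python
"""Simplified evaluator for keystone/oslo.policy style policy.json rules.

Added example (assumption): covers a subset of the real rule language so an
'observer' role can be audited for read-only access without a running keystone.
"""
import json

# Constructed sample policy.json, not the real file from the task. Read
# targets are open to admins or observers; write targets stay admin-only.
# "@" on identity:list_domains shows the always-allow shorthand noted above.
SAMPLE_POLICY_JSON = """
{
    "admin_required": "role:admin or is_admin:1",
    "observer": "role:observer",
    "identity:list_projects": "rule:admin_required or rule:observer",
    "identity:get_project": "rule:admin_required or rule:observer",
    "identity:list_users": "rule:admin_required or rule:observer",
    "identity:create_project": "rule:admin_required",
    "identity:delete_project": "rule:admin_required",
    "identity:create_user": "rule:admin_required",
    "identity:list_domains": "@"
}
"""

# Heuristic (assumption): an action whose name contains one of these verbs
# is treated as a write for auditing purposes.
WRITE_VERBS = ("create", "update", "delete", "add", "remove", "set")


def load_policy(text=SAMPLE_POLICY_JSON):
    """Parse a policy.json document into a dict of target -> rule string."""
    return json.loads(text)


def _atom(token, rules, creds):
    """Evaluate a single rule token against the caller's credentials."""
    if token == "@":          # always allow
        return True
    if token == "!":          # never allow
        return False
    key, sep, value = token.partition(":")
    if not sep:
        raise ValueError("bad rule token: %r" % token)
    if key == "rule":         # reference to a named rule in the same file
        return evaluate(rules[value], rules, creds)
    if key == "role":         # role membership check
        return value in creds.get("roles", ())
    return str(creds.get(key, "")) == value   # generic credential match


def evaluate(expr, rules, creds):
    """'or' binds loosest, then 'and'; a term may carry a leading 'not'."""
    for disjunct in expr.split(" or "):
        conj_ok = True
        for term in disjunct.split(" and "):
            term = term.strip()
            negate = term.startswith("not ")
            if negate:
                term = term[4:].strip()
            result = _atom(term, rules, creds)
            if negate:
                result = not result
            if not result:
                conj_ok = False
                break
        if conj_ok:
            return True
    return False


def is_allowed(policy, target, creds):
    """True if the rule for `target` permits the given credentials."""
    return evaluate(policy[target], policy, creds)


def audit_observer(policy, creds):
    """Return (readable, writable) API targets the credentials may call.

    For a read-only observer the writable list is expected to be empty; any
    entry there (for example a target accidentally set to "@") is a finding.
    """
    readable, writable = [], []
    for target in policy:
        if ":" not in target:       # named helper rule, not an API action
            continue
        if not is_allowed(policy, target, creds):
            continue
        action = target.split(":", 1)[1]
        if any(verb in action for verb in WRITE_VERBS):
            writable.append(target)
        else:
            readable.append(target)
    return sorted(readable), sorted(writable)


if __name__ == "__main__":
    policy = load_policy()
    print("observer:", audit_observer(policy, {"roles": ["observer"]}))
    print("admin:", audit_observer(policy, {"roles": ["admin"]}))
```

Running the audit against each role before merging a policy change makes a stray "@" on a write target visible as a non-empty writable list for a credential with no roles at all, which is the failure mode to watch for when the observer credentials are meant to be public.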

Andrew triaged this task as Medium priority. Jul 14 2015, 5:25 PM
Andrew set Security to None.

Change 244215 had a related patch set uploaded (by Andrew Bogott):
Openstack: Added a custom keystone/policy.json

https://gerrit.wikimedia.org/r/244215

Change 244215 merged by Andrew Bogott:
Openstack: Added a custom keystone/policy.json

https://gerrit.wikimedia.org/r/244215

I just upgraded us to keystone v3 api, which should allow us to use domains.

Change 251151 had a related patch set uploaded (by Andrew Bogott):
Update keystone policy.json to allow the 'observer' role to observe.

https://gerrit.wikimedia.org/r/251151

Change 251151 merged by Andrew Bogott:
Update keystone policy.json to allow the 'observer' role to observe.

https://gerrit.wikimedia.org/r/251151

Note that I plan to make the creds for this user 100% public.

Would we want to allow labs instances to access keystone (or even designate)? Note that we currently allow them to connect to nova-api, though I don't think it'll let them do much without keystone access.

Andrew claimed this task.

This works!