Applies to SUSE OpenStack Cloud 7

E Configuring Role Based Access Control (RBAC)

To limit users' access rights (or to define more fine-grained access rights), you can use Role Based Access Control (RBAC, only available with Keystone v3). In the example below, we will create a new role (ProjectAdmin). It allows users holding this role to add other users to the Member role on their own project and to remove them from it, but nothing beyond that.

To create a new role that can be assigned to a user-project pair, the following basic steps are needed:

  1. Create a custom policy.json file for the Keystone component. On the node where the keystone-server role is deployed, copy the file to /etc/keystone/CUSTOM_policy.json. For details, see Section E.1, “Editing policy.json”.

  2. Create a custom keystone_policy.json file for the Horizon component. On the node where the nova_dashboard-server role is deployed, copy the custom keystone_policy.json file to /srv/www/openstack-dashboard/openstack_dashboard/conf/ (default directory for policy files in Horizon). For details, see Section E.2, “Editing keystone_policy.json”.

  3. Make the Keystone component aware of the CUSTOM_policy.json file by editing and reapplying the Keystone barclamp. For details, see Section E.3, “Adjusting the Keystone Barclamp Proposal”.

  4. Make the Horizon component aware of the keystone_policy.json file by editing and reapplying the Horizon barclamp. For details, see Section E.4, “Adjusting the Horizon Barclamp Proposal”.

E.1 Editing policy.json

The policy.json file is located in /etc/keystone/ on the node where the keystone-server role is deployed.

  1. Copy /etc/keystone/policy.json and save it under a different name, for example CUSTOM_policy.json.

    Important: Use Different File Name

    If you use the same name as the original file, your custom file will be overwritten by the next package update.

  2. To edit the file, open it in an editor of your choice.

  3. To add the new role, enter the following two lines at the beginning of the file:

    {
      "subadmin": "role:ProjectAdmin",
      "projectadmin": "rule:subadmin and project_id:%(target.project.id)s",
      [...]
  4. Adjust the other rules in the file accordingly:

      "identity:get_domain": "rule:admin_required or rule:subadmin",
      [...]
      "identity:get_project": "rule:admin_required or rule:projectadmin",
      [...]
      "identity:list_user_projects": "rule:admin_or_owner or rule:projectadmin",
      [...]
      "identity:update_project": "rule:admin_required or rule:projectadmin",
      [...]
      "identity:get_user": "rule:admin_required or rule:projectadmin",
      "identity:list_users": "rule:admin_required or rule:subadmin",
      [...]
      "identity:list_groups": "rule:admin_required or rule:subadmin",
      [...]
      "identity:list_roles": "rule:admin_required or rule:subadmin",
      [...]
      "identity:list_grants": "rule:admin_required or (rule:subadmin and project_id:%(target.project.id)s)",
      "identity:create_grant": "rule:admin_required or (rule:subadmin and project_id:%(target.project.id)s and 'Member':%(target.role.name)s)",
      "identity:revoke_grant": "rule:admin_required or (rule:subadmin and project_id:%(target.project.id)s and 'Member':%(target.role.name)s)",
      [...]
      "identity:list_role_assignments": "rule:admin_required or rule:subadmin",
  5. Save the changes.

  6. On the node where the keystone-server role is deployed, copy the file to /etc/keystone/CUSTOM_policy.json. Usually, the keystone-server role is deployed to a Control Node (or to a cluster, if you use a High Availability setup).
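The rule syntax used in steps 3 and 4 above (role:, rule:, project_id:%(target.project.id)s, 'Member':%(target.role.name)s) is evaluated by oslo.policy inside Keystone. The following Python script is an added example, not part of this documentation or of Keystone: it implements the same subset of the rule language so that the ProjectAdmin rules can be tried offline before the barclamp is reapplied. The CUSTOM_POLICY excerpt, the project IDs and the simplified admin_required definition are constructed for the example. The rules in keystone_policy.json (Section E.2) use the identical syntax, so the same evaluator applies to them.

```python
"""Added example (not from the SUSE documentation or from Keystone): an offline
evaluator for the subset of the oslo.policy rule language used in the custom
policy.json above, so you can check what the ProjectAdmin rules allow before
reapplying the barclamp. Real enforcement is done by oslo.policy in Keystone."""
import json
import re

# Constructed excerpt of CUSTOM_policy.json. "admin_required" is simplified to
# "role:admin" here; the file shipped with Keystone defines it differently.
CUSTOM_POLICY = json.loads(r'''{
  "admin_required": "role:admin",
  "subadmin": "role:ProjectAdmin",
  "projectadmin": "rule:subadmin and project_id:%(target.project.id)s",
  "identity:create_grant": "rule:admin_required or (rule:subadmin and project_id:%(target.project.id)s and 'Member':%(target.role.name)s)"
}''')

# Grouping parentheses are tokens; the "(...)" of a "%(target.x)s" is not.
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+(?:\([^()]*\)[^\s()]*)*")


def parse_rule(text):
    """Rule -> ('or', l, r) / ('and', l, r) / ('check', kind, match) / ('true',)."""
    tokens = _TOKEN_RE.findall(text)
    if not tokens:
        return ("true",)                          # empty rule: always allowed
    peek = lambda: tokens[0] if tokens else None  # tokens.pop(0) consumes

    def parse_or():                               # 'and' binds tighter than 'or'
        node = parse_and()
        while peek() == "or":
            tokens.pop(0)
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_atom()
        while peek() == "and":
            tokens.pop(0)
            node = ("and", node, parse_atom())
        return node

    def parse_atom():
        tok = tokens.pop(0)
        if tok == "(":
            node = parse_or()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses in rule: " + text)
            return node
        kind, _, match = tok.partition(":")
        return ("check", kind, match)

    tree = parse_or()
    if tokens:
        raise ValueError("trailing tokens in rule: " + text)
    return tree


def enforce(policy, rule_name, creds, target):
    """True if `creds` (roles, project_id, ...) may perform `rule_name` on
    `target`, a dict with flattened keys such as "target.project.id"."""
    if rule_name not in policy:
        return False                              # undefined rule: denied

    def ev(node):
        if node[0] == "true":
            return True
        if node[0] == "or":
            return ev(node[1]) or ev(node[2])
        if node[0] == "and":
            return ev(node[1]) and ev(node[2])
        _, kind, match = node
        if match.startswith("%(") and match.endswith(")s"):
            if match[2:-2] not in target:
                return False                      # missing attribute: deny
            match = target[match[2:-2]]
        if kind == "rule":
            return enforce(policy, match, creds, target)
        if kind == "role":                        # case-insensitive, like RoleCheck
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        if len(kind) > 1 and kind[0] == kind[-1] == "'":
            return kind[1:-1] == match            # quoted literal, e.g. 'Member'
        return kind in creds and creds[kind] == match   # credential attribute

    return ev(parse_rule(policy[rule_name]))


def undefined_rule_references(policy):
    """Lint: rule:X names the file never defines; each evaluates to False and
    silently locks out the users the rule was meant to allow."""
    return sorted({ref for text in policy.values()
                   for ref in re.findall(r"rule:([^\s()]+)", text)
                   if ref not in policy})


def demo():
    """Worked scenarios for the ProjectAdmin role: scenario name -> allowed."""
    pa = {"roles": ["ProjectAdmin"], "project_id": "proj-a"}
    admin = {"roles": ["admin"], "project_id": "proj-x"}
    tgt = lambda project, role: {"target.project.id": project, "target.role.name": role}
    grant = lambda who, target: enforce(CUSTOM_POLICY, "identity:create_grant", who, target)
    return {"pa grants Member on own project": grant(pa, tgt("proj-a", "Member")),
            "pa grants Member on other project": grant(pa, tgt("proj-b", "Member")),
            "pa grants admin on own project": grant(pa, tgt("proj-a", "admin")),
            "cloud admin grants anywhere": grant(admin, tgt("proj-b", "Member"))}
```

Call demo() to see which grants a ProjectAdmin of proj-a can make: only the Member role, and only on proj-a. Note that a missing target attribute denies rather than matching "nothing equals nothing", and that undefined_rule_references() flags a rule:X whose target rule was never defined; oslo.policy treats such a reference as a deny, not as an error, so a typo in a rule name shows up as locked-out users rather than as a failed service start.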

E.2 Editing keystone_policy.json

By default, the keystone_policy.json file is located in /srv/www/openstack-dashboard/openstack_dashboard/conf/ on the node where the nova_dashboard-server role is deployed. It is similar (but not identical) to policy.json and defines which actions the user with a certain role is allowed to execute in Horizon. If the user is not allowed to execute a certain action, the OpenStack Dashboard will show an error message.

  1. Copy /srv/www/openstack-dashboard/openstack_dashboard/conf/keystone_policy.json and save it under a different name, for example CUSTOM_keystone_policy.json.

    Important: Use Different File Name

    If you use the same name as the original file, your custom file will be overwritten by the next package update.

  2. To edit the file, open it in an editor of your choice.

  3. To add the new role, enter the following two lines at the beginning of the file:

    {
      "subadmin": "role:ProjectAdmin",
      "projectadmin": "rule:subadmin and project_id:%(target.project.id)s",
      [...]
  4. Adjust the other rules in the file accordingly:

      "identity:get_project": "rule:admin_required or rule:projectadmin",
      [...]
      "identity:list_user_projects": "rule:admin_or_owner or rule:projectadmin",
      [...]
      "identity:get_user": "rule:admin_required or rule:projectadmin",
      "identity:list_users": "rule:admin_required or rule:subadmin",
      [...]
      "identity:list_roles": "rule:admin_required or rule:subadmin",
      [...]
      "identity:list_role_assignments": "rule:admin_required or rule:subadmin",
  5. Save the changes and copy the file to /srv/www/openstack-dashboard/openstack_dashboard/conf/CUSTOM_keystone_policy.json on the node where the nova_dashboard-server role is deployed.

E.3 Adjusting the Keystone Barclamp Proposal

  1. Log in to the Crowbar Web interface.

  2. Select Barclamps › All barclamps.

  3. Go to the Keystone barclamp and click Edit.

  4. In the Attributes section, click Raw. This shows the complete configuration file and allows you to edit it directly.

  5. Adjust the policy_file parameter to point to the CUSTOM_policy.json file. For example:

    {
      [...]
      "policy_file": "mypolicy.json",
  6. Save and Apply the changes to the Keystone barclamp.

E.4 Adjusting the Horizon Barclamp Proposal

  1. Log in to the Crowbar Web interface.

  2. Select Barclamps › All barclamps.

  3. Go to the Horizon barclamp and click Edit.

  4. In the Attributes section, click Raw. This shows the complete configuration file and allows you to edit it directly.

  5. If needed, adjust the policy_file_path parameter to point to the directory where you copied the newly added CUSTOM_keystone_policy.json file. By default, its value is an empty string—this means that the default directory will be used.

  6. Enter the new file's name as the value of the identity parameter within the policy_file section:

    {
      "policy_file_path": "",
      "policy_file": {
        "identity": "mykeystone_policy.json",
        "compute": "nova_policy.json",
        "volume": "cinder_policy.json",
        "image": "glance_policy.json",
        "orchestration": "heat_policy.json",
        "network": "neutron_policy.json",
        "telemetry": "ceilometer_policy.json"
  7. Save and Apply the changes to the Horizon barclamp.
