You can add a policy section to control the RBAC policy of specific services.
Each OpenStack service, such as Identity, Compute, and Networking, has its own role-based access policies. These policies determine which objects you can access, and they are defined in each service's policy configuration file. In a VMware Integrated OpenStack deployment, you must use the viocli update command to edit the policy configuration of the corresponding service.
Note: For VIO 7.x, Keystone has default reader and member roles. They are not functional by default: you must edit the policy of the corresponding service to use the roles explicitly and meet your permission control requirements. For more information about user and role management, see Keystone User and Role Management.
Syntax:
Use the viocli update <service> command to add RBAC policy for the specified service.
You can use project_id, user_id, domain_id, or role to create the user scoping conditions. Use the following operators to combine general scopes:
- !: No user can perform the operation.
- @ or "": Any user can perform the operation.
- not, and, or: Operators for combining multiple scopes.
The following sample shows the different operators for combining general scopes:
conf:
  policy:
    "alias_1": "is_admin:True or project_id:%(project_id)s"
    "alias_2": "role:reader"
    "alias_3": "other user scope definition"
    "operation_1": "!"
    "operation_2": "@"
    "operation_3": "rule:alias_1 or (rule:alias_2 and rule:alias_3)"
Example:
You can define rules such as power_user and read_user within your policy configuration file. For example, in the following code, read_user can call the server index, show, and detail APIs, but it cannot create, delete, start, or stop Nova instances.
conf:
  nova:
    vmware:
      # some configurations for VIO
  policy:
    power_user: (role:member) and project_id:%(project_id)s
    read_user: (role:reader) and project_id:%(project_id)s
    os_compute_api:servers:detail: rule:read_user
    os_compute_api:servers:index: rule:read_user
    os_compute_api:servers:show: rule:read_user
    os_compute_api:servers:start: rule:power_user
    os_compute_api:servers:stop: rule:power_user
    os_compute_api:servers:create: rule:power_user
    os_compute_api:servers:delete: rule:power_user
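To see how the operators and the power_user/read_user rules above resolve for a given token, here is an added Python model of the rule evaluation (written for this page, not VIO's or oslo.policy's own code). It assumes oslo.policy semantics: role:NAME checks the token's roles, attr:%(target_attr)s compares a credential attribute with the target object, and anything else is a literal comparison such as is_admin:True.

```python
import re

# Constructed policy table mirroring the page's Nova example; this added model assumes oslo.policy semantics.
POLICY = {
    "power_user": "(role:member) and project_id:%(project_id)s",
    "read_user": "(role:reader) and project_id:%(project_id)s",
    "os_compute_api:servers:show": "rule:read_user",
    "os_compute_api:servers:create": "rule:power_user",
}
TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")  # keeps %(project_id)s as one token

def _leaf(tok, creds, target):
    """One scope check: '!', '@', rule:NAME, role:NAME, attr:%(target_attr)s or attr:literal."""
    if tok in ("!", "@"):
        return tok == "@"
    key, _, value = tok.partition(":")
    if key == "rule":
        return evaluate(POLICY[value], creds, target)
    if key == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:  # credential attribute must equal the target's attribute (project scoping)
        return str(creds.get(key)) == str(target.get(m.group(1)))
    return str(creds.get(key)) == value  # literal comparison, e.g. is_admin:True

def evaluate(expr, creds, target):
    """expr := term ('or' term)*; term := factor ('and' factor)*; factor := 'not' factor | '(' expr ')' | leaf."""
    tokens = TOKEN.findall(expr) or ["@"]  # an empty rule string means '@'
    def factor():
        tok = tokens.pop(0)
        if tok == "not":
            return not factor()
        if tok == "(":
            val = disjunction()
            if tokens.pop(0) != ")":
                raise ValueError("unbalanced parentheses in: " + expr)
            return val
        return _leaf(tok, creds, target)
    def chain(sub, op, combine):  # right operand is parsed before combining, so no token is skipped
        val = sub()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            val = combine(sub(), val)
        return val
    def term(): return chain(factor, "and", lambda a, b: a and b)
    def disjunction(): return chain(term, "or", lambda a, b: a or b)
    result = disjunction()
    if tokens:  # a malformed rule must fail loudly rather than silently widen or narrow access
        raise ValueError("trailing tokens in: " + expr)
    return result
```

A reader-role token in the server's project passes os_compute_api:servers:show but fails os_compute_api:servers:create, and the same token fails show for a server in another project.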
Review the full policies:
You must find the service pod and then review the policy file content. Use the following commands to review the full Nova policy:
# osctl get pod | grep nova-api-osapi
nova-api-osapi-7d7978fb44-b24rl   2/2     Running   0          3d23h
# osctl exec -it nova-api-osapi-7d7978fb44-b24rl /bin/bash
Defaulting container name to nova-osapi.
Use 'kubectl describe pod/nova-api-osapi-7d7978fb44-b24rl -n openstack' to see all of the containers in this pod.
[root@nova-api-osapi-7d7978fb44-b24rl /]# cat /etc/nova/policy.yaml
os_compute_api:os-simple-tenant-usage:discoverable: '@'
......
For more information about policies for different services, see the following OpenStack community documents:
Keystone: Keystone Policy
Nova: Nova Policy
Cinder: Cinder Policy
Glance: Glance Policy
Neutron: Neutron Policy