You can add a policy section to control the RBAC policy for specific services.

Each OpenStack service, such as identity, compute, networking, and so on, has its own role-based access policies. These policies determine which objects you can access, and they are defined in the service's policy configuration file. In a VMware Integrated OpenStack deployment, you edit the corresponding service's policy configuration with the viocli update command.
Note: In VIO 7.x, Keystone has default reader and member roles, but they have no effect by default. To use a role, you must reference it explicitly in the corresponding service's policy to meet your permission-control requirements. For more information about user and role management, see Keystone User and Role Management.


Use the viocli update <service> command to add an RBAC policy for the specified service.

You can use project_id, user_id, domain_id, or role to create the user scoping conditions. Use the following operators to combine general scopes:
  • !: No user can perform the operation.
  • @ or "": Any user can perform the operation.
  • not, and, or: Operators for combining multiple scopes.
The following sample shows these operators used to combine general scopes:
    "alias_1": "is_admin:True or project_id:%(project_id)s"
    "alias_2": "role:reader"
    "alias_3": "other user scope definition"
    "operation_1": "!"
    "operation_2": "@"
    "operation_3": "rule:alias_1 or (rule:alias_2 and rule:alias_3)"


You can define rules such as power_user and read_user in your policy configuration file. In the following example, read_user can call the server index, show, and detail APIs, but it cannot create, delete, start, or stop Nova instances.
    # some configurations for VIO
    power_user: (role:member) and project_id:%(project_id)s
    read_user: (role:reader) and project_id:%(project_id)s
    os_compute_api:servers:detail: rule:read_user
    os_compute_api:servers:index: rule:read_user
    os_compute_api:servers:show: rule:read_user
    os_compute_api:servers:start: rule:power_user
    os_compute_api:servers:stop: rule:power_user
    os_compute_api:servers:create: rule:power_user
    os_compute_api:servers:delete: rule:power_user
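To check how rules like these resolve before you push them with viocli update, the following Python evaluator implements the rule grammar described above: !, @ or "", rule:, role:, and key:value or key:%(attr)s checks, combined with not, and, or, and parentheses. It is an added example, not VIO code and not the oslo.policy library that the services actually use. It loads the power_user and read_user fragment from the example above and reports which server operations a token may call; the project ids and role lists used with it are constructed test data.

```python
import re

# A token is "(", ")", or one check such as role:reader or project_id:%(project_id)s;
# the trailing group keeps the parentheses of %(attr)s inside a single check token.
_TOKEN = re.compile(r"\(|\)|[^\s()]+(?:\([^\s()]*\)[^\s()]*)*")
SERVER_OPS = ("detail", "index", "show", "start", "stop", "create", "delete")


class PolicyError(ValueError):
    """A rule string that does not parse."""


def _parse(rule):
    """Parse one rule string into a nested tuple. Precedence: not > and > or."""
    tokens = _TOKEN.findall(rule)
    if not tokens:                        # "" means any user may perform it
        return ("true",)

    def primary():
        tok = tokens.pop(0) if tokens else None
        if tok is None or tok == ")":
            raise PolicyError(f"expected a check in {rule!r}")
        if tok == "(":
            node = disjunction()
            if not tokens or tokens.pop(0) != ")":
                raise PolicyError(f"missing ')' in {rule!r}")
            return node
        if tok == "not":
            return ("not", primary())
        if tok == "!":                    # nobody may perform the operation
            return ("false",)
        if tok in ("@", '""'):            # anybody may perform the operation
            return ("true",)
        if ":" not in tok:
            raise PolicyError(f"malformed check {tok!r} in {rule!r}")
        kind, match = tok.split(":", 1)
        return (kind, match) if kind in ("rule", "role") else ("generic", kind, match)

    def conjunction():
        node = primary()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            node = ("and", node, primary())
        return node

    def disjunction():
        node = conjunction()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            node = ("or", node, conjunction())
        return node

    tree = disjunction()
    if tokens:
        raise PolicyError(f"unexpected {tokens[0]!r} in {rule!r}")
    return tree


class Enforcer:
    def __init__(self, policy):
        self.rules = {name: _parse(text) for name, text in policy.items()}

    def enforce(self, rule_name, creds, target):
        """True if the caller described by creds may perform rule_name on target."""
        sub = self.rules.get(rule_name)   # an undefined rule denies, as in oslo.policy
        return sub is not None and self._eval(sub, creds, target)

    def _eval(self, node, creds, target):
        op = node[0]
        if op in ("true", "false"):
            return op == "true"
        if op == "not":
            return not self._eval(node[1], creds, target)
        if op in ("and", "or"):
            combine = all if op == "and" else any
            return combine(self._eval(n, creds, target) for n in node[1:])
        if op == "rule":
            return self.enforce(node[1], creds, target)
        if op == "role":                  # role names compare case-insensitively
            return node[1].lower() in (r.lower() for r in creds.get("roles", []))
        _, key, match = node              # generic key:value; %(attr)s reads the target
        attr = re.fullmatch(r"%\((\w+)\)s", match)
        if attr:                          # a target attribute that is absent denies
            match = str(target[attr.group(1)]) if attr.group(1) in target else None
        return key in creds and str(creds[key]) == match


# The page's policy fragment, transcribed to a dict (the YAML maps to it 1:1).
VIO_SERVERS_POLICY = {
    "power_user": "(role:member) and project_id:%(project_id)s",
    "read_user": "(role:reader) and project_id:%(project_id)s",
    **{f"os_compute_api:servers:{op}": "rule:read_user" for op in SERVER_OPS[:3]},
    **{f"os_compute_api:servers:{op}": "rule:power_user" for op in SERVER_OPS[3:]},
}


def allowed_server_ops(creds, target, policy=VIO_SERVERS_POLICY):
    """Return the set of servers operations that creds may perform on target."""
    enforcer = Enforcer(policy)
    return {op for op in SERVER_OPS
            if enforcer.enforce(f"os_compute_api:servers:{op}", creds, target)}
```

Running allowed_server_ops with a reader token scoped to the target's project returns only detail, index, and show; the same token against a server in another project returns nothing, which is the project_id:%(project_id)s scoping at work. One point the evaluator makes visible: power_user grants only the mutating calls, so a token that carries member but not reader could not list servers. Keystone's default implied roles make member imply reader (and admin imply member), so a member token normally lists both roles and the combined rules behave as the example intends. The evaluator leaves out oslo.policy features such as scope_type enforcement and deprecated-rule handling, so use it to reason about a fragment and confirm the real behaviour against the policy.yaml pulled from the service pod.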

Review the full policies:

First find the service pod, then review the content of its policy file. The following commands show the full Nova policy:

# osctl get pod | grep nova-api-osapi
nova-api-osapi-7d7978fb44-b24rl                                   2/2     Running     0          3d23h
# osctl exec -it nova-api-osapi-7d7978fb44-b24rl /bin/bash
Defaulting container name to nova-osapi.
Use 'kubectl describe pod/nova-api-osapi-7d7978fb44-b24rl -n openstack' to see all of the containers in this pod.
[root@nova-api-osapi-7d7978fb44-b24rl /]# cat /etc/nova/policy.yaml
os_compute_api:os-simple-tenant-usage:discoverable: '@'

For more information about the policies of the different services, see the following OpenStack community documents:

Keystone: Keystone Policy

Nova: Nova Policy

Cinder: Cinder Policy

Glance: Glance Policy

Neutron: Neutron Policy