"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/source/admin/identity-concepts.rst" between
keystone-18.0.0.tar.gz and keystone-19.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Wallaby" series (latest release).

identity-concepts.rst  (keystone-18.0.0):identity-concepts.rst  (keystone-19.0.0)
skipping to change at line 125
.. code-block:: console .. code-block:: console
$ openstack role create compute-user $ openstack role create compute-user
.. note:: .. note::
Individual services assign meaning to roles, typically through Individual services assign meaning to roles, typically through
limiting or granting access to users with the role to the limiting or granting access to users with the role to the
operations that the service supports. Role access is typically operations that the service supports. Role access is typically
configured in the service's ``policy.json`` file. For example, configured in the service's ``policy.yaml`` file. For example,
to limit Compute access to the ``compute-user`` role, edit the to limit Compute access to the ``compute-user`` role, edit the
Compute service's ``policy.json`` file to require this role for Compute service's ``policy.yaml`` file to require this role for
Compute operations. Compute operations.
The Identity service assigns a project and a role to a user. You might The Identity service assigns a project and a role to a user. You might
assign the ``compute-user`` role to the ``alice`` user in the ``acme`` assign the ``compute-user`` role to the ``alice`` user in the ``acme``
project: project:
.. code-block:: console .. code-block:: console
$ openstack role add --project acme --user alice compute-user $ openstack role add --project acme --user alice compute-user
A user can have different roles in different projects. For example, Alice A user can have different roles in different projects. For example, Alice
might also have the ``admin`` role in the ``Cyberdyne`` project. A user might also have the ``admin`` role in the ``Cyberdyne`` project. A user
can also have multiple roles in the same project. can also have multiple roles in the same project.
The ``/etc/[SERVICE_CODENAME]/policy.json`` file controls the The ``/etc/[SERVICE_CODENAME]/policy.yaml`` file controls the
tasks that users can perform for a given service. For example, the tasks that users can perform for a given service. For example, the
``/etc/nova/policy.json`` file specifies the access policy for the ``/etc/nova/policy.yaml`` file specifies the access policy for the
Compute service, the ``/etc/glance/policy.json`` file specifies Compute service, the ``/etc/glance/policy.yaml`` file specifies
the access policy for the Image service, and the the access policy for the Image service, and the
``/etc/keystone/policy.json`` file specifies the access policy for ``/etc/keystone/policy.yaml`` file specifies the access policy for
the Identity service. the Identity service.
The default ``policy.json`` files in the Compute, Identity, and The default ``policy.yaml`` files in the Compute, Identity, and
Image services recognize only the ``admin`` role. Any user with Image services recognize only the ``admin`` role. Any user with
any role in a project can access all operations that do not require the any role in a project can access all operations that do not require the
``admin`` role. ``admin`` role.
To restrict users from performing operations in, for example, the To restrict users from performing operations in, for example, the
Compute service, you must create a role in the Identity service and Compute service, you must create a role in the Identity service and
then modify the ``/etc/nova/policy.json`` file so that this role then modify the ``/etc/nova/policy.yaml`` file so that this role
is required for Compute operations. is required for Compute operations.
For example, the following line in the ``/etc/cinder/policy.json`` For example, the following line in the ``/etc/cinder/policy.yaml``
file does not restrict which users can create volumes: file does not restrict which users can create volumes:
.. code-block:: none .. code-block:: none
"volume:create": "", "volume:create": "",
If the user has any role in a project, he can create volumes in that If the user has any role in a project, he can create volumes in that
project. project.
To restrict the creation of volumes to users who have the To restrict the creation of volumes to users who have the
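Review bot: the rename from ``policy.json`` to ``policy.yaml`` is applied consistently to every path and file name in this block, but the example rule that follows ``.. code-block:: none`` is still written in JSON syntax: ``"volume:create": "",`` carries a trailing comma, which is valid inside a JSON object but not in a YAML mapping, so a reader copying it into ``/etc/cinder/policy.yaml`` would get a file that fails to parse. Suggest dropping the comma (``"volume:create": ""``) and tagging the snippet ``.. code-block:: yaml`` so the example matches the file type the prose now names. The same check applies to any further ``volume:create`` example in the cut-off sentence after this hunk.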
End of changes. 8 change blocks, 9 lines changed or deleted, 9 lines changed or added.
