blob: 6642cbee763426f7238ad7fc5d4841c0cf928ac8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
This is a repository of the files/tools we are developping around
integrating the sevone (monitoring software) into RH-OSP.
This project includes several areas:
- Add policy files to the overcloud to restrict the 'readonly' role and prevent
update/create/delete operations.
- Add tooling (OBSOLETE since this will be done through node-payload in the
osp10 templates) to push/update policies on the overcloud.
- Provide a MOP (Method of procedure) to enable Sevone pre-requisites on
both the undercloud and overcloud. An ASCII version of the MOP is provided
in this repository.
This work on the 'readonly' role was a request of the VZW HQ Planning group.
Here is how it works:
On the undercloud, as the 'stack' user perform the following steps:
1) source stackrc
2) git clone https://gitlab.cee.redhat.com/vcojot/OSP-Readonly-Policies/tree/master
3) ./policydir/files/push_readonly_policies_to_overcloud.sh
4) source overcloudrc
5) openstack role create readonly
(this will auto-detect the controllers and push the appropriate policies)
To restrict a user, then simply do add the 'readonly' role to the user, do a:
openstack role add --project <tenant_name> --user <user_name> readonly
To lift the restrictions and re-enable modifications to the overcloud, do a:
openstack role remove --project <tenant_name> --user <user_name> readonly
|