Configuring API access policies

updated: 2018-10-25 17:26

Limit Environment Specific Content

Operating Systems

CentOS
RHEL

Branches

Install from stable branch
Install from Newton branch
Install from Ocata branch

RHEL Registration Types

Portal
Satellite

Environments

Baremetal
Virtual

Features

Validations
Optional

Additional Overcloud Roles

Ceph

Upgrade Version

Upgrading Mitaka to Newton
Upgrading Newton to Ocata
Upgrading Ocata to Pike

Configuring API access policies¶

Each OpenStack service, has its own role-based access policies. They determine which user can access which resources in which way, and are defined in the service’s policy.json file.

Warning

While editing policy.json is supported, modifying the policy can have unexpected side effects and is not encouraged.

TripleO supports custom API access policies through parameters in TripleO Heat Templates. To enable this feature, you need to use some parameters to enable the custom policies on the services you want.

Creating an environment file and adding the following arguments to your openstack overcloud deploy command will do the trick:

$ cat ~/nova-policies.yaml
parameter_defaults:
  NovaApiPolicies: { nova-context_is_admin: { key: 'compute:get_all', value: '' } }

-e nova-policies.yaml

In this example, we allow anyone to list Nova instances, which is very insecure but can be done with this feature.

updated: 2018-10-25 17:26

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.

Configuring API access policies

Configuring API access policies¶

tripleo-docs 0.0.1.dev980