Bug 1084296
| Summary: | [Doc][RFE][CAG]: Implement RBAC support for volume | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Deepti Navale <dnavale> |
| Component: | doc-Configuration_Reference_Guide | Assignee: | Deepti Navale <dnavale> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Don Domingo <ddomingo> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | aberezin, ajeain, aortega, iovadia, jpichon, markmc, mrunge, rhos-integ, yeylon |
| Target Milestone: | --- | Keywords: | Documentation, FutureFeature, Reopened, Triaged |
| Target Release: | 5.0 (RHEL 7) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| URL: | https://blueprints.launchpad.net/horizon/+spec/block-rbac | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1041965 | Environment: | |
| Last Closed: | 2014-09-04 13:06:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1041965 | | |
| Bug Blocks: | | | |

Comment 2
Julie Pichon
2014-06-03 10:07:27 UTC
Changing component to doc-Cloud_Administrator_Guide as this is for the deployers/administrators.

There is general information in the Cloud Admin guide about policy.json files for components along with examples for some of the components. Mentioning cinder_policy.json would be redundant.

=========
The /etc/[SERVICE_CODENAME]/policy.json file controls the tasks that users can perform for a given service. For example, /etc/nova/policy.json specifies the access policy for the Compute service, /etc/glance/policy.json specifies the access policy for the Image Service, and /etc/keystone/policy.json specifies the access policy for the Identity Service.
=========

The guide also mentions that the COMPONENT_policy.json file must match the service /etc/COMPONENT/policy.json policy file. Closing this as NOTABUG.

This is a bit different in the context of Horizon, as the dashboard carries duplicated policy files under /etc/openstack-dashboard/ for the other services (cinder_policy.json, keystone_policy.json, etc). The duplication is something we hope to get rid of in the future but for now there is no API for Horizon to access the other services' policy files. Horizon uses these files to determine what actions a user is allowed to perform in the web dashboard (e.g. hiding buttons if they're not). They're only used in the context of the web dashboard and the other services would still rely on their own /etc/[SERVICE_CODENAME]/policy.json to perform the check after Horizon sends them a command. The policy files Horizon provides by default are copies of the default policy.json provided by the other projects.

Julie, So what I understand here is that at first, both /etc/[SERVICE_CODENAME]/policy.json and /etc/openstack-dashboard/SERVICE_CODENAME_policy.json are the same but the admin can change the latter based on what they want a user to be able to access. So, how about I add a note to let users know the same?

------
Note - When OpenStack is first deployed, both /etc/[SERVICE_CODENAME]/policy.json and /etc/openstack-dashboard/SERVICE_CODENAME_policy.json are the same. But the admin can modify the policy.json files in /etc/openstack-dashboard to control the access based on a user's role.
------

That sounds good to me - is this going to be in a dashboard-specific section? I wonder if it may be worthwhile adding "on the web interface" in the last sentence to clarify that this will only affect the dashboard. (If only the policy in /etc/openstack-dashboard is modified, a user would still be able to perform the action using the CLI tools.)

Changing component to Configuration Reference Guide.
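
A drift check between a service's own policy file and the dashboard's copy, following the discussion above (an added example, not part of the bug report and not Horizon code). The two sample policies and the function name `policy_drift` are constructed for illustration.

```python
import json

# Constructed sample contents (not from the bug report).
# SERVICE_POLICY stands in for /etc/cinder/policy.json, the file the
# Block Storage API enforces on every request.
SERVICE_POLICY = """{
  "admin_api": "role:admin",
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "volume:create": "",
  "volume:delete": "rule:admin_or_owner",
  "volume:extend": "rule:admin_or_owner"
}"""

# DASHBOARD_POLICY stands in for /etc/openstack-dashboard/cinder_policy.json,
# which only decides what the web dashboard shows.
DASHBOARD_POLICY = """{
  "admin_api": "role:admin",
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "volume:create": "",
  "volume:delete": "rule:admin_api",
  "volume:get_all": ""
}"""


def policy_drift(service_json, dashboard_json):
    """Return the rules on which the dashboard copy disagrees with the service.

    Any entry here means the dashboard view and the enforced policy differ:
    a rule tightened only in the dashboard copy hides a button but does not
    stop the same call through the CLI or API.
    """
    service = json.loads(service_json)
    dashboard = json.loads(dashboard_json)
    drift = {"changed": {}, "only_in_service": [], "only_in_dashboard": []}
    for rule in sorted(set(service) | set(dashboard)):
        if rule not in dashboard:
            drift["only_in_service"].append(rule)
        elif rule not in service:
            drift["only_in_dashboard"].append(rule)
        elif service[rule] != dashboard[rule]:
            # (enforced by the service, shown by the dashboard)
            drift["changed"][rule] = (service[rule], dashboard[rule])
    return drift


if __name__ == "__main__":
    print(json.dumps(policy_drift(SERVICE_POLICY, DASHBOARD_POLICY), indent=2))
```

On a deployed system, pass the contents of /etc/cinder/policy.json and /etc/openstack-dashboard/cinder_policy.json instead of the sample strings.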