Hide Forgot
1. Proposed title of this feature request Need heat policy to be configured to include a read-only role . 3. What is the nature and description of the request? Customer has requirement of read-only admin role for all core services . 4. Why does the customer need this? (List the business requirements here) A read-only admin user is necessary for customer environment . Additional info: The following bug is raised for keystone to add role . This role can be configured in policy file . Bug 1228474 - [RFE] Read only role for tenant access (edit) https://blueprints.launchpad.net/keystone/+spec/admin-readonly-role
Unfortunately this is a big can of worms. The problem with Keystone is that you cannot (securely) create a role with *less* privileges than the default. (This is because there are various ways for users to create a token that drops a role.) You can only reduce the default privileges and then create a role that has more privileges. So making a change like this to the default policy (either upstream or in RHOS) would break existing deployments (since users previously created with write access would lose it). This is not impossible, but it would have to be done upstream, with a lot of notice, to have a migration strategy, and preferably to be done in concert with all other OpenStack projects. That's unlikely to happen in the near term. The default policy is just that - a default. Customers can and should customise it to their particular requirements, and that is the approach that I would recommend here.
The upstream change that I described above as unlikely to happen in the near term was actually discussed at the OpenStack Design Summit and there was general agreement that it should take place, though not until at least the Ocata or P time frame (OSP 11/12). Just to be clear, we can and should make it possible for users to deploy customised policy files through Director. We can't make adding a read-only role the default without a comprehensive migration plan, which is now being co-ordinated upstream.