CSS Corp Open Source Services

[OpenStack Beginner’s Guide for Ubuntu 11.04] Role Based Access Control

with 3 comments

Every nova user has a role associated with him. This role can be assigned at the time of creation of the account using “nova-manage add user…” or by editing the profile later using the Openstack Dashboard by the project manager. The role can be either global or project specific in scope. All access in Openstack is governed by roles. Each role has a predefined set of operations permitted within the relevant scope(global or local)

Administrator (admin)

This is a project based role. Users who are created with admin roles at time of creation. They enjoy the rights as a administrator for carrying out tasks such as

  • adding an instance
  • removing an instance
  • removing an image
  • adding a key

IT security (itsec)

This is a global role. It permits role holders to quarantine instances.

Project Manager (projectmanager)

This is the default role for project owners. It permits the following tasks:

  • adding available roles to user associated in project
  • revoking provided roles to a specific user in the project.
  • adding an instance
  • removing an instance
  • removing an image
  • adding a key
  • managing network related operations

Network Administrator (netadmin)

A role which allows particular user to carry out network related operations such as:

  • allocate publicly accessible IP addresses
  • assign publicly accessible IP addresses
  • create firewall rules
  • modify firewall rules

Developer (developer)

This is a general purpose role that is assigned to users by default. This role can create and download keys.

Summary of role and permitted tasks for each role:

Roles Global Local Key mgmt. Instance mgmt. Image mgmt. Network mgmt. Project mgmt. Creating / Modifying Firewall Rules
Developer No Yes Yes No No No No No
Project Manager No Yes Yes Yes Yes Yes Yes Yes
It Security Yes No Yes No No No No No
Cloud Admin Yes No Yes Yes Yes Yes Yes Yes
Net Admin No No No No No No No Yes

Role Management is done using “nova-manage role” command. Please refer to the section on OpenStack Commands for more details.


Add role to a user

nova-manage role add user1 netadmin

Remove a role from a particular user

nova-manage role remove user1 netadmin

3 Responses

Subscribe to comments with RSS.

  1. I think there are mistakes on this page. Is admin a global or project role? Its inconsistent. Where is the netadmin row in the table? And which roles can create/modify security groups and firewall rules? Thanks.


    May 20, 2011 at 11:15 am

    • Hi Dean,

      Admin is a Project based role.
      Thanks for mentioning about the missing netadmin row, it has now been added. Netadmin is responsible for the management of firewalls and Security groups.



      May 23, 2011 at 12:49 pm

  2. what are differences beetwen “Admin Role” ” Cloud Admin”?

    Bui Thanh

    September 10, 2013 at 1:14 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: