[OpenStack Beginner’s Guide for Ubuntu 11.04] Role Based Access Control
Every nova user has a role associated with them. This role can be assigned when the account is created using “nova-manage add user…”, or later by the project manager, who edits the profile through the OpenStack Dashboard. The role can be either global or project-specific in scope. All access in OpenStack is governed by roles. Each role has a predefined set of operations permitted within the relevant scope (global or local).
Administrator (admin)
This is a project-based role. Users who are assigned the admin role at the time of creation have administrator rights for carrying out tasks such as:
- adding an instance
- removing an instance
- removing an image
- adding a key
IT security (itsec)
This is a global role. It permits role holders to quarantine instances.
Project Manager (projectmanager)
This is the default role for project owners. It permits the following tasks:
- adding available roles to a user associated with the project
- revoking roles from a specific user in the project
- adding an instance
- removing an instance
- removing an image
- adding a key
- managing network related operations
Network Administrator (netadmin)
A role which allows a particular user to carry out network-related operations such as:
- allocate publicly accessible IP addresses
- assign publicly accessible IP addresses
- create firewall rules
- modify firewall rules
Developer (developer)
This is a general purpose role that is assigned to users by default. This role can create and download keys.
Summary of role and permitted tasks for each role:
Roles | Global | Local | Key mgmt. | Instance mgmt. | Image mgmt. | Network mgmt. | Project mgmt. | Creating / Modifying Firewall Rules |
Developer | No | Yes | Yes | No | No | No | No | No |
Project Manager | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
IT Security | Yes | No | Yes | No | No | No | No | No |
Cloud Admin | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
Net Admin | No | No | No | No | No | No | No | Yes |
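As an added example (not part of the original guide and not Nova's own code), the Python below parses the summary table above, flags any role whose Global/Local flags are not exactly one "Yes", and reports capabilities a user's roles grant beyond what that user needs. The user names, the `needed` sets, and the assumption that a user's permissions are the union of the permissions of all roles held are illustrative assumptions.

```python
# Added example: the matrix is transcribed from this page's summary table.
TABLE = """\
Roles | Global | Local | Key mgmt. | Instance mgmt. | Image mgmt. | Network mgmt. | Project mgmt. | Creating / Modifying Firewall Rules |
Developer | No | Yes | Yes | No | No | No | No | No |
Project Manager | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
IT Security | Yes | No | Yes | No | No | No | No | No |
Cloud Admin | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
Net Admin | No | No | No | No | No | No | No | Yes |
"""
SCOPE_COLUMNS = ("Global", "Local")

def parse_matrix(text):
    """Return {role: {column: bool}} from the pipe-delimited table."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip()]
    header, matrix = rows[0][1:], {}
    for name, *cells in rows[1:]:
        if len(cells) != len(header) or set(cells) - {"Yes", "No"}:
            raise ValueError(f"malformed row for role {name!r}")
        matrix[name] = {col: cell == "Yes" for col, cell in zip(header, cells)}
    return matrix

def scope_problems(matrix):
    """Roles whose Global/Local flags are not exactly one 'Yes'."""
    return [r for r, row in matrix.items()
            if sum(row[c] for c in SCOPE_COLUMNS) != 1]

def effective(matrix, roles):
    """Assumption: a user's capabilities are the union over all roles held."""
    return {col for r in roles for col, ok in matrix[r].items()
            if ok and col not in SCOPE_COLUMNS}

def excess(matrix, assignments, needed):
    """Per user: capabilities granted by their roles but not in their stated need."""
    report = {}
    for user, roles in assignments.items():
        extra = effective(matrix, roles) - needed.get(user, set())
        if extra:
            report[user] = sorted(extra)
    return report

if __name__ == "__main__":
    m = parse_matrix(TABLE)
    # Constructed sample data: user names and needs are hypothetical.
    assignments = {"user1": ["Developer", "Net Admin"], "user2": ["Project Manager"]}
    needed = {"user1": {"Key mgmt.", "Creating / Modifying Firewall Rules"},
              "user2": {"Instance mgmt.", "Key mgmt."}}
    print("scope problems:", scope_problems(m))
    print("excess:", excess(m, assignments, needed))
```

A non-empty `excess` report is a prompt to pick a narrower role for that user or to split the duties across accounts.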
Role management is done using the “nova-manage role” command. Please refer to the section on OpenStack Commands for more details.
Examples:
Add role to a user
nova-manage role add user1 netadmin
Remove a role from a particular user
nova-manage role remove user1 netadmin
I think there are mistakes on this page. Is admin a global or project role? It's inconsistent. Where is the netadmin row in the table? And which roles can create/modify security groups and firewall rules? Thanks.
Dean
May 20, 2011 at 11:15 am
Hi Dean,
Admin is a Project based role.
Thanks for mentioning the missing netadmin row; it has now been added. Netadmin is responsible for the management of firewalls and security groups.
Thanks,
Atul
koolhead17
May 23, 2011 at 12:49 pm
What are the differences between “Admin Role” and “Cloud Admin”?
Bui Thanh
September 10, 2013 at 1:14 pm