> What is “role”? It is a little bit confusing because it has the name “admin”. Which roles can we use except admin? What permissions can they give to the user?
A role is an identifying mark of the user. A user can be associated with projects (tenants) with different roles. As for the permissions of each user-role-tenant mapping in each service, they are defined in the authorization middleware in the OpenStack service's pipeline. Basically, the role means nothing until you define it in the authorization middleware (Keystone Auth in the case of Keystone). And the authorization middleware of the OpenStack components is almost independent for each service.

[image: inline image 1]

Since you are asking about the Swift & Keystone integration, here's how things work. The user gets a token and the Swift storage endpoint from Keystone, then uses the token to access its associated account in Swift. The mapping of Swift account and Keystone is . Like AUTH_b1234567890. The request routes to the keystone middleware, which validates the existence of the incoming token with the Keystone server. If it exists, it pulls the full info of this token. The info includes the user-role-tenant mapping. After that, the Swift auth middleware determines what kind of permission the token has to the requested resource.

In Keystone, you can specify two types of roles only: the operator or reseller_admin. If the user has an operator role of a project, the user can do anything to the relevant Swift account. As for the reseller_admin, the user can access any account that is prefixed with `KEY_` in the Swift cluster.

For your scenario:

> reader - can read from the next containers: “video”, “audio”, “subtitles”, “photos”

The user should not have any role in the operator or reseller list. This requires additional logic to do container/account ACLs for keystone users.

> media_manager - can do anything in the next containers: “video”, “audio”, “subtitles”, “photos”

The user must have an operator role.

> crypt_manager - can not do anything in Swift but can get tokens directly from keystone (it is for other usage).

No available roles reflect to operator/reseller_admin in the keystone middleware.

> But what does this role mean?
> How to set some permissions on this role (i.e. if I want to set read-only permission for all in swift but write only for some containers?)

> What should we specify in a region-id?

Which Keystone version are you using? If the region ID is available in your version, you can query it from the API or DB. If you are not going to have multiple regions, you can try to ignore it by using the default one.

> What should we specify in admin, public, internal url? What do they mean?

You can configure 3 sets of service endpoints for a single keystone endpoint. They are admin/public/internal. All three will be returned to the client and the client can pick up the one it wants to access. This concept is designed for users from different scopes. Internal might be the IP in the DMZ. Public would be the normal one for the network where end users can hit your service. You can define admin for another network segment or FQDN. It's a flexible design. Most client tools grab the public one as far as I know.

Regards // Hugo

2016-09-22 18:28 GMT+08:00 Alexandr Porunov <alexandr.poru...@gmail.com>:
> Hello,
>
> I have installed Swift and Keystone. Now I want to create several users
> with different permissions:
>
> reader - can read from the next containers: "video", "audio", "subtitles",
> "photos"
> media_manager - can do anything in the next containers: "video", "audio",
> "subtitles", "photos"
> crypt_manager - can not do anything in Swift but can get tokens directly
> from keystone (it is for other usage).
>
> There are a lot of things in keystone (user, role, project, service,
> endpoint, region-id, admin-url, public-url, internal-url) and it is a little
> bit confusing. Can somebody explain to me how to configure such users with
> those roles?
>
> I haven't bootstrapped the keystone, so I don't have the admin role yet. I am
> worried about security with an administrator user. Do we need to define it?
> I have read examples which say that first you have to bootstrap your
> keystone and it will create the admin user with the admin role:
>
> keystone-manage bootstrap --bootstrap-password s3cr3t
>
> Also the full command for defining all things is:
>
> keystone-manage bootstrap \
> --bootstrap-password s3cr3t \
> --bootstrap-username admin \
> --bootstrap-project-name admin \
> --bootstrap-role-name admin \
> --bootstrap-service-name keystone \
> --bootstrap-region-id RegionOne \
> --bootstrap-admin-url http://localhost:35357 \
> --bootstrap-public-url http://localhost:5000 \
> --bootstrap-internal-url http://localhost:5000
>
> What is "role"? It is a little bit confusing because it has the name "admin".
> Which roles can we use except admin? What permissions can they give to the
> user?
> Also we can create additional roles:
> keystone role-create --name my_new_role
>
> But what does this role mean? How to set some permissions on this role (i.e. if
> I want to set read-only permission for all in swift but write only for some
> containers?)
>
> What should we specify in a region-id?
>
> What should we specify in admin, public, internal url? What do they mean?
>
> Sorry for a lot of questions
>
> Sincerely,
> Alexandr
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
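To make the point of the reply above concrete (a Keystone role carries no permission by itself; Swift's keystoneauth middleware decides what it means via operator_roles, reseller_admin_role and container ACLs), here is an added example that is not part of this thread and not Swift's own code. It is a Python model of that decision written for this page. The `[filter:keystoneauth]` fragment, the account name and the token contents are constructed; `operator_roles`, `reseller_admin_role` and `reseller_prefix` are real keystoneauth options, while the authorization logic is a deliberate simplification (referrer `.r:` ACL entries are ignored, and the exact method/ACL matrix of the real middleware is reduced to read ACL for GET/HEAD and write ACL for object PUT/POST/DELETE).

```python
"""Model of how Swift's keystoneauth middleware turns Keystone roles into
Swift permissions. Illustrative code for this thread, not Swift's own.
Option names are real keystoneauth options; the decision logic and the
sample data below are constructed simplifications."""
import configparser
from dataclasses import dataclass

# Constructed proxy-server.conf fragment. media_manager is added to the
# operator roles so it gets full control of its own project's account.
PROXY_CONF = """
[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator, media_manager
reseller_admin_role = ResellerAdmin
reseller_prefix = AUTH_
"""

READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"PUT", "POST", "DELETE"}


@dataclass(frozen=True)
class AuthConfig:
    operator_roles: frozenset
    reseller_admin_role: str
    reseller_prefix: str


@dataclass(frozen=True)
class TokenInfo:
    """User/project/role mapping the keystone middleware hands down after
    validating the token against Keystone (constructed for the example)."""
    user_id: str
    user_name: str
    project_id: str
    project_name: str
    roles: frozenset


@dataclass(frozen=True)
class Container:
    read_acl: str = ""   # X-Container-Read
    write_acl: str = ""  # X-Container-Write


def load_config(text):
    """Read the keystoneauth options from a proxy-server.conf fragment."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["filter:keystoneauth"]
    ops = sec.get("operator_roles", "admin, swiftoperator")
    return AuthConfig(
        operator_roles=frozenset(r.strip().lower() for r in ops.split(",") if r.strip()),
        reseller_admin_role=sec.get("reseller_admin_role", "ResellerAdmin").lower(),
        reseller_prefix=sec.get("reseller_prefix", "AUTH_"),
    )


def parse_acl(acl):
    """Split a container ACL header into entries; .r: referrer rules are out of scope."""
    return [e.strip().lower() for e in acl.split(",")
            if e.strip() and not e.strip().startswith(".r:")]


def acl_matches(entries, token):
    """An entry matches if it names the user (project:user, * wildcards allowed)
    or if it is simply one of the user's Keystone role names."""
    identities = {s.lower() for s in (
        f"{token.project_id}:{token.user_id}", f"{token.project_id}:*",
        f"*:{token.user_id}", "*:*",
        f"{token.project_name}:{token.user_name}", f"{token.project_name}:*",
        f"*:{token.user_name}")}
    roles = {r.lower() for r in token.roles}
    return any(e in identities or e in roles for e in entries)


def authorize(cfg, token, method, account, container=None, obj=None):
    """Decide one request; returns (allowed, reason). account is the Swift
    account name, e.g. AUTH_<project_id>."""
    roles = {r.lower() for r in token.roles}
    if not account.startswith(cfg.reseller_prefix):
        return False, "account not under our reseller prefix"
    # 1. reseller admin: every account under the prefix
    if cfg.reseller_admin_role in roles:
        return True, "reseller_admin"
    # 2. operator on the project's own account: full control
    if account == cfg.reseller_prefix + token.project_id and roles & cfg.operator_roles:
        return True, "operator"
    # 3. everyone else only through container ACLs, never at account level
    if container is None:
        return False, "account-level operations need an operator role"
    if method in READ_METHODS and acl_matches(parse_acl(container.read_acl), token):
        return True, "read ACL"
    if method in WRITE_METHODS and obj is not None and acl_matches(parse_acl(container.write_acl), token):
        return True, "write ACL"
    return False, "no matching role or ACL"


def scenario():
    """The three users from the thread against the 'video' container."""
    cfg = load_config(PROXY_CONF)
    acct = "AUTH_b1234567890"
    video = Container(read_acl="reader")  # an operator set: swift post -r reader video
    reader = TokenInfo("u1", "alice", "b1234567890", "media", frozenset({"reader"}))
    manager = TokenInfo("u2", "bob", "b1234567890", "media", frozenset({"media_manager"}))
    crypt = TokenInfo("u3", "carol", "b1234567890", "media", frozenset({"crypt_manager"}))
    return {
        "reader_get": authorize(cfg, reader, "GET", acct, video, "clip.mp4")[0],
        "reader_put": authorize(cfg, reader, "PUT", acct, video, "clip.mp4")[0],
        "manager_put": authorize(cfg, manager, "PUT", acct, video, "clip.mp4")[0],
        "manager_create_container": authorize(cfg, manager, "PUT", acct, Container())[0],
        "crypt_get": authorize(cfg, crypt, "GET", acct, video, "clip.mp4")[0],
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The shape to notice: `crypt_manager` is a perfectly valid Keystone role and its holder can obtain tokens, yet every Swift request is denied because nothing in keystoneauth refers to it. `reader` likewise means nothing until an operator of the project writes it into the container's read ACL (in a real deployment `swift post -r reader video`, after `openstack role add --project <project> --user <user> reader` in Keystone); `media_manager` only becomes powerful because it was listed in `operator_roles`, and that grant is account-wide, not per container, so it cannot by itself be narrowed to the four containers named in the question.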