Add service_type config info for access rules
The service_type config param is crucial to successfully use application credentials with access rules.

Closes-Bug: #1950464
Change-Id: I98d1cfcbd229f2939d900861f453efa996466c32
parent 65e3e33b6b
commit 3856cbf10d
@ -174,8 +174,47 @@ Access Rules
|
|||||||
============
|
============
|
||||||
|
|
||||||
In addition to delegating a subset of roles to an application credential, you
|
In addition to delegating a subset of roles to an application credential, you
|
||||||
may also delegate more fine-grained access control by using access rules. For
|
may also delegate more fine-grained access control by using access rules.
|
||||||
example, to create an application credential that is constricted to creating
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Application credentials with access rules require additional configuration
|
||||||
|
of each service that will use it. See below for details.
|
||||||
|
|
||||||
|
If application credentials with access rules are required, an OpenStack
|
||||||
|
service using keystonemiddleware to authenticate with keystone, needs to
|
||||||
|
define ``service_type`` in its configuration file. Following is an example for the
|
||||||
|
cinder V3 service:
|
||||||
|
|
||||||
|
.. code-block:: ini
|
||||||
|
|
||||||
|
[keystone_authtoken]
|
||||||
|
service_type = volumev3
|
||||||
|
|
||||||
|
For other OpenStack sevices, their types can be obtained using the OpenStack
|
||||||
|
client. For example:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ openstack service list -c Name -c Type
|
||||||
|
+-----------+-----------+
|
||||||
|
| Name | Type |
|
||||||
|
+-----------+-----------+
|
||||||
|
| glance | image |
|
||||||
|
| cinderv3 | volumev3 |
|
||||||
|
| cinderv2 | volumev2 |
|
||||||
|
| keystone | identity |
|
||||||
|
| nova | compute |
|
||||||
|
| neutron | network |
|
||||||
|
| placement | placement |
|
||||||
|
+-----------+-----------+
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Updates to the configuration files of a service require restart of the appropriate
|
||||||
|
services for the changes to take effect.
|
||||||
|
|
||||||
|
In order to create an example application credential that is constricted to creating
|
||||||
servers in nova, the user can add the following access rules:
|
servers in nova, the user can add the following access rules:
|
||||||
|
|
||||||
.. code-block:: console
|
.. code-block:: console
|
||||||
|
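Review bot: The added paragraph that introduces the ``openstack service list`` example misspells "services" as "sevices", and the new text never states outright that ``service_type`` must be set to the value from the Type column (``volumev3``) rather than the Name column (``cinderv3``). One sentence saying so would prevent the obvious mix-up. The first note's "See below for details" would be easier to act on if it named ``service_type`` in ``[keystone_authtoken]`` directly, and the section would benefit from describing what an operator sees when the option is missing, so the misconfiguration can be recognised. Three added lines ("define ``service_type`` in its configuration file. ...", "Updates to the configuration files ...", "In order to create an example application credential ...") run longer than the wrap width of the surrounding context lines and should be re-wrapped. The comma in "to authenticate with keystone, needs to" should be dropped.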