Support for reader role: creation of a new doc

Minor grammar fixes.
Updated the commands line to use the standard ~(keystone_admin)]$.
Minor text updates.
Created the Keystone Account Roles doc.
Updtaded the doc toctree to add a new file.

Story: 2010149
Task: 46908

Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com>
Change-Id: I61f79ee8d5dca3410c8e5f155b8e820305176248
This commit is contained in:
Elaine Fonaro 2022-11-22 10:15:08 -03:00
parent 1a7cc09e6f
commit bfa44b173a
2 changed files with 100 additions and 0 deletions

View File

@ -0,0 +1,99 @@
.. _keystone-account-roles-64098d1abdc1:
======================
Keystone Account Roles
======================
In |prod|, 3 different keystone roles are supported: ``admin``, ``member``
and ``reader``.
Users with an ``admin`` role in the ``admin`` project can execute any action in the system.
Users with a ``reader`` role in the ``admin`` project have read-only access. They cannot
perform any changes in the system but can read any configuration. In
the |CLI|, commands with prefix or suffix, such as, ``list``, ``query``, ``show``
and ``summary`` get the configuration from the system, and are allowed for this
type of user, all other commands are denied. Some examples of |CLI| commands
executed by a user with ``reader`` role are shown below.
.. code-block:: none
~(keystone_admin)]$ system host-list
+-----+--------------+-------------+----------------+-------------+--------------+
| id | hostname | personality | administrative | operational | availability |
+-----+--------------+-------------+----------------+-------------+--------------+
| 1 | controller-0 | controller | unlocked | enabled | degraded |
+-----+--------------+-------------+----------------+-------------+--------------+
.. code-block:: none
~(keystone_admin)]$ system host-lock controller-0
Error: Forbidden
.. code-block:: none
~(keystone_admin)]$ fm alarm-summary
+-----------------+--------------+--------------+----------+
| Critical Alarms | Major Alarms | Minor Alarms | Warnings |
+-----------------+--------------+--------------+----------+
| 1 | 13 | 0 | 0 |
+-----------------+--------------+--------------+----------+
.. code-block:: none
~(keystone_admin)]$ fm event-suppress --alarm_id 100.103
Error: Forbidden.
**Exception**: all :command:`fm` read-only commands require ``reader`` role but there is no
project verification, so a user in a project different from ``admin`` may execute
them. Examples: :command:`alarm-list`, :command:`alarm-show`, :command:`alarm-summary`,
:command:`event-list`, :command:`event-show` and :command:`event-suppress-list`.
Currently, the ``member`` role is equivalent to ``reader`` role, but this may change
in the future, allowing a user with ``member`` role to execute some actions that
change the system configuration.
The following sections describe how to create users with specific keystone
roles in |prod|.
----------------------------------------------------
Creation of user with specific role for Horizon only
----------------------------------------------------
Use the following commands to add a new user named ``readeruser`` with password
"Passw0rd*" and role ``reader``:
.. code-block:: none
~(keystone_admin)]$ openstack user create readeruser --project admin --password Passw0rd*
.. code-block:: none
~(keystone_admin)]$ openstack role add --project admin --user readeruser reader
To create a user with ``admin`` role instead of ``reader`` role, change
``reader`` to ``admin`` using the :command:`openstack role add` command.
When this user is added in the central cloud, it is propagated to the managed
subclouds. To check if this new user is already present in a host, use the
:command:`openstack user list` command.
-------------------------------------------------------
Creation of user with specific role for Horizon and CLI
-------------------------------------------------------
Follow the instructions in
:ref:`Manage Composite Local LDAP Accounts at Scale <manage-local-ldap-39fe3a85a528>`
using the parameter ``user_role=reader`` in ``extra-vars`` of ``manage_local_ldap_account.yml``
playbook to create a user with ``reader`` role. To create a user with ``admin``
role, use ``user_role=admin`` instead.
.. warning::
Users with ``reader`` role do not have ``sudo`` capabilities, use
``sudo_permission=false`` when the users role is ``user_role=reader``.

View File

@ -17,6 +17,7 @@ See :ref:`Keystone Accounts <about-keystone-accounts>` for more details.
about-keystone-accounts
keystone-account-authentication
keystone-account-roles-64098d1abdc1
manage-keystone-accounts
configure-the-keystone-token-expiration-time
password-recovery