Add a read-only role to keystoneauth

Code Issues Proposed changes

An idea was floated recently of a read-only role that can be used for
cluster-wide audits, and is otherwise safe. It was also included into
the "Consistent and Secure Default Policies" effort in OpenStack,
where it implements "reader" personas in system, domain, and project
scopes. This patch implements it for system scope, where it's most
useful for operators.
Change-Id: I5f5fff2e61a3e5fb4f4464262a8ea558a6e7d7ef

This commit is contained in:

Pete Zaitcev

2020年12月18日 11:16:19 -06:00

parent 1f9b879547

commit 98a0275a9d

3 changed files with 86 additions and 1 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

8
etc/proxy-server.conf-sample

View File

@@ -498,6 +498,14 @@ user_test5_tester5 = testing5 service

# move between domains, you should disable backwards compatible name matching

# in ACLs by setting allow_names_in_acls to false:

# allow_names_in_acls = true

#

# In OpenStack terms, these reader roles are scoped for system: they

# can read anything across projects and domains.

# They are used for auditing and compliance fuctions.

# In Swift terms, these roles are as powerful as the reseller_admin_role,

# only do not modify the cluster.

# By default the list of reader roles is empty.

# system_reader_roles =

[filter:s3api]

use = egg:swift#s3api

Add a read-only role to keystoneauth

8 etc/proxy-server.conf-sample Unescape Escape View File

8
etc/proxy-server.conf-sample

View File