Chapter 2. Role Management
2.1. Role Management
OpenStack uses a role-based access control (RBAC) mechanism to manage access to its resources. Roles define which actions users can perform. By default, there are two predefined roles: a member role that gets attached to a tenant, and an administrative role to enable non-admin users to administer the environment. Note that there are abstract levels of permission, and it is possible to create the roles the administrator needs, and configure services adequately.
2.1.1. View Roles
Use the following command to list the available predefined roles.
To get details for a specified role, run:
openstack role show admin
$ openstack role show adminExample
2.1.2. Create and Assign a Role
As a cloud administrator, you can create and manage roles on the Keystone client using the following set of commands. Each OpenStack deployment must include at least one project, one user, and one role, linked together. However, users can be members of multiple projects. To assign users to multiple projects, create a role and assign that role to a user-project pair. Note that you can create a user and assign a primary project and default role in the dashboard.
Either the name or ID can be used to specify users, roles, or projects.
- Create the - new-rolerole:- openstack role create [ROLE_NAME] - $ openstack role create [ROLE_NAME]- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To assign a user to a project, you must assign the role to a user-project pair. To do this, obtain the user, role, and project names or IDs: - List users: - openstack user list - $ openstack user list- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- List roles: - openstack role list - $ openstack role list- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- List projects: - openstack project list - $ openstack project list- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Assign a role to a user-project pair. - openstack role add --project [PROJECT_NAME] --user [USER_ID] [ROLE_ID] - openstack role add --project [PROJECT_NAME] --user [USER_ID] [ROLE_ID]- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example - In this example, you assign the - adminrole to the- adminuser in the- demoproject:- openstack role add --project demo --user 895e43465b9643b9aa29df0073572bb2 ae49e2b796ea4820ac51637be27650d8 - $ openstack role add --project demo --user 895e43465b9643b9aa29df0073572bb2 ae49e2b796ea4820ac51637be27650d8- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify the role assignment for the user - admin:- openstack role assignment list --user [USER_ID] --project [PROJECT_ID] - $ openstack role assignment list --user [USER_ID] --project [PROJECT_ID]- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.2. Implied Roles and Domain-specific Roles
2.2.1. Implied roles
In OpenStack, access control is enforced by confirming that a user is assigned to a specific role. Until recently, those roles had to be explicitly assigned to either a user, or to a group in which the user was a member. Identity Service (keystone) has now added the concept of implied role assignments: If a user is explicitly assigned to a role, then the user could be implicitly assigned to additional roles as well.
2.2.2. Inference Rules
					Implied assignment is managed by role inference rules. An inference rule is written in the form superior implies subordinate. For example, a rule might state that the admin role implies the _member_ role. As a result, a user assigned to admin for a project would implicitly be assigned to the _member_ role as well.
				
With implied roles, a user’s role assignments are processed cumulatively, allowing the user to inherit the subordinate roles. This result is dependent on an inference rule being created that specifies this outcome.
2.2.2.1. Keystone Configuration
						For keystone to observe implied roles, the infer_roles setting must be enabled in /etc/keystone/keystone.conf:
					
[token] infer_roles = true
[token]
infer_roles = trueImplied roles are governed by a defined set of inference rules. These rules determine how a role assignment can result in the implied membership of another role. See Section 2.2.3.1, “Demonstration of Implied Roles” for an example.
2.2.3. Prevent Certain Roles From Being Implied
					You can prevent certain roles from being implied onto a user. For example, in /etc/keystone/keystone.conf, you can add a ListOpt of roles:
				
[assignment] prohibited_implied_role = admin
[assignment]
prohibited_implied_role = adminThis will prevent a user from ever being assigned a role implicitly. Instead, the user will need to be explicitly granted access to that role.
2.2.3.1. Demonstration of Implied Roles
						This section describes how to create an inference rule, resulting in an implied role. These rules control how one role can imply membership of another. The example rule used in the following procedure will imply that members of the admin role also have _member_ access:
					
2.2.3.1.1. Assign a Role to the User
- Retrieve the ID of a user that will have the - _member_role implied. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Retrieve the ID of the - demoproject:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Retrieve the ID of the - adminrole:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Give the - User1user- adminprivileges to the- demoproject:- openstack role add --user User1 --project demo admin - $ openstack role add --user User1 --project demo admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm the - adminrole assignment:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.2.3.1.2. Create the Inference Rule
							Now that you have granted the admin role to User1, run the following steps to create the inference rule:
						
- First, confirm User1’s current role membership: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Retrieve the list of role IDs: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the inference rule. These are currently created using - curl. This example uses the IDs of the roles returned in the previous step. It also runs the command using the- admin_tokenin keystone.conf:- source overcloudrc export OS_TOKEN=`grep ^admin_token /etc/keystone/keystone.conf | awk -F'=' '{print $2}'` curl -X PUT -H "X-Auth-Token: $OS_TOKEN" -H "Content-type: application/json" $OS_AUTH_URL/roles/9b821b2920544be7a4d8f71fa99fcd35/implies/9fe2ff9ee4384b1894a90878d3e92bab- source overcloudrc export OS_TOKEN=`grep ^admin_token /etc/keystone/keystone.conf | awk -F'=' '{print $2}'` curl -X PUT -H "X-Auth-Token: $OS_TOKEN" -H "Content-type: application/json" $OS_AUTH_URL/roles/9b821b2920544be7a4d8f71fa99fcd35/implies/9fe2ff9ee4384b1894a90878d3e92bab- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Review the results using the CLI. In this example, User1 has received implied access to the - _member_role, as indicated by ID- 9fe2ff9ee4384b1894a90878d3e92bab:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Review your inference rules using curl: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.2.4. Domain-Specific Roles
Domain-specific roles grant you more granular control when defining rules for roles, allowing the roles to act as aliases for the existing prior roles. Note that you cannot have a global role implying a domain-specific role. As a result, if you list the effective role assignments of a user in a project, the domain-specific roles will not be present.
Domain-specific roles can be created by a user who administers their keystone domain; they do not have to be administrators of the OpenStack deployment. This means that a domain-specific role definition can be limited to a specific domain.
Domain-specific roles cannot be used to scope a token. This can only be done with global roles.
2.2.4.1. Using Domain-Specific Roles
This example describes how to create a domain specific role and review its effect.
- Create a domain: - openstack domain create corp01 - $ openstack domain create corp01- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a role that specifies a domain (note that this parameter is distinct from - --domain):- openstack role create operators --role-domain domain-corp01 - $ openstack role create operators --role-domain domain-corp01- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow