Chapter 10. Improving user access security
You can enable secure role-based access control (SRBAC) in Red Hat OpenStack Platform 17. The SRBAC model has three personas, based on three roles existing within the project scope.
10.1. SRBAC personas
Personas are a combination of roles and the scope to which they belong. When you deploy Red Hat OpenStack Platform 17, you can assign any of the personas from the project scope.
10.1.1. Red Hat OpenStack Platform SRBAC roles
Currently, three different roles are available within the project scope.
- admin: The admin role includes all create, read, update, or delete operations on a resource or API.
- member: The member role is allowed to create, read, update, and delete resources that are owned by the scope in which they are a member.
- reader: The reader role is for read-only operations, regardless of the scope it is applied to. This role can view resources across the entirety of the scope to which it is applied.
10.1.2. Red Hat OpenStack Platform SRBAC scope
The scope is the context in which operations are performed. Only the project scope is available in Red Hat OpenStack Platform 17. The project scope is a contained subset of APIs for isolated self-service resources within OpenStack.
10.1.3. Red Hat OpenStack Platform SRBAC personas
- Admin: Because the project admin persona is the only administrative persona available, Red Hat OpenStack Platform 17 includes modified policies that grant the project admin persona the highest level of authorization. This persona includes create, read, update, and delete operations on resources across projects, which includes adding and removing users and other projects.
  Note: This persona is expected to change in scope with future development. This role implies all permissions granted to project members and project readers.
- Project member: The project member persona is for users who are granted permission to consume resources within the project scope. This persona can create, list, update, and delete resources within the project to which they are assigned. This persona implies all permissions granted to project readers.
- Project reader: The project reader persona is for users who are granted permission to view non-sensitive resources in the project. On projects, assign the reader role to end users who need to inspect or view resources, or to auditors who only need to view project-specific resources within a single project for the purposes of an audit. The project reader persona does not address all auditing use cases.
Additional personas based on the system or domain scopes are in development and are not available for use.
The Image service (glance) does not support SRBAC permissions for metadef APIs. The default policies in RHOSP 17.1 for Image service metadef APIs are for the admin only.
10.2. Activating secure role-based access control
When you activate secure role-based access control (SRBAC), you are activating a new set of policy files that define the scope of permissions assigned to users in your Red Hat OpenStack Platform environment.
Prerequisites
- You have an installed Red Hat OpenStack Platform director environment.
Procedure
Include the enable-secure-rbac.yaml environment file in the deployment script when deploying Red Hat OpenStack Platform:
$ openstack overcloud deploy --templates … -e /usr/share/openstack-tripleo-heat-templates/environments/enable-secure-rbac.yaml
10.3. Assigning roles in an SRBAC environment
With SRBAC on Red Hat OpenStack Platform, you can assign users to the role of admin, project-member, or project-reader.
Prerequisites
- You have deployed Red Hat OpenStack Platform with secure role-based access control (SRBAC).
Procedure
Use the openstack role add command with the following syntax:
- Assign the admin role:
  $ openstack role add --user <user> --user-domain <domain> --project <project> --project-domain <project-domain> admin
- Assign the member role:
  $ openstack role add --user <user> --user-domain <domain> --project <project> --project-domain <project-domain> member
- Assign the reader role:
  $ openstack role add --user <user> --user-domain <domain> --project <project> --project-domain <project-domain> reader
- Replace <user> with an existing user to apply the role.
- Replace <domain> with the domain to which the role applies.
- Replace <project> with the project for which the user is being granted the role.
- Replace <project-domain> with the domain that the project is in.
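As an added example that is not part of the Red Hat documentation, the script below reduces a role assignment listing to the effective persona per user and project using the implication hierarchy from section 10.1.3 (admin implies member and reader; member implies reader), lists project-admin grants for review, and reports grants made redundant by a stronger role. It assumes the JSON shape produced by `openstack role assignment list --names -f json` with Role, User and Project keys; the records embedded here are constructed sample data, not output from a real deployment.

```python
import json

# Higher rank implies every lower persona (admin > member > reader).
PERSONA_RANK = {"reader": 0, "member": 1, "admin": 2}

# Constructed sample in the shape assumed for
# `openstack role assignment list --names -f json` (only the keys used here).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"Role": "admin",  "User": "alice@Default", "Project": "ops@Default"},
    {"Role": "member", "User": "bob@Default",   "Project": "dev@Default"},
    {"Role": "reader", "User": "bob@Default",   "Project": "dev@Default"},
    {"Role": "reader", "User": "carol@Default", "Project": "dev@Default"},
    {"Role": "member", "User": "dave@Default",  "Project": "dev@Default"},
    {"Role": "admin",  "User": "dave@Default",  "Project": "dev@Default"},
    {"Role": "swiftoperator", "User": "erin@Default", "Project": "dev@Default"},
])


def roles_by_pair(assignments_json):
    """Group SRBAC roles by (user, project); roles outside the SRBAC set are skipped."""
    grouped = {}
    for rec in json.loads(assignments_json):
        role = rec.get("Role")
        if role in PERSONA_RANK and rec.get("User") and rec.get("Project"):
            grouped.setdefault((rec["User"], rec["Project"]), set()).add(role)
    return grouped


def effective_personas(assignments_json):
    """Return {(user, project): persona}, keeping the strongest role per pair.

    Because admin implies member and reader, and member implies reader,
    the effective persona is the highest-ranked role that was assigned.
    """
    return {pair: max(roles, key=PERSONA_RANK.get)
            for pair, roles in roles_by_pair(assignments_json).items()}


def project_admins(assignments_json):
    """(user, project) pairs holding the project-admin persona, the one that
    reaches across projects and can add or remove users; review these first."""
    return sorted(p for p, v in effective_personas(assignments_json).items() if v == "admin")


def redundant_grants(assignments_json):
    """Grants already implied by a stronger role on the same (user, project).

    They do not widen access, but they obscure the real persona for anyone
    reading the raw assignment list during an audit.
    """
    redundant = []
    for pair, roles in roles_by_pair(assignments_json).items():
        strongest = max(roles, key=PERSONA_RANK.get)
        redundant.extend((pair, r) for r in sorted(roles) if r != strongest)
    return sorted(redundant)
```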