4 Service Admin Role Segregation in the Identity Service
4.1 Overview
Under the default OpenStack user policies, a user can have either member privilege or admin privilege. Admin privilege is assigned by creating a user account with the role of admin. However, the default admin role is too broad and often grants users more privilege than they need, giving them access to additional tasks and resources that they should not have.
Ideally, each user account should only be assigned privileges necessary to perform tasks they are required to perform. According to the widely accepted principle of least privilege, a user who needs to perform administrative tasks should have a user account with the privileges required to perform only those administrative tasks and no others. This prevents the granting of too much privilege while retaining the individual accountability of the user.
Service Administrator Roles are an alternative to the current one-size-fits-all admin role model and can help you institute different privileges for different administrators.
4.2 Pre-Installed Service Admin Role Components
The main components of Service Administrator Roles are:
- nova_admin: role in the Identity service (keystone) and support in nova_policy.json
- neutron_admin: role in the Identity service and support in neutron_policy.json
- cinder_admin: role in the Identity service and support in cinder_policy.json
- swiftoperator: role in the Identity service, defined in the keystoneauth section of the proxy-server.conf file
- glance_admin: role in the Identity service and support in glance_policy.json
Warning: Changing glance_policy.json may Introduce a Security Issue
A security issue is described in the OpenStack Security Note OSSN-0075 (https://wiki.openstack.org/wiki/OSSN/OSSN-0075). It refers to a scenario where a malicious tenant is able to reuse deleted glance image IDs to share malicious images with other tenants in a manner that is undetectable to the victim tenant.
The default policy glance_policy.json that is shipped with SUSE OpenStack Cloud prevents this by ensuring only admins can deactivate/reactivate images:
"deactivate": "role:admin"
"reactivate": "role:admin"
It is suggested not to change these settings. If you do change them, please refer to OSSN-0075 (https://wiki.openstack.org/wiki/OSSN/OSSN-0075), which has details about the exact scope of the security issue.
The OpenStack admin user has broad capabilities to administer the cloud, including nova, neutron, cinder, swift, and glance. This is maintained to ensure backwards compatibility, but if separation of duties is desired among administrative staff, then the OpenStack roles may be partitioned across different administrators. For example, it is possible to have a set of network administrators with the neutron_admin role, a set of storage administrators with the cinder_admin and/or swiftoperator roles, and a set of compute administrators with the nova_admin and glance_admin roles.
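The following is an added illustration, not code from SUSE OpenStack Cloud: a minimal evaluator for policy.json-style rules that shows how a per-service admin role grants administrative actions in its own service only, while the broad admin role keeps everything (backwards compatibility) and glance deactivate/reactivate stay admin-only as the OSSN-0075 warning recommends. The service-specific rule names (admin_required, context_is_admin, the two actions) are assumptions modelled on OpenStack policy files, not the shipped SUSE rules.

```python
# Constructed sample in the style of the per-service policy.json files. The rule
# names marked "assumed" are illustrative, not copied from SUSE OpenStack Cloud.
SAMPLE_POLICY = {
    "nova": {
        "admin_required": "role:admin or role:nova_admin",  # assumed rule name
        "os_compute_api:os-hypervisors": "rule:admin_required",
    },
    "neutron": {
        "context_is_admin": "role:admin or role:neutron_admin",  # assumed
        "create_network:shared": "rule:context_is_admin",
    },
    "glance": {
        # Kept admin-only, as the OSSN-0075 warning recommends.
        "deactivate": "role:admin",
        "reactivate": "role:admin",
    },
}

def is_allowed(service, action, roles, policy=SAMPLE_POLICY):
    """Evaluate a policy.json rule for a user holding `roles`.

    Handles the oslo.policy subset used above: 'role:<name>', 'rule:<name>'
    references, and 'and'/'or' ('and' binds tighter). Unknown actions deny.
    """
    rules = policy[service]
    if action not in rules:
        return False

    def term(tok):
        kind, _, value = tok.strip().partition(":")
        if kind == "role":
            return value in roles
        if kind == "rule":
            return is_allowed(service, value, roles, policy)
        raise ValueError(f"unsupported check: {tok!r}")

    return any(all(term(t) for t in group.split(" and "))
               for group in rules[action].split(" or "))

def compare_admins():
    """Map each example account to the admin actions it may perform."""
    accounts = {
        "cloud-admin": {"admin"},
        "compute-admin": {"nova_admin", "glance_admin"},
        "network-admin": {"neutron_admin"},
    }
    checks = [("nova", "os_compute_api:os-hypervisors"),
              ("neutron", "create_network:shared"),
              ("glance", "deactivate")]
    return {name: {f"{svc}:{act}": is_allowed(svc, act, roles)
                   for svc, act in checks} for name, roles in accounts.items()}
```

Note that the compute-admin account holds glance_admin yet is still denied glance deactivate, because that action is pinned to role:admin rather than to a service-admin rule.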
4.3 Features and Benefits
Service Administrator Roles offer the following features and benefits:
- Support separation of duties through more granular roles
- Are enabled by default
- Are backwards compatible
- Have predefined service administrator roles in the Identity service
- Have predefined policy.json files with corresponding service admin roles to facilitate quick and easy deployment
4.4 Roles
The following are the roles defined in SUSE OpenStack Cloud 9. These roles serve as a way to group common administrative needs at the OpenStack service level. Each role represents administrative privilege into each service. Multiple roles can be assigned to a user. You can assign a Service Admin Role to a user once you have determined that the user is authorized to perform administrative actions and access resources in that service.
Pre-Installed Service Admin Roles
The following service admin roles exist by default:
- nova_admin role
Assign this role to users whose job function it is to perform nova compute-related administrative tasks.
- neutron_admin role
Assign this role to users whose job function it is to perform neutron networking-related administrative tasks.
- cinder_admin role
Assign this role to users whose job function it is to perform cinder storage-related administrative tasks.
- glance_admin role
Assign this role to users whose job function it is to perform glance image service-related administrative tasks.