Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / Documentation / Security Guide / Service Admin Role Segregation in the Identity Service
Applies to SUSE OpenStack Cloud 9

4 Service Admin Role Segregation in the Identity Service

4.1 Overview

Under the default OpenStack user policies, a user can have either member privilege or admin privilege. Admin privilege is assigned by creating a user account with the role of admin. However, the default admin role is too broad and often grants users more privilege than they need, giving them access to additional tasks and resources that they should not have.

Ideally, each user account should only be assigned privileges necessary to perform tasks they are required to perform. According to the widely accepted principle of least privilege, a user who needs to perform administrative tasks should have a user account with the privileges required to perform only those administrative tasks and no others. This prevents the granting of too much privilege while retaining the individual accountability of the user.

Service Administrator Roles is an alternative to the current one-size-fits-all admin role model and can help you institute different privileges for different administrators.

4.2 Pre-Installed Service Admin Role Components

The main components of Service Administrator Roles are:

  • nova_admin role in the Identity service (keystone) and support in nova_policy.json

  • neutron_admin role in the Identity service and support in neutron_policy.json

  • cinder_admin role in the Identity service and support in cinder_policy.json

  • swiftoperator role in the Identity service, defined in the keystoneauth section of the proxy-server.conf file.

  • glance_admin role in the Identity service and support in glance_policy.json

    Warning: Changing glance_policy.json may Introduce a Security Issue

    A security issue is described in the OpenStack Security Note OSSN-0075 https://wiki.openstack.org/wiki/OSSN/OSSN-0075. It refers to a scenario where a malicious tenant is able to reuse deleted glance image IDs to share malicious images with other tenants in a manner that is undetectable to the victim tenant.

    The default policy glance_policy.json that is shipped with SUSE OpenStack Cloud prevents this by ensuring only admins can deactivate/reactivate images:

    "deactivate": "role:admin"
    "reactivate": "role:admin"

    It is suggested to not change these settings. If you do change them, please refer to the OSSN-0075 https://wiki.openstack.org/wiki/OSSN/OSSN-0075. This reference has details about the exact scope of the security issue.

    The OpenStack admin user has broad capabilities to administer the cloud, including nova, neutron, cinder, swift, and glance. This is maintained to ensure backwards compatilibity, but if separation of duties is desired among administrative staff then the OpenStack roles may be partitioned across different administrators. For example, it is possible to have a set of network administrators with the neutron_admin role, a set of storage administrators with the cinder_admin and/or swiftoperator roles, and a set of compute administrators with the nova_admin and glance_admin roles.

4.3 Features and Benefits

Service Administrator Roles offer the following features and benefits:

  • Support separation of duties through more granular roles

  • Are enabled by default

  • Are backwards compatible

  • Have predefined service administrator roles in the Identity service

  • Have predefined policy.json files with corresponding service admin roles to facilitate quick and easy deployment

4.4 Roles

The following are the roles defined in SUSE OpenStack Cloud 9. These roles serve as a way to group common administrative needs at the OpenStack service level. Each role represents administrative privilege into each service. Multiple roles can be assigned to a user. You can assign a Service Admin Role to a user once you have determined that the user is authorized to perform administrative actions and access resources in that service.

Pre-Installed Service Admin Roles

The following service admin roles exist by default:

nova_admin role

Assign this role to users whose job function it is to perform nova compute-related administrative tasks.

neutron_admin role

Assign this role to users whose job function it is to perform neutron networking-related administrative tasks.

cinder_admin role

Assign this role to users whose job function it is to perform cinder storage-related administrative tasks.

glance_admin role

Assign this role to users whose job function it is to perform glance image service-related administrative tasks.