AppFormix Role-Based Access

 

AppFormix has role-based access for system configuration and data visibility. AppFormix integrates with Keystone for identity. The roles by which a user is a member of projects determine that user's capabilities in AppFormix.

AppFormix has three categories of user permissions. Each category is configured with a set of Keystone roles that are permitted to access the functionality in that category. If a user is a member of a project with a role that matches one of the roles configured for a category, then the user will gain access to the functionality associated with that user category.

Category

Description

AppFormix Administrator

Users in this category can configure system settings in AppFormix, such as:

  • Data retention policy.

  • Host and instance SLA policies.

  • Chargeback rate cards and departments.

Users can also view and operate all entities in an environment, as described in the following Infrastructure View category.

Infrastructure View

Users in this category can view and operate all entities in an environment: hosts, projects, instances, aggregates, and infrastructure services. Users can perform the following actions:

  • Configure alarms.

  • Configure composite alarms.

  • Configure notification services.

  • Start, stop, and migrate instances. This capability is available for OpenStack. Nova API is invoked using a user token and OpenStack authorizes the user request.

  • Generate reports.

Read-Only Infrastructure View

Users in this category can view the same entities as the Infrastructure View category but they cannot perform any of the actions listed in Infrastructure View. For example, a user in this category cannot configure an alarm. User can view an report generated by another Administrator or Infrastructure View user but a user in this category cannot generate a report.

Tenant View

A user that is not in any of the above categories will by default have access in the Tenant View category (if enabled). Users in this category can view all project and instances for which the user is a member. User can create alarms and generate reports for instances that are visible.

Configure Roles

During installation, you can configure the set of roles for each user category. The following Ansible variables configure the roles. Define these variables in an inventory file for the controller host or in group variables for the appformix_controller group. (For example, in the file group_vars/appformix_controller).

appformix_administrator_rolesList of Keystone roles that comprise the AppFormix Administrator user category.
appformix_infrastructure_view_rolesList of Keystone roles that comprise the Infrastructure View user category.
appformix_read_only_infrastructure_view_rolesList of Keystone roles that comprise the Read-Only Infrastructure View user category.

Granting AppFormix Permissions to Read-Only OpenStack Users

It is possible to give users access to AppFormix without granting OpenStack privileges to those users. This is achieved by creating a Keystone role and project in OpenStack such that users can interact with OpenStack APIs only in a read-only manner.

As an example, the following steps create an appformix-admin user that has an AppFormix Administrator role and an appformix-infra user that has Infrastructure View role. Both accounts do not have any quota by which to create resources in OpenStack. Other accounts, roles, and projects can be created in a similar manner.

To create an appformix-admin user that has AppFormix Administrator role and an appformix-infra user that has Infrastructure View role:

  1. Create a new Keystone role for users that will have an administrator role in AppFormix. For example, AppFormixAdmin.
  2. Create a new Keystone role for users that will have an infrastructure view role in AppFormix. For example, AppFormixInfra.
  3. Create a new project in OpenStack. For example, ReadOnly.
  4. Set all quotas for the ReadOnly project to 0. This is most easily accomplished using the OpenStack Horizon dashboard.
  5. For users that should have administrator privilege in AppFormix, create a user in the ReadOnly project with the AppFormixAdmin role.

    For users that should have infrastructure view privilege in AppFormix, create a user, and add the user to the ReadOnly project with the AppFormixInfra role.

  6. Configure the mapping from Keystone roles to AppFormix roles.

    Define the appformix_administrator_roles Ansible variable to include the Keystone roles that will have administrator privilege in AppFormix.

    Note

    The admin role is required for AppFormix Platform to access OpenStack.

    Define the appformix_infrastructure_view_roles Ansible variable to include the Keystone roles that will have administrator privilege in AppFormix.

    These variables can be defined in an inventory file for the controller host or in group variables for the appformix_controller group. For example, in the file group_vars/appformix_controller.