Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    AppFormix Role-Based Access

    AppFormix has role-based access for system configuration and data visibility. AppFormix integrates with Keystone for identity. The roles by which a user is a member of projects determine that user's capabilities in AppFormix.

    AppFormix has three categories of user permissions. Each category is configured with a set of Keystone roles that are permitted to access the functionality in that category. If a user is a member of a project with a role that matches one of the roles configured for a category, then the user will gain access to the functionality associated with that user category.

    AppFormix AdministratorUsers in this category can configure system settings in AppFormix, such as data retention policy, host and instance SLA policies, and Chargeback rate cards and departments.
    Infrastructure ViewUsers in this category can view all entities in an environment: hosts, projects, instances, aggregates, and infrastructure services.
    Tenant ViewUsers in this category can view all project and instances for which the user is a member. A user that is not in AppFormix Admin or Infrastructure View categories will by default have access in the Tenant View category (if enabled).

    Configuring Roles

    During installation, you can configure the set of roles for each user category. The following Ansible variables configure the roles. Define these variables in an inventory file for the controller host or in group variables for the appformix_controller group. (For example, in the file group_vars/appformix_controller).

    appformix_administrator_rolesList of Keystone roles that comprise the AppFormix Administrator user category.
    appformix_infrastructure_view_rolesList of Keystone roles that comprise the Infrastrucure View user category.

    Granting AppFormix Permissions to Read-Only OpenStack Users

    It is possible to give users access to AppFormix without granting OpenStack privileges to those users. This is achieved by creating a Keystone role and project in OpenStack such that users can interact with OpenStack APIs only in a read-only manner.

    As an example, the following steps create an appformix-admin user that has an AppFormix Administrator role and an appformix-infra user that has Infrastructure View role. Both accounts do not have any quota by which to create resources in OpenStack. Other accounts, roles, and projects can be created in a similar manner.

    To create an appformix-admin user that has AppFormix Administrator role and an appformix-infra user that has Infrastructure View role:

    1. Create a new Keystone role for users that will have an administrator role in AppFormix. For example, AppFormixAdmin.
      $ openstack role create AppFormixAdmin
    2. Create a new Keystone role for users that will have an infrastructure view role in AppFormix. For example, AppFormixInfra.
      $ openstack role create AppFormixInfra
    3. Create a new project in OpenStack. For example, ReadOnly.
      $ openstack project create ReadOnly
    4. Set all quotas for the ReadOnly project to 0. This is most easily accomplished using the OpenStack Horizon dashboard.
    5. For users that should have administrator privilege in AppFormix, create a user in the ReadOnly project with the AppFormixAdmin role.
      $ openstack user create --password-prompt \
          --description "Read-only OpenStack user for AppFormix administrator" \
          appformix-admin
      $ openstack role add --project ReadOnly --user appformix-admin AppFormixAdmin

      For users that should have infrastructure view privilege in AppFormix, create a user, and add the user to the ReadOnly project with the AppFormixInfra role.

      $ openstack user create --password-prompt \
          --description "Read-only OpenStack user for AppFormix infrastructure view" \
          appformix-infra
      $ openstack role add --project ReadOnly --user appformix-infra AppFormixInfra
    6. Configure the mapping from Keystone roles to AppFormix roles.

      Define the appformix_administrator_roles Ansible variable to include the Keystone roles that will have administrator privilege in AppFormix.

      Note: The admin role is required for AppFormix Platform to access OpenStack.

      Define the appformix_infrastructure_view_roles Ansible variable to include the Keystone roles that will have administrator privilege in AppFormix.

      These variables can be defined in an inventory file for the controller host or in group variables for the appformix_controller group. For example, in the file group_vars/appformix_controller.

      appformix_administrator_roles:
          - 'admin'
          - 'AppFormixAdmin'
      
      appformix_infrastructure_view_roles:
          - 'AppFormixInfra'

    Modified: 2017-11-12