Task 6: Assign and control resources and policies using role- and resource-based access for users
Goal
In this task, you will see how Contrail enables user-based access to the resources in the cloud. Contrail allows or denies creating, updating, and deleting objects or resources in the cloud environment based on the permissions assigned to a user. This improves the security of your cloud resources and prevents unauthorized access.
Disclaimer: The steps in this task are only applicable to Juniper’s Cloud Software Trial tool.
Some values and/or information may vary for users executing this task using a non-Juniper trial tool.
Step-by-Step Procedure
Log in to the OpenStack dashboard
Open a new tab in the browser and point it to https://192.168.250.1/horizon.
Use the credentials below to log in.
Username: admin
Password: contrail123
Navigate to Identity > Users using the left navigation panel.
Click the (+) icon to create a new user.
Provide a User Name and Password, and choose “admin” as the Primary Project and “_member_” as the Role.
Click on “Create User”.
This creates a user called “test-user” with a user-defined password in the “admin” project with the “_member_” role.
Now, open the Contrail web interface in the browser by navigating to https://192.168.250.1:8143.
Then log in to the Contrail dashboard using the credentials below.
Username: admin
Password: contrail123
Domain: (leave blank)
Navigate to Configure > Infrastructure > RBAC > Project in the left navigation panel.
Then click the (+) icon to create a new API access rule.
Create a new RBAC rule to provide READ ONLY access to “test-user” with the “_member_” role in the “admin” project.
Verify that the rule was successfully created.
Now log out and log back in as “test-user”. You should be able to see all Contrail objects, such as virtual networks and ports, but you will not be able to create, delete, or update Contrail resources.
You can log in as the “admin” user and modify the existing RBAC API access rule to give “test-user” Create/Delete/Update permissions.
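The read-only rule created above, and the modified rule from the last step, modelled as an added Python example (not part of this lab guide and not Contrail's own code). The field names rule_object, rule_field, rule_perms, role_name and role_crud follow Contrail's RBAC rule schema; the matching logic, the function names and the "virtual-network" sample object type are simplified assumptions for illustration.

```python
# Added example: simplified model of a Contrail RBAC (API access) rule check.
# Matching logic is an assumption for illustration, not the API server's code.
OPS = {"create": "C", "read": "R", "update": "U", "delete": "D"}

def make_acl(role_crud):
    """API access list for the "admin" project with one wildcard rule."""
    return {"api_access_list_entries": {"rbac_rule": [{
        "rule_object": "*",   # every object type (virtual-network, ...)
        "rule_field": "",     # whole object, not a single field
        "rule_perms": [{"role_name": "_member_", "role_crud": role_crud}],
    }]}}

def rules(acl):
    return acl["api_access_list_entries"]["rbac_rule"]

def is_allowed(acl, user_roles, obj_type, op):
    """True if any rule grants `op` on `obj_type` to one of the user's roles."""
    for rule in rules(acl):
        if rule["rule_object"] not in ("*", obj_type):
            continue
        for perm in rule["rule_perms"]:
            role_ok = perm["role_name"] == "*" or perm["role_name"] in user_roles
            if role_ok and OPS[op] in perm["role_crud"]:
                return True
    return False  # nothing matched: deny

def effective_ops(acl, user_roles, obj_type):
    """Operations the user can perform on obj_type under this ACL."""
    return [op for op in OPS if is_allowed(acl, user_roles, obj_type, op)]

def audit(acl, role, allowed_crud="R"):
    """Report grants to `role` that exceed `allowed_crud` (least-privilege check)."""
    findings = []
    for rule in rules(acl):
        for perm in rule["rule_perms"]:
            if perm["role_name"] in ("*", role):
                extra = "".join(sorted(set(perm["role_crud"]) - set(allowed_crud)))
                if extra:
                    findings.append((rule["rule_object"], perm["role_name"], extra))
    return findings

if __name__ == "__main__":
    read_only, modified = make_acl("R"), make_acl("CRUD")
    print(effective_ops(read_only, ["_member_"], "virtual-network"))
    print(effective_ops(modified, ["_member_"], "virtual-network"))
    print(audit(modified, "_member_"))
```

Running audit() against an exported rule set after the final step shows exactly which write permissions the “_member_” role gained, which is the check to repeat whenever a read-only rule is widened.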