Role- and Resource-Based Access Control for the Contrail Analytics API
In previous releases of Contrail, any user can access the Contrail analytics API by using queries to get historical information and by using UVEs to get state information.
With Contrail, it is possible to restrict access such that only
cloud-admin user can access the Contrail
Implementation details are as follows:
An external user makes a REST API call to
contrail-analytics-api, passing a token representing the user with the HTTP header X-Auth-Token.
Based on the user role,
contrail-analytics-apiwill only allow access for the
cloud-adminuser and reject the request (
HTTPUnauthorized) for other users.
To set the
use the following fields in
aaa_mode—Takes one of these values:
cloud_admin_role—The user with this role has full access to everything. By default, this is set to "admin". This role must be configured in Keystone.