Role- and Resource-Based Access Control for the Contrail Analytics API
In previous releases of Contrail, any user can access the Contrail analytics API by using queries to get historical information and by using UVEs to get state information.
Starting with Contrail Release 3.1, it is possible to restrict
access such that only the cloud-admin
user
can access the Contrail analytics API.
Implementation details are as follows:
An external user makes a REST API call to
contrail-analytics-api
, passing a token representing the user with the HTTP header X-Auth-Token.Based on the user role,
contrail-analytics-api
will only allow access for thecloud-admin
user and reject the request (HTTPUnauthorized
) for other users.
To set the cloud_admin
user,
use the following fields in /etc/contrail/contrail-analytics-api.conf:
aaa_mode
—Takes one of these values:no-auth
cloud-admin
cloud_admin_role
—The user with this role has full access to everything. By default, this is set to "admin". This role must be configured in Keystone.