4 SUSE® OpenStack Cloud: Service Admin Role Segregation in the Identity Service #
4.1 Overview #
Under the default OpenStack user policies, a user can have either member privilege or admin privilege. Admin privilege is assigned by creating a user account with the role of admin. However, the default admin role is too broad and often grants users more privilege than they need, giving them access to additional tasks and resources that they should not have.
Ideally, each user account should only be assigned privileges necessary to perform tasks they are required to perform. According to the widely accepted principle of least privilege, a user who needs to perform administrative tasks should have a user account with the privileges required to perform only those administrative tasks and no others. This prevents the granting of too much privilege while retaining the individual accountability of the user.
Service Administrator Roles is an alternative to the current one-size-fits-all admin role model and can help you institute different privileges for different administrators.
4.2 Pre-Installed Service Admin Role Components #
The main components of Service Administrator Roles are:
- nova_admin role in the identity service and support in nova_policy.json
- neutron_admin role in the identity service and support in neutron_policy.json
- cinder_admin role in the identity service and support in cinder_policy.json
- swiftoperator role in the identity service, defined in the keystoneauth section of the proxy-server.conf file.
- glance_admin role in the identity service and support in glance_policy.json

Warning: Changing glance_policy.json may Introduce a Security Issue

A security issue is described in the OpenStack Security Note OSSN-0075 (https://wiki.openstack.org/wiki/OSSN/OSSN-0075). It refers to a scenario where a malicious tenant is able to reuse deleted Glance image IDs to share malicious images with other tenants in a manner that is undetectable to the victim tenant.

The default policy glance_policy.json that is shipped with SUSE OpenStack Cloud prevents this by ensuring only admins can deactivate/reactivate images:

"deactivate": "role:admin"
"reactivate": "role:admin"

It is suggested not to change these settings. If you do change them, refer to OSSN-0075 (https://wiki.openstack.org/wiki/OSSN/OSSN-0075), which gives details on the exact scope of the security issue.

The OpenStack admin user has broad capabilities to administer the cloud, including Nova, Neutron, Cinder, Swift, and Glance. This is maintained to ensure backwards compatibility, but if separation of duties is desired among administrative staff, the OpenStack roles may be partitioned across different administrators. For example, it is possible to have a set of network administrators with the neutron_admin role, a set of storage administrators with the cinder_admin and/or swiftoperator roles, and a set of compute administrators with the nova_admin and glance_admin roles.
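To make the policy.json mechanism concrete, here is an added example (not SUSE or OpenStack code) of a minimal evaluator for the rule syntax these files use: "role:NAME", "rule:NAME" references, "and"/"or", "@" (always allow) and "!" (always deny). The policy fragment is constructed for illustration; only the two Glance entries are the ones quoted above, and the compute rule name is assumed, not taken from this page.

```python
"""Minimal evaluator for OpenStack-style policy.json rules (added example,
not SUSE/OpenStack code). Parentheses and non-role checks are not handled;
real deployments use oslo.policy, which supports the full grammar."""

# Constructed policy fragment. Only "deactivate"/"reactivate" match what the
# chapter quotes; the other rule names are hypothetical and only show how a
# service admin role is granted alongside the broad admin role.
POLICY = {
    "admin_required": "role:admin",
    "compute_admin": "rule:admin_required or role:nova_admin",
    "network_admin": "rule:admin_required or role:neutron_admin",
    "storage_admin": "rule:admin_required or role:cinder_admin",
    "os_compute_api:os-migrate-server:migrate": "rule:compute_admin",  # assumed
    "deactivate": "role:admin",   # as shipped in glance_policy.json
    "reactivate": "role:admin",   # as shipped in glance_policy.json
}


def _eval(expr, roles, policy, depth=0):
    """Evaluate one rule expression against the caller's set of role names."""
    if depth > 20:
        raise ValueError("rule recursion too deep (cyclic rule: reference?)")
    expr = expr.strip()
    # "or" binds weaker than "and", so split on it first.
    if " or " in expr:
        return any(_eval(p, roles, policy, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(_eval(p, roles, policy, depth) for p in expr.split(" and "))
    if expr == "@":
        return True
    if expr in ("!", ""):
        return False
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        # Unknown rule references deny rather than allow.
        return _eval(policy.get(value, "!"), roles, policy, depth + 1)
    raise ValueError(f"unsupported check: {expr!r}")


def enforce(action, roles, policy=POLICY):
    """Return True if a user holding `roles` may perform `action`.
    Actions absent from the policy are denied (fail closed)."""
    return _eval(policy.get(action, "!"), frozenset(roles), policy)
```

With this policy a nova_admin user passes the compute rule while a neutron_admin user does not, and only admin (not glance_admin) can deactivate an image, which is exactly the default the warning above asks you to keep.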
4.3 Features and Benefits #
Service Administrator Roles offer the following features and benefits:
- Support separation of duties through more granular roles
- Are enabled by default
- Are backwards compatible
- Have predefined service administrator roles in the identity service
- Have predefined policy.json files with corresponding service admin roles to facilitate quick and easy deployment
4.4 Roles #
The following are the roles defined in SUSE OpenStack Cloud 8. These roles serve as a way to group common administrative needs at the OpenStack service level. Each role represents administrative privilege into each service. Multiple roles can be assigned to a user. You can assign a Service Admin Role to a user once you have determined that the user is authorized to perform administrative actions and access resources in that service.
Pre-Installed Service Admin Roles
The following service admin roles exist by default:
- nova_admin role
  - Assign this role to users whose job function it is to perform Nova compute-related administrative tasks.
- neutron_admin role
  - Assign this role to users whose job function it is to perform Neutron networking-related administrative tasks.
- cinder_admin role
  - Assign this role to users whose job function it is to perform Cinder storage-related administrative tasks.
- glance_admin role
  - Assign this role to users whose job function it is to perform Glance image service-related administrative tasks.
For configuration steps, see Book “User Guide”, Chapter 4 “Cloud Admin Actions with the Command Line”.