The Keystone and oslo.policy-based access control system is one of the most powerful mechanisms an operator can use to customize how their organization interacts with OpenStack. However, learning and managing it can be daunting. In this lab, the people who wrote and maintain this system want to help you understand how it works. This lab will provide you with an OpenStack deployment on which to learn and practice the techniques for customizing an access control policy for your own cloud.
In this lab you will learn:
- How to modify that policy to add custom rules
- How to unit test a custom policy using the oslo.policy command line tool
In this lab, you will customize policy to:
- Implement a read-only role for system auditing
- Create a role specific to the workflows of launching and destroying a virtual machine, and show how to create an application credential with only that role
- Split out the ability to manipulate networking from other self-service operations
Self-service of infrastructure helps your organization scale. Anything people can do for themselves frees up central IT staff time. OpenStack promises to let the tenants of the cloud manage their own resources. To realize that promise, you need to craft access policies that align users of the cloud with the acceptable operations that they should be able to perform.