author | Marcin Wilk <marcin.wilk@canonical.com> | 2022-04-04 09:37:33 +0000 |
---|---|---|
committer | Marcin Wilk <marcin.wilk@canonical.com> | 2022-04-25 07:57:30 +0000 |
commit | 3856cbf10d4d19b9d7797d600ef096b0c04aaedb (patch) | |
tree | a17417bff8ceda3e43eabb67e29e287bc1f1f19c | |
parent | 65e3e33b6b8be4d1a5b7c85456f3048244e4eb75 (diff) | |
download | keystone-3856cbf10d4d19b9d7797d600ef096b0c04aaedb.tar.gz |
Add service_type config info for access rules
The service_type config param is crucial to successfully use
application credentials with access rules.
Closes-Bug: #1950464
Change-Id: I98d1cfcbd229f2939d900861f453efa996466c32
-rw-r--r-- | doc/source/user/application_credentials.rst | 43 |
1 files changed, 41 insertions, 2 deletions
diff --git a/doc/source/user/application_credentials.rst b/doc/source/user/application_credentials.rst index eff86f7b3..5455a04e7 100644 --- a/doc/source/user/application_credentials.rst +++ b/doc/source/user/application_credentials.rst @@ -174,8 +174,47 @@ Access Rules ============ In addition to delegating a subset of roles to an application credential, you -may also delegate more fine-grained access control by using access rules. For -example, to create an application credential that is constricted to creating +may also delegate more fine-grained access control by using access rules. + +.. note:: + + Application credentials with access rules require additional configuration + of each service that will use it. See below for details. + +If application credentials with access rules are required, an OpenStack +service using keystonemiddleware to authenticate with keystone, needs to +define ``service_type`` in its configuration file. Following is an example for the +cinder V3 service: + +.. code-block:: ini + + [keystone_authtoken] + service_type = volumev3 + +For other OpenStack sevices, their types can be obtained using the OpenStack +client. For example: + +.. code-block:: console + + $ openstack service list -c Name -c Type + +-----------+-----------+ + | Name | Type | + +-----------+-----------+ + | glance | image | + | cinderv3 | volumev3 | + | cinderv2 | volumev2 | + | keystone | identity | + | nova | compute | + | neutron | network | + | placement | placement | + +-----------+-----------+ + +.. note:: + + Updates to the configuration files of a service require restart of the appropriate + services for the changes to take effect. + +In order to create an example application credential that is constricted to creating servers in nova, the user can add the following access rules: .. code-block:: console |
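Review bot: the added paragraph "For other OpenStack sevices, their types can be obtained using the OpenStack client" has a typo, "sevices" should be "services", and the re-added closing line "constricted to creating servers in nova" should read "restricted to creating servers in nova". Two more wording fixes in the same hunk: drop the stray comma in "an OpenStack service using keystonemiddleware to authenticate with keystone, needs to define ``service_type``", and "require restart of the appropriate services" reads better as "require a restart of the affected service"; in the first note, "each service that will use it" should be "use them", since it refers to the credentials. It would also help to state next to the ``openstack service list`` output that the ``service_type`` value must match the ``Type`` column for that service exactly (``volumev3`` for cinder V3, as in the ini example), rather than the ``Name`` column, since readers will otherwise be tempted to write ``service_type = cinderv3``.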