1 Reply Latest reply on Jul 10, 2020 8:58 AM by Dima Seliverstov

    OpenStack ro_admin

    Mikhail Khromykh

      Hey.

      I need to access OpenStack metrics.

      From the documentation, the necessary level of rights is admin \ ro_admin.

       

       

      In OpenStack (we are connecting to APIv3 https://*********:5000/v3), there is no such role as ro_admin, so we created the user mon:

      An example of creating rules by role / user:

       

      "owner": "user_id:%(user_id)s"

      "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"

      "service_or_admin": "rule:admin_required or rule:service_role"

      "service_role": "role:service"

      "token_subject": "user_id:%(target.token.user_id)s"

       

      And this is adding roles for a specific API:

      "identity:list_trusts": ""

      "identity:list_user_projects": "rule:admin_or_owner"

      "identity:list_users_in_group": "rule:admin_required"

      "identity:list_users": "rule:admin_required"

      "identity:remove_endpoint_from_project": "rule:admin_required"

      "identity:remove_endpoint_group_from_project": "rule:admin_required"

      "identity:remove_user_from_group": "rule:admin_required"

      "identity:revocation_list": "rule:service_or_admin"

      "identity:revoke_grant": "rule:admin_required"

      "identity:revoke_system_grant_for_group": "rule:admin_required"

      "identity:revoke_system_grant_for_user": "rule:admin_required"

      "identity:revoke_token": "rule:admin_or_token_subject"

      "identity:update_consumer": "rule:admin_required"

      "identity:update_credential": "rule:admin_required"

      "identity:update_domain_config": "rule:admin_required"

      "identity:update_domain_role": "rule:admin_required"

      "identity:update_domain": "rule:admin_required"

      "identity:update_endpoint_group": "rule:admin_required"

      "identity:update_endpoint": "rule:admin_required"

      "identity:update_group": "rule:admin_required"

      "identity:update_identity_provider": "rule:admin_required"

      "identity:update_limits": "rule:admin_required"

      "identity:update_mapping": "rule:admin_required"

      "identity:update_policy": "rule:admin_required"

      "identity:update_project": "rule:admin_required"

      "identity:update_project_tags": "rule:admin_required"

      "identity:update_protocol": "rule:admin_required"

      "identity:update_region": "rule:admin_required"

      "identity:update_registered_limits": "rule:admin_required"

       

       

      However, the extractor crashes with an error:

      StackTrace: com.bmc.bco.openstack.exception.OpenStackException: Problem checking user grants during connection phase

              at com.bmc.bco.openstack.util.ParseOpenStackResponse.obtainNameV3(ParseOpenStackResponse.java:234)

              at com.bmc.bco.openstack.util.ParseOpenStackResponse.parseConnectResponseV3(ParseOpenStackResponse.java:142)

              at com.bmc.bco.openstack.OSClient.connect(OSClient.java:227)

              at com.bmc.bco.openstack.OSCollectorService.serviceImpl(OSCollectorService.java:153)

              at com.neptuny.scheduler.task.AbstractService.serviceRun(AbstractService.java:383)

              at com.neptuny.scheduler.task.AbstractService$ServiceThread.run(AbstractService.java:657)

              at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)

              at java.base/java.util.concurrent.FutureTask.runAndReset(Unknown Source)

              at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)

              at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

              at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

              at java.base/java.lang.Thread.run(Unknown Source)

      Caused by: com.bmc.bco.openstack.exception.OpenStackException: Configured user mon should have  any of the following roles assigned (admin,ro_admin) for the tenant

              at com.bmc.bco.openstack.util.ParseOpenStackResponse.obtainNameV3(ParseOpenStackResponse.java:228)

              ... 11 more

       

       

      What permissions does the account need on the OpenStack side?
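The difference between the policy rules quoted in the post and the role-name check reported in the stack trace, as an added example that is not part of the original post or of the connector's code. It uses a simplified rule evaluator (only `role:`, `rule:` and `or`, not oslo.policy itself); the definition of `admin_required`, the role `mon_role` and the token bodies are constructed assumptions, and the name-based check is inferred from the error message.

```python
# Constructed excerpt: rule strings as quoted in the post, except
# "admin_required", which the post does not show (assumed "role:admin").
POLICY = {
    "admin_required": "role:admin",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "identity:list_trusts": "",
    "identity:list_users": "rule:admin_required",
    "identity:revocation_list": "rule:service_or_admin",
}
REQUIRED = {"admin", "ro_admin"}  # role names from the connector's error message


def token_with(*names):
    """Constructed, trimmed Keystone v3 token body for user 'mon'."""
    return {"token": {"user": {"name": "mon"},
                      "roles": [{"name": n} for n in names]}}


def role_names(body):
    return {r["name"] for r in body["token"].get("roles", [])}


def has_required_role(body, required=REQUIRED):
    """Name-based check, as the error message describes it (assumption)."""
    return bool(role_names(body) & required)


def check(expr, roles, policy, seen=()):
    """Evaluate a rule string limited to 'role:', 'rule:' and 'or'."""
    if not expr.strip():
        return True  # an empty rule allows every caller
    for term in expr.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "rule" and value in policy and value not in seen:
            if check(policy[value], roles, policy, seen + (value,)):
                return True
    return False


def allowed_apis(body, policy=POLICY):
    roles = role_names(body)
    return sorted(name for name, rule in policy.items()
                  if name.startswith("identity:") and check(rule, roles, policy))


if __name__ == "__main__":
    for names in (("mon_role",), ("ro_admin",), ("admin",)):
        body = token_with(*names)
        print(names, has_required_role(body), allowed_apis(body))
```

Under these assumptions the two checks are independent: a token carrying a role named `ro_admin` passes the name check without gaining any `admin_required` API, while widening a policy rule for another role never makes the name check pass.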