Role-based Access

AppFormix has role-based access for system configuration and data visibility. AppFormix integrates with Keystone for identity. The roles by which a user is a member of projects determine that user's capabilities in AppFormix.

AppFormix has three categories of user permissions. Each category is configured with a set of Keystone roles that are permitted to access the functionality in that category. If a user is a member of a project with a role that matches one of the roles configured for a category, then the user will gain access to the functionality associated with that user category.

Configuration

During installation, users may configure the set of roles for each user category. The following Ansible variables configure the roles. Define these variables in an inventory file for the controller host or in group variables for the appformix_controller group (e.g., in the file group_vars/appformix_controller).

Granting AppFormix permissions to "Read Only" OpenStack Users

It is possible to give users access to AppFormix without granting OpenStack privileges to those users. This is achieved by creating a Keystone Role and Project in OpenStack such that users can interact with OpenStack APIs only in a read-only manner.

As an example, the following steps create "appformix-admin" user that has AppFormix Administrator role and "appformix-infra" user that has Infrastructure View role. Both accounts do not have any quota by which to create resources in OpenStack. Other accounts, roles, and projects may be created in a similar manner.

  1. Create a new Keystone role for users that will have administrator role in AppFormix, e.g. "AppFormixAdmin".

    $ openstack role create AppFormixAdmin
    
  2. Create a new Keystone role for users that will have infrastructure view role in AppFormix, e.g. "AppFormixInfra".

    $ openstack role create AppFormixInfra
    
  3. Create a new project in OpenStack, e.g. "ReadOnly".

    $ openstack project create ReadOnly
    
  4. Set all quotas for the "ReadOnly" project to "0". This is most easily accomplished using Horizon dashboard.

  5. For users that should have administrator privilege in AppFormix, create a user in the "ReadOnly" Project with the "AppFormixAdmin" role.

    $ openstack user create --password-prompt \
        --description "Read-only OpenStack user for AppFormix administrator" \
        appformix-admin
    $ openstack role add --project ReadOnly --user appformix-admin AppFormixAdmin
    

    For users that should have infrastructure view privilege in AppFormix, create a user, and add the user to the "ReadOnly" Project with the "AppFormixInfra" role.

    $ openstack user create --password-prompt \
        --description "Read-only OpenStack user for AppFormix infrastructure view" \
        appformix-infra
    $ openstack role add --project ReadOnly --user appformix-infra AppFormixInfra
    
  6. Configure the mapping from Keystone roles to AppFormix roles.

    Define the appformix_administrator_roles Ansible variable to include the Keystone roles that will have administrator privilege in AppFormix. Note, the admin role is required for AppFormix Platform to access OpenStack.

    Define the appformix_infrastructure_view_roles Ansible variable to include the Keystone roles that will have administrator privilege in AppFormix.

    These variables can be defined in an inventory file for the controller host or in group variables for the appformix_controller group (e.g., in the file group_vars/appformix_controller).

    appformix_administrator_roles:
        - 'admin'
        - 'AppFormixAdmin'
    
    appformix_infrastructure_view_roles:
        - 'AppFormixInfra'