AppFormix provides role-based access control for system configuration and data visibility. AppFormix integrates with Keystone for identity. The Keystone roles that a user holds in projects determine that user's capabilities in AppFormix.
AppFormix has three categories of user permissions. Each category is configured with a set of Keystone roles that are permitted to access the functionality in that category. If a user is a member of a project with a role that matches one of the roles configured for a category, then the user will gain access to the functionality associated with that user category.
AppFormix Administrator: Users in this category may configure system settings in AppFormix, such as data retention policy, host and instance SLA policies, and Chargeback rate cards and departments.
Infrastructure View: Users in this category may view all entities in an environment: hosts, projects, instances, aggregates, and infrastructure services.
Tenant View: Users in this category may view all projects and instances for which the user is a member. A user that is not in the AppFormix Administrator or Infrastructure View categories will by default have access in the Tenant View category (if enabled).
During installation, users may configure the set of roles for each user category. The following Ansible variables configure the roles. Define these variables in an inventory file for the controller host or in group variables for the appformix_controller group (e.g., in the file
appformix_administrator_roles: list of Keystone roles that comprise the AppFormix Administrator user category.
appformix_infrastructure_view_roles: list of Keystone roles that comprise the Infrastructure View user category.
Granting AppFormix permissions to "Read Only" OpenStack Users
It is possible to give users access to AppFormix without granting OpenStack privileges to those users. This is achieved by creating a Keystone Role and Project in OpenStack such that users can interact with OpenStack APIs only in a read-only manner.
As an example, the following steps create an "appformix-admin" user that has the AppFormix Administrator role and an "appformix-infra" user that has the Infrastructure View role. Neither account has any quota with which to create resources in OpenStack. Other accounts, roles, and projects may be created in a similar manner.
Create a new Keystone role for users that will have the administrator role in AppFormix, e.g. "AppFormixAdmin".
$ openstack role create AppFormixAdmin
Create a new Keystone role for users that will have the infrastructure view role in AppFormix, e.g. "AppFormixInfra".
$ openstack role create AppFormixInfra
Create a new project in OpenStack, e.g. "ReadOnly".
$ openstack project create ReadOnly
Set all quotas for the "ReadOnly" project to "0". This is most easily accomplished using the Horizon dashboard.
For users that should have administrator privilege in AppFormix, create a user in the "ReadOnly" Project with the "AppFormixAdmin" role.
$ openstack user create --password-prompt \
    --description "Read-only OpenStack user for AppFormix administrator" \
    appformix-admin
$ openstack role add --project ReadOnly --user appformix-admin AppFormixAdmin
For users that should have infrastructure view privilege in AppFormix, create a user, and add the user to the "ReadOnly" Project with the "AppFormixInfra" role.
$ openstack user create --password-prompt \
    --description "Read-only OpenStack user for AppFormix infrastructure view" \
    appformix-infra
$ openstack role add --project ReadOnly --user appformix-infra AppFormixInfra
Configure the mapping from Keystone roles to AppFormix roles.
Set the appformix_administrator_roles Ansible variable to include the Keystone roles that will have administrator privilege in AppFormix. Note that the admin role is required for AppFormix Platform to access OpenStack.
Set the appformix_infrastructure_view_roles Ansible variable to include the Keystone roles that will have infrastructure view privilege in AppFormix.
These variables can be defined in an inventory file for the controller host or in group variables for the appformix_controller group (e.g., in the file
appformix_administrator_roles:
  - 'admin'
  - 'AppFormixAdmin'
appformix_infrastructure_view_roles:
  - 'AppFormixInfra'
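The role-to-category rule described on this page, modelled as an added example (not AppFormix code and not part of the original page): it resolves each user's categories from Keystone role assignments and lists who gains AppFormix Administrator through a project other than "ReadOnly", which is the effect of keeping admin in appformix_administrator_roles. The assignment tuples, the users other than appformix-admin and appformix-infra, the exact-match role comparison, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Role lists as given in the Ansible variables on this page.
CONFIG = {
    "appformix_administrator_roles": ["admin", "AppFormixAdmin"],
    "appformix_infrastructure_view_roles": ["AppFormixInfra"],
}

# Constructed Keystone role assignments: (user, project, role).
ASSIGNMENTS = [
    ("appformix-admin", "ReadOnly", "AppFormixAdmin"),
    ("appformix-infra", "ReadOnly", "AppFormixInfra"),
    ("cloud-ops", "admin", "admin"),
    ("alice", "web-team", "_member_"),
    ("bob", "web-team", "admin"),
]

def resolve_categories(assignments, config, tenant_view_enabled=True):
    """Return {user: {category: [(project, role), ...]}}.

    Assumption: role names are compared as exact strings.
    """
    admin_roles = set(config["appformix_administrator_roles"])
    infra_roles = set(config["appformix_infrastructure_view_roles"])
    result = defaultdict(lambda: defaultdict(list))
    for user, project, role in assignments:
        result[user]  # register the user even when no role matches
        if role in admin_roles:
            result[user]["AppFormix Administrator"].append((project, role))
        if role in infra_roles:
            result[user]["Infrastructure View"].append((project, role))
    for user, cats in result.items():
        # Users in neither category fall back to Tenant View, if enabled.
        if not cats and tenant_view_enabled:
            projects = sorted({p for u, p, _ in assignments if u == user})
            cats["Tenant View"] = [(p, None) for p in projects]
    return {user: dict(cats) for user, cats in result.items()}

def administrators_outside(assignments, config, expected_project="ReadOnly"):
    """Users who gain AppFormix Administrator via any other project."""
    flagged = {}
    for user, cats in resolve_categories(assignments, config).items():
        grants = [g for g in cats.get("AppFormix Administrator", [])
                  if g[0] != expected_project]
        if grants:
            flagged[user] = grants
    return flagged

if __name__ == "__main__":
    for user, grants in sorted(administrators_outside(ASSIGNMENTS, CONFIG).items()):
        print(user, "->", grants)
```

The flagged list is a review aid: each entry is an account that holds AppFormix Administrator because of an OpenStack role rather than the dedicated read-only role.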