Contrail Insights Role-Based Access
Contrail Insights has role-based access for system configuration and data visibility. Contrail Insights integrates with Keystone for identity: the roles a user holds in projects determine that user's capabilities in Contrail Insights.
Contrail Insights has three categories of user permissions. Each category is configured with a set of Keystone roles that are permitted to access the functionality in that category. If a user is a member of a project with a role that matches one of the roles configured for a category, then the user gains access to the functionality associated with that category.
| Category | Description |
|---|---|
| Contrail Insights Administrator | Users in this category can configure system settings in Contrail Insights. Users can also view and operate all entities in an environment, as described in the Infrastructure View category. |
| Infrastructure View | Users in this category can view and operate all entities in an environment: hosts, projects, instances, aggregates, and infrastructure services. Users can perform actions on these entities, such as configuring alarms and generating reports. |
| Read-Only Infrastructure View | Users in this category can view the same entities as the Infrastructure View category, but they cannot perform any of the actions available to Infrastructure View. For example, a user in this category cannot configure an alarm, and can view a report generated by an Administrator or Infrastructure View user but cannot generate a report. |
| Tenant View | A user who is not in any of the above categories has, by default, access in the Tenant View category (if enabled). Users in this category can view all projects and instances of which the user is a member, and can create alarms and generate reports for the instances that are visible to them. |
Configure Roles
During installation, you can configure the set of Keystone roles for each user category. The following Ansible variables configure the roles. Define these variables in an inventory file for the Platform Host or in group variables for the appformix_controller group (for example, in the file group_vars/appformix_controller).

| Variable | Description |
|---|---|
| appformix_administrator_roles | List of Keystone roles that comprise the Contrail Insights Administrator user category. |
| appformix_infrastructure_view_roles | List of Keystone roles that comprise the Infrastructure View user category. |
| appformix_read_only_infrastructure_view_roles | List of Keystone roles that comprise the Read-Only Infrastructure View user category. |
Granting Contrail Insights Permissions to Read-Only OpenStack Users
It is possible to give users access to Contrail Insights without granting them the ability to create or modify resources in OpenStack. This is achieved by creating a dedicated Keystone role and a project whose quotas are all set to zero, so that users in that project can authenticate and read from the OpenStack APIs but cannot create resources. Quotas only limit resource creation; whatever else a project member may do is still governed by each OpenStack service's policy, so review those policies if stricter restriction is required.
As an example, the following steps create an appformix-admin user that has the Contrail Insights Administrator role and an appformix-infra user that has the Infrastructure View role. Neither account has any quota with which to create resources in OpenStack. Other accounts, roles, and projects can be created in the same way.
To create an appformix-admin user that has a Contrail Insights Administrator role and an appformix-infra user that has Infrastructure View role:
Create a new Keystone role for users that will have an administrator role in Contrail Insights. For example, AppFormixAdmin.
$ openstack role create AppFormixAdmin
Create a new Keystone role for users that will have an infrastructure view role in Contrail Insights. For example, AppFormixInfra.
$ openstack role create AppFormixInfra
Create a new project in OpenStack. For example, ReadOnly.
$ openstack project create ReadOnly
Set all quotas for the ReadOnly project to 0. This is most easily accomplished using the OpenStack Horizon dashboard.
For users that should have administrator privilege in Contrail Insights, create a user in the ReadOnly project with the AppFormixAdmin role.
$ openstack user create --password-prompt \
    --description "Read-only OpenStack user for Contrail Insights administrator" \
    appformix-admin
$ openstack role add --project ReadOnly --user appformix-admin AppFormixAdmin
For users that should have infrastructure view privilege in Contrail Insights, create a user, and add the user to the ReadOnly project with the AppFormixInfra role.
$ openstack user create --password-prompt \
    --description "Read-only OpenStack user for AppFormix infrastructure view" \
    appformix-infra
$ openstack role add --project ReadOnly --user appformix-infra AppFormixInfra
Configure the mapping from Keystone roles to Contrail Insights roles.
Define the appformix_administrator_roles Ansible variable to include the Keystone roles that will have administrator privilege in Contrail Insights. Note: the admin role is required for the Contrail Insights Platform to access OpenStack, so keep it in this list.
Define the appformix_infrastructure_view_roles Ansible variable to include the Keystone roles that will have infrastructure view privilege in Contrail Insights.
These variables can be defined in an inventory file for the Platform Host or in group variables for the appformix_controller group. For example, in the file group_vars/appformix_controller:
appformix_administrator_roles:
  - 'admin'
  - 'AppFormixAdmin'
appformix_infrastructure_view_roles:
  - 'AppFormixInfra'
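The role-to-category rule stated at the top of this page, and the Ansible mapping just shown, as an added Python example. This is not Contrail Insights code; it models the documented rule (a user lands in a category when any role the user holds in any project appears in that category's list, with unmatched users falling back to Tenant View) and adds the pre-install checks a practitioner would want on the group_vars. The precedence Administrator over Infrastructure View over Read-Only when a user matches several categories is an assumption of this example, as are the role name AppFormixReadOnly and all user and project data, which are constructed.

```python
"""Resolve a Keystone user's Contrail Insights category from the Ansible role mapping.

Added illustration, not Contrail Insights code. Assumptions: category precedence
(Administrator > Infrastructure View > Read-Only Infrastructure View); the role
AppFormixReadOnly; and all user/project data below, which are constructed.
"""
from __future__ import annotations

ADMIN = "Contrail Insights Administrator"
INFRA = "Infrastructure View"
READ_ONLY = "Read-Only Infrastructure View"
TENANT = "Tenant View"

# Category -> Ansible variable holding its Keystone roles, in (assumed) precedence order.
CATEGORY_VARS = [
    (ADMIN, "appformix_administrator_roles"),
    (INFRA, "appformix_infrastructure_view_roles"),
    (READ_ONLY, "appformix_read_only_infrastructure_view_roles"),
]

# Constructed equivalent of group_vars/appformix_controller as a dict, so no YAML
# parser is needed. AppFormixReadOnly is a hypothetical extra role.
GROUP_VARS = {
    "appformix_administrator_roles": ["admin", "AppFormixAdmin"],
    "appformix_infrastructure_view_roles": ["AppFormixInfra"],
    "appformix_read_only_infrastructure_view_roles": ["AppFormixReadOnly"],
}

# Constructed role assignments, i.e. `openstack role assignment list --user <name>`
# reduced to {project: {role, ...}} for each user.
ASSIGNMENTS = {
    "appformix-admin": {"ReadOnly": {"AppFormixAdmin"}},
    "appformix-infra": {"ReadOnly": {"AppFormixInfra"}},
    "alice": {"demo": {"member"}, "qa": {"member", "AppFormixReadOnly"}},
    "bob": {"demo": {"member"}},
}


def resolve_category(assignments: dict[str, set[str]], group_vars: dict[str, list[str]],
                     tenant_view_enabled: bool = True) -> str | None:
    """Return the user's category, or None if nothing matches and Tenant View is disabled."""
    held = set().union(*assignments.values())  # roles across all of the user's projects
    for category, var in CATEGORY_VARS:
        if held & set(group_vars.get(var, [])):
            return category
    return TENANT if tenant_view_enabled else None


def permitted_actions(category: str | None) -> set[str]:
    """Actions the page attributes to each category, on the entities visible to it."""
    if category in (ADMIN, INFRA, TENANT):
        return {"view_report", "generate_report", "configure_alarm"}
    if category == READ_ONLY:
        return {"view_report"}
    return set()


def visible_projects(assignments: dict[str, set[str]], category: str | None,
                     all_projects: set[str]) -> set[str]:
    """Infrastructure categories see every project; Tenant View only the user's own."""
    if category in (ADMIN, INFRA, READ_ONLY):
        return set(all_projects)
    if category == TENANT:
        return set(assignments)
    return set()


def check_group_vars(group_vars: dict[str, list[str]]) -> list[str]:
    """Sanity checks on the mapping before running the installer."""
    problems = []
    # The page's note: the admin role is required for the Platform to access OpenStack,
    # and its example keeps 'admin' in the administrator list.
    if "admin" not in group_vars.get("appformix_administrator_roles", []):
        problems.append("appformix_administrator_roles must include 'admin'")
    # A role listed under two categories makes the outcome depend on precedence.
    seen: dict[str, str] = {}
    for category, var in CATEGORY_VARS:
        for role in group_vars.get(var, []):
            if role in seen:
                problems.append(f"role {role!r} listed for both {seen[role]} and {category}")
            else:
                seen[role] = category
    return problems


if __name__ == "__main__":
    print(check_group_vars(GROUP_VARS) or "mapping OK")
    projects = {"demo", "qa", "ReadOnly"}
    for user, assignment in ASSIGNMENTS.items():
        cat = resolve_category(assignment, GROUP_VARS)
        print(f"{user:16} {cat:32} sees {sorted(visible_projects(assignment, cat, projects))}")
```

Running it shows appformix-admin and appformix-infra resolving to their categories from the ReadOnly project alone, alice picking up Read-Only Infrastructure View through a role in one of her projects, and bob falling back to Tenant View with only his own project visible. The duplicate-role check matters because the same Keystone role in two category lists silently grants whichever category the product evaluates first.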