Role-Based Access Control
by Blue Box Support, March 11th, 2016

Tags: keystone, users, roles, failover, RBAC, cloud_admin, migration, live migration, cold migration, affinity
Role-Based Access Control (RBAC) and access to OpenStack services
Currently, these roles are defined:
• admin: allows full access across all projects. (Reserved for the IBM Bluemix operations team.)
• cloud_admin: allows cloud-level access control. This role lets you perform API execution tasks irrespective of your project.
• project_admin: allows project-level access control.
• _member_: allows the user to use the resources (such as instances and volumes) that are allocated to the project.
• heat_stack_owner: lets you deploy a Heat stack (always used together with other roles).
None of these roles provides the level of granularity required to restrict access only to a particular OpenStack service.
However, if you want to automate updates to Neutron port bindings as part of a load balancer failover solution, this can be done by creating an identity with the _member_ role in the desired tenant. Looking at /etc/neutron/policy.json, a port can be updated by any member of the tenant that owns it (as defined by the "is_owner" rule):
If you would like to see more granular roles in a future release, we can open a feature request to our product team.
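To make the policy reasoning above concrete, here is an added example (not code from the original article or from IBM): a minimal evaluator for oslo.policy-style rules, run over a constructed policy fragment whose rule names mirror the Neutron "is_owner" / "admin_or_owner" pattern; the "live_migrate" rule name and the exact rule bodies are assumptions for illustration, not a copy of the real policy.json.

```python
import re

# Constructed policy fragment modelled on oslo.policy syntax; the rule names
# mirror /etc/neutron/policy.json but the contents are assumptions for this example.
SAMPLE_POLICY = {
    "context_is_admin": "role:admin",
    "is_owner": "tenant_id:%(tenant_id)s",          # caller's tenant owns the target
    "admin_or_owner": "rule:context_is_admin or rule:is_owner",
    "update_port": "rule:admin_or_owner",           # any tenant member may update a port
    "live_migrate": "rule:context_is_admin",        # hypothetical name; admin-only
}


def _check_atom(atom, creds, target, policy):
    """Evaluate one 'kind:value' check against the caller credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":                       # reference to another named rule
        return evaluate(value, creds, target, policy)
    if kind == "role":                       # caller holds the named role
        return value in creds.get("roles", [])
    match = re.fullmatch(r"%\((\w+)\)s", value)
    if match:                                # compare a credential to a target attribute
        return creds.get(kind) == target.get(match.group(1))
    return creds.get(kind) == value          # literal comparison


def evaluate(rule, creds, target, policy=SAMPLE_POLICY):
    """Evaluate a named rule or an inline expression. Supports 'and' (binds
    tighter) and 'or'; '@' always permits, '!' always denies; unknown names deny."""
    expr = policy.get(rule)
    if expr is None:
        if ":" not in rule:
            return False                     # unknown rule name: deny
        expr = rule                          # inline atom such as 'role:admin'
    if expr == "@":
        return True
    if expr == "!":
        return False
    return any(
        all(_check_atom(atom.strip(), creds, target, policy) for atom in conj.split(" and "))
        for conj in expr.split(" or ")
    )


if __name__ == "__main__":
    member_t1 = {"roles": ["_member_"], "tenant_id": "t1"}   # constructed caller
    port_t1 = {"tenant_id": "t1"}                             # constructed target port
    print("member of t1 can update its own port:", evaluate("update_port", member_t1, port_t1))
    print("member of t1 can live migrate:", evaluate("live_migrate", member_t1, port_t1))
```

A _member_ of the owning tenant passes "update_port" through the is_owner branch, a member of another tenant does not, and a cloud_admin still fails the admin-only rule, matching the Horizon behaviour described below.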
Known Problem with Horizon Can Create Confusion for Cloud Admins
A Cloud Admin may see a “Live Migration” option when looking at instances in the Admin panel of Horizon. However, the Live Migration functionality is policy restricted to the “admin” role, which IBM Bluemix retains and does not provide to customers. Horizon will present an error if a non-admin attempts to live migrate an instance.
This is a small UI/UX problem in Horizon: it offers actions that policy will prevent.
Neither live nor cold migration is supported for customer use, in part because of unreliability. These features may become more reliable in a future OpenStack release, in which case they will be re-evaluated.
The alternative, which works well, is to snapshot and re-provision the instances using anti-affinity groups. See /help-documentation/nova/deploy-to-specific-hypervisor/ for more information on doing this.