2

I am aware of how the permission system works in AWS: By giving an EC2 instance a specific IAM role, it is possible to give all programs running on that specific EC2 instance some set of permissions for accessing other AWS services (e.g. permission to delete an EBS volume).

Is there something similar for Openstack? If you would like a program that is running on an Openstack server to be able to programmatically make changes through the Openstack API:s, how do you solve that?

The scenario I am thinking of is this: You create a new Rackspace OnMetal cloud server together with an extra Rackspace Cloud Block Storage volume, and copy a big input data file to it with scp. You log in to the server with ssh and start a long running compute job. It would be great if the compute job by itself would be able to copy the result files to Rackspace Cloud Files and then unmount and delete the Rackspace Cloud Block Storage volume that was used as temporary storage during the computation.

Erik Sjölund
  • 10,690
  • 7
  • 46
  • 74

1 Answers1

2

Rackspace's Role Based Access Control (RBAC) system is similar to AWS IAM roles. It lets you create users that restricted to specific APIs and capabilities. For example, a readonly cloud files user, or a cloud block storage administrator.

You could create a new user that only has access to the areas required for this compute job, e.g. cloud block storage and cloud files. Then your job would use that user's apikey to request a token and call the cloud block storage and cloud files api.

You did not mention a specific language but I recommend using an SDK, as it will handle the API specifics and quirks and get you up and running more quickly.

Carolyn Van Slyck
  • 594
  • 2
  • 11
  • I see, so a "user" is not necessarily bound to a physical person. That opens up new technical solutions. – Erik Sjölund Jan 14 '16 at 14:51
  • And if you're working from the command line, you'll want to use the [rack](https://developer.rackspace.com/docs/rack-cli/) CLI. There's a [guide for Cloud Files](https://developer.rackspace.com/docs/rack-cli/services/files/). – Everett Toews Jan 15 '16 at 03:30
  • In the Rackspace web interface, I chose "User management" and then "Create user". Under "Contact Information" I now need to specify "Contact type", "First Name", "Last Name" and "Email Address". Is there any convention for which values to provide if the user account is not a real person? – Erik Sjölund Jan 15 '16 at 12:55
  • Thinking a bit more. I guess I'll just provide my own contact details there, although I'm creating a non-person user account. – Erik Sjölund Jan 15 '16 at 13:28
  • Yes, I just put in my own contact details when making additional users. – Carolyn Van Slyck Jan 15 '16 at 16:52