I've just configured foreman-compute so that I can integrate our Openstack
environment into puppet/foreman. This part was easy enough. I am using my
(admin) account for the compute resource, so I can see all the tenants. The
problem is, when I grant users in foreman specific privileges to create new
hosts they also see all the tenants, not just the ones that they have
access to in Openstack. Is there a way to have user credentials passed from
Foreman directly to Openstack via the foreman-compute plugin so that users
ONLY see the tenants they are assigned to in Openstack? In both cases they
are using their AD/LDAP credentials so I assume this should be
straightforward but I can't find any information on this anywhere.
You should take a look at http://theforeman.org/manuals/1.5/index.html#4.1.2RolesandPermissions
Compute Resources are globally shared, but it's possible to configure
permissions for your users so that each of your users has one Compute
Resource with their credentials. That should restrict them, as they won't
see other tenants if they are connecting to Openstack with credentials
valid for the tenants they are assigned to.
On Tue, Aug 12, 2014 at 2:13 AM, Julian Barnett wrote:
I’ve just configured foreman-compute so that I can integrate our Openstack
environment into puppet/foreman. This part was easy enough. I am using my
(admin) account for the compute resource, so I can see all the tenants. The
problem is, when I grant users in foreman specific privileges to create new
hosts they also see all the tenants, not just the ones that they have
access to in Openstack. Is there a way to have user credentials passed from
Foreman directly to Openstack via the foreman-compute plugin so that users
ONLY see the tenants they are assigned to in Openstack? In both cases they
are using their AD/LDAP credentials so I assume this should be
straightforward but I can’t find any information on this anywhere.
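
The per-user layout the reply describes, as an added example (not part of the original thread and not Foreman's own code): for each user it builds a compute resource that uses that user's OpenStack credentials and a role filter scoped to that one resource, then checks the plan for the shared-admin setup from the question. The request-body field names follow the Foreman API v2 as an assumption; the logins, tenants, URL, passwords, role names and the `permissions` key are constructed placeholders.

```python
# Constructed sample data: Foreman login -> OpenStack tenant and credentials.
KEYSTONE_URL = "https://keystone.example.test:5000/v2.0/tokens"  # placeholder
USERS = {
    "alice": {"tenant": "web-team", "password": "ALICE_PASSWORD_PLACEHOLDER"},
    "bob": {"tenant": "db-team", "password": "BOB_PASSWORD_PLACEHOLDER"},
}

def plan_for(login, info):
    """Payloads for one user: own compute resource plus a filter limited to it."""
    cr_name = f"openstack-{login}"
    return {
        # Assumed body for POST /api/compute_resources
        "compute_resource": {
            "name": cr_name, "provider": "Openstack", "url": KEYSTONE_URL,
            "user": login, "password": info["password"],
            "tenant": info["tenant"],
        },
        # Assumed body for POST /api/roles (role name is hypothetical)
        "role": {"name": f"cr-{login}"},
        # Assumed body for POST /api/filters. "permissions" is a hypothetical
        # helper key: the names must be resolved to permission_ids, and
        # role_id filled in, before the request is sent.
        "filter": {
            "search": f'name = "{cr_name}"',
            "permissions": ["view_compute_resources",
                            "create_compute_resources_vms"],
        },
        "assign_role_to": login,
    }

def build_plans(users):
    return [plan_for(login, info) for login, info in sorted(users.items())]

def audit(plans, admin_login="admin"):
    """List settings that would again expose every tenant to a user."""
    problems = []
    for p in plans:
        cr, flt, who = p["compute_resource"], p["filter"], p["assign_role_to"]
        if cr["user"] == admin_login:
            problems.append(f"{cr['name']}: uses the admin OpenStack account")
        elif cr["user"] != who:
            problems.append(f"{cr['name']}: credentials are not {who}'s own")
        if not flt["search"].strip():
            problems.append(f"{cr['name']}: filter is not scoped to a resource")
    return problems

if __name__ == "__main__":
    print(audit(build_plans(USERS)) or "plan is scoped per user")
```

Each compute resource stores the user's OpenStack password in Foreman, so a password change in AD/LDAP has to be repeated on that user's compute resource.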