Assigning Minimum OpenStack Non-Admin User Permissions for Commvault

You can create a new CVLT role on the OpenStack project and grant that role the minimum OpenStack user permissions in the policy files.

Procedure

  1. Create a new CVLT role.

  2. Using the CVLT role, associate an OpenStack user with the OpenStack project that contains the proxy and the VMs to back up.

  3. Provide the following permissions in the respective service's policy files:

    For example, you can add the following permission to the nova/policy.yaml file:

    "os_compute_api:servers:create_image": "rule:system_admin_or_owner or role:CVLT"
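One way to check a policy file against the permission list on this page, so that role:CVLT is granted on every documented rule and on nothing else. This is an added example, not Commvault or OpenStack code; `audit_policy`, the shortened `REQUIRED` set and the sample file contents are assumptions constructed for illustration.

```python
import re

# Subset of the NOVA permissions listed on this page (shortened for the example).
REQUIRED = {
    "os_compute_api:servers:show",
    "os_compute_api:servers:create_image",
    "os_compute_api:servers:start",
}

# Constructed nova/policy.yaml fragment; the rule expressions are sample values.
SAMPLE_POLICY = '''\
# overrides for the backup role
"os_compute_api:servers:show": "rule:system_admin_or_owner or role:CVLT"
"os_compute_api:servers:create_image": "rule:system_admin_or_owner or role:CVLT"
"os_compute_api:servers:start": "rule:system_admin_or_owner"
"os_compute_api:servers:delete": "rule:system_admin_or_owner or role:CVLT"
os_compute_api:servers:detail": "rule:system_admin_or_owner or role:CVLT
'''

# One flat, double-quoted "target": "rule" pair per line, as in the page's example.
LINE = re.compile(r'^"([^"]+)"\s*:\s*"([^"]*)"$')

def audit_policy(text, required, role="CVLT"):
    """Return (missing, extra, malformed) for one policy file's text.

    This is a textual check for 'role:<role>' in each rule; it does not
    evaluate oslo.policy expressions or resolve rule aliases.
    """
    grants = re.compile(r"\brole:" + re.escape(role) + r"(?![\w-])")
    granted, malformed = set(), []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE.match(line)
        if match is None:
            malformed.append(number)  # e.g. a lost quote; fix before deploying
        elif grants.search(match.group(2)):
            granted.add(match.group(1))
    return sorted(required - granted), sorted(granted - required), malformed

if __name__ == "__main__":
    missing, extra, malformed = audit_policy(SAMPLE_POLICY, REQUIRED)
    print("documented but not granted to CVLT:", missing)
    print("granted to CVLT but not documented:", extra)
    print("unparseable lines:", malformed)
```

Rules reported as granted but not documented are the ones to review first, since they widen the role beyond the minimum set.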

Note

A key pair belongs to an individual user, not to a project. If you want to share a key pair across multiple users, then you must import the key pair you are using. If your role is CVLT and you want to restore a VM that was created using a key pair that belongs to another user, then that key pair will not be listed in the restore options from the OpenStack client created for this user. You must either import the key pair or use another key pair you own to restore the VM.

OpenStack Permissions

```
## NOVA
"os_compute_api:os-availability-zone:list"
"os_compute_api:os-flavor-extra-specs:index"
"os_compute_api:os-quota-sets:show"
"os_compute_api:servers:detail"
"os_compute_api:servers:detail:get_all_tenants"
"os_compute_api:servers:allow_all_filters"
"os_compute_api:servers:show"
"os_compute_api:servers:create"
"os_compute_api:servers:create:attach_volume"
"os_compute_api:servers:create:attach_network"
"os_compute_api:servers:create_image"
"os_compute_api:servers:create_image:allow_volume_backed"
"os_compute_api:servers:start"
"os_compute_api:os-volumes-attachments:index"
"os_compute_api:os-volumes-attachments:create"
"os_compute_api:os-volumes-attachments:show"
"os_compute_api:os-volumes-attachments:delete"
## CINDER
"volume:attachment_create"
"volume:attachment_update"
"volume:attachment_delete"
"volume:attachment_complete"
"volume:get_all_snapshots"
"volume:create_snapshot"
"volume:get_snapshot"
"volume:delete_snapshot"
"volume_extension:quotas:show"
"limits_extension:used_limits"
"volume_extension:type_get_all"
"volume_extension:volume_actions:upload_image"
"volume_extension:volume_actions:initialize_connection"
"volume_extension:volume_actions:terminate_connection"
"volume_extension:volume_actions:begin_detaching"
"volume_extension:volume_actions:attach"
"volume_extension:volume_actions:detach"
"volume:get_all_transfers"
"volume:get_volume_metadata"
"volume:create_volume_metadata"
"volume:update_volume_metadata"
"volume_extension:volume_image_metadata"
"volume:update_volume_admin_metadata"
"volume:create"
"volume:create_from_image"
"volume:get"
"volume:get_all"
"volume:update"
"volume:delete"
"volume:multiattach"
## Glance
"add_image"
"delete_image"
"get_image"
"get_images"
"modify_image"
"publicize_image"
"communitize_image"
"download_image"
"upload_image"
"delete_image_location"
"get_image_location"
"set_image_location"
## Neutron
"get_flavor"
"get_network"
"create_port"
"create_port:fixed_ips"
"create_port:fixed_ips:subnet_id"
"get_port"
"delete_port"
"get_security_group"
"get_subnet"
```