member can access to all services as well:
If a User Has the member Role — What Can They Access?
🔑 Access is determined by two things:
-
✅ What role the user has (e.g.,
member,reader,admin) -
✅ In which project the role is granted
So, if a user has the member role in a project — like:
That user:
-
✅ Can access any service as long as the service respects the
memberrole -
❌ Does not need a separate user per service
member Role
The member role is intended for regular project users — like developers, operators, or end users who need to work with cloud resources.
✅ What member Can Do:
-
Launch/manage instances (Nova)
-
Create/delete volumes (Cinder)
-
Upload/download images (Glance)
-
Create/manage networks and ports (Neutron)
-
Access most features within the scope of their project
❌ What member Cannot Do:
-
View or modify other projects
-
Create new users, roles, or trusts
-
Access system-level or admin-only API endpoints
-
Manage service-level configuration or quota overrides
-
See resources owned by other projects
🔹 admin Role
The admin role gives elevated privileges within a project and (depending on policy config) can also allow system-level administration.
✅ What admin Can Do:
Everything member can do plus:
-
View/manage all resources in the project (regardless of owner)
-
Update quotas for the project
-
Access admin-only API extensions
-
Configure trusted images or flavors
-
Sometimes access cross-project or global data (depending on policy)
🔥 Optionally: System Scope
In newer OpenStack RBAC (if enabled), you can assign system-scoped admin role:
This gives the user full platform-level administrative privileges, across all projects.
No comments:
Post a Comment