If you have been given admin privileges on either a Domain or a Project in Horizon, then this page is for you!
The OLRC uses a role-based access control model using Keystone V3 for providing authorization to domains and projects.
There are three roles:
- admin: An administrator that can perform administrative operations such as creating projects and users. Inherits the member role.
- member: A user with the member role will have read/write access to the containers within the project they are scoped to. Inherits the reader role.
- reader: Same as member, but with read-only privileges.
Domain Administrators
A domain administrator has the permission to:
- Create other domain administrators.
- Create projects, groups and users.
- Delete projects, groups and users.
- Assign or revoke a role for a user or group on any project.
When using Horizon, you must be using a project on which you also have the admin role. Change your project using the drop-down in the top left.
Project Administrators
A project administrator can:
- Assign or revoke roles to/from users on projects they are an administrator of.
Create a project
- Select Identity → Projects in the left side menu bar.
- Click “Create Project” in top-right.
- Give your project a name and, optionally (but recommended), a description.
- You can optionally add users or groups to this project by selecting either “Project Members” or “Project Groups” respectively. See below for information on creating users and groups.
Once your project(s) have been created, you will want to extend access to staff members at your institution. If more than one staff member is going to access a particular project, or the same staff members are to access multiple projects, you may consider creating a group first, which allows you to more easily manage multiple users assigned to a project and assign groups to multiple projects. However, you can also create individual users and add them directly to projects.
Create a user
- Select Identity → Users in the left side menu bar.
- Click “Create User” in top-right.
- Fill in the fields, including the required username and a temporary password.
You must also choose a Primary Project for this user. The Primary Project is recommended because logging into Horizon will fail if a user is not assigned access to at least one project. However, if you intend to add a user to a project later on, or add a user to a group in the next step (see “Groups” below), then adding a Primary Project is not required.
- Select a role (as described at the top of this page), which will determine the user’s level of access to the project.
- Send the new user their username and password, and ask them to change their password on first login.
Changing a password
Changing a password can be completed as follows:
- After logging in, click on your username on the top right corner and then “Settings.”
- Select “Change Password” in the left side menu.
- Change your password in the window by entering your current password and new password twice.
Groups
Groups are collections of users. They simplify user management, because you can assign a group to one or many projects. Then you simply have to add users to the group to give them that set of permissions.
There are three steps involved:
- Create a group
- Add users to a group
- Assign a group and role to one or more projects
Create a group
- Select Identity → Groups in the left side menu.
- Click “Create Group” in top-right.
- Groups need only a name and description. We assign roles and add users later.
Add users to a group
- Select Identity → Groups in the left side menu.
- Find the group in the group listing and click “Manage Members”.
- Click “Add Users”.
- Use the checkboxes to select the users you want to add.
- Click the “Add Users” button at the top right of the window. The page will refresh and list the usernames of the accounts added to the group.
Assign a group and role to a project
- Select Identity → Projects in the left side menu.
- Find the project in the project listing that you wish to add a group to and select “Manage Members”.
- In the window that pops up, click on the “Project Groups” tab.
- Click the blue plus sign (+) next to the group(s) you want to add and choose the appropriate role on the right side menu (reader, admin or member as described above).
- Click “Save” to add the group to the project.
Limit public access by IP
An experimental feature is available to limit public access to a container or project by IP range. This will apply to containers which have public access enabled, and does not impact access through the standard Swift/Horizon methods.
IP restrictions can be set using the Swift CLI. You will need to ensure you have set up your Swift CLI environment before using this command.
To set IP restrictions, use the following command, replacing the IP range(s) and container name with your own:
swift post --meta "ip-allowlist: 10.10.10.0/24,20.20.0.0/16" <yourcontainer>
To remove the IP restrictions, use this command:
swift post --meta "ip-allowlist:" <yourcontainer>
The container is optional. If you send the command without a container, the IP restriction will apply to all public containers in the project.
It is possible to combine project-level and container-level restrictions for more complex access control. For example:
swift post --meta "ip-allowlist: iprangeA,iprangeB,iprangeC"
swift post --meta "ip-allowlist: iprangeA" container1
swift post --meta "ip-allowlist: iprangeB,iprangeC" container2
With the above commands, access to container1 is limited to IP range A only, container2 to IP ranges B and C, and all other public containers in the project to ranges A, B and C.
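The following added example (not OLRC code) models the precedence described above so you can check, before publishing a container, which client addresses the combined project-level and container-level ip-allowlist values would admit. It assumes, as the page's example implies, that a container's own allowlist takes precedence over the project-level one and that an empty value (set with "ip-allowlist:") means the container has no restriction of its own; the metadata values and container names are constructed.

```python
import ipaddress

# Constructed sample metadata, as an administrator would have set it with
# "swift post --meta 'ip-allowlist: ...'" at project and container level.
PROJECT_ALLOWLIST = "10.10.10.0/24,20.20.0.0/16,172.16.0.0/12"  # ranges A, B, C
CONTAINER_ALLOWLISTS = {
    "container1": "10.10.10.0/24",                 # range A only
    "container2": "20.20.0.0/16,172.16.0.0/12",    # ranges B and C
    "container3": "",                              # cleared with "ip-allowlist:"
}


def parse_allowlist(value):
    """Split a comma-separated ip-allowlist value into network objects.

    Returns None when the value is empty, meaning 'no restriction set here'.
    Malformed entries raise ValueError so a typo is caught before publishing.
    """
    value = (value or "").strip()
    if not value:
        return None
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in value.split(",") if part.strip()]


def effective_allowlist(container, project_meta, container_meta):
    """Assumed precedence: a container-level allowlist overrides the project-level
    one; a container with no (or an empty) allowlist falls back to the project's."""
    nets = parse_allowlist(container_meta.get(container))
    if nets is None:
        nets = parse_allowlist(project_meta)
    return nets


def is_public_request_allowed(client_ip, container,
                              project_meta=PROJECT_ALLOWLIST,
                              container_meta=CONTAINER_ALLOWLISTS):
    """True if a public (anonymous) request from client_ip would reach container."""
    nets = effective_allowlist(container, project_meta, container_meta)
    if nets is None:
        return True  # no allowlist at either level: public access unrestricted
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    for ip, name in [("10.10.10.5", "container1"), ("20.20.1.1", "container1"),
                     ("172.16.5.5", "container2"), ("192.168.1.1", "container3")]:
        print(f"{ip:>12} -> {name}: {'allowed' if is_public_request_allowed(ip, name) else 'denied'}")
```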