This is an automated email from the ASF dual-hosted git repository. rohit pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/cloudstack-docs-admin.git
The following commit(s) were added to refs/heads/master by this push: new 079eac0 accounts: update docs on dynamic roles 079eac0 is described below commit 079eac046ac9f912ca916c114f7e3a26843eb69b Author: Rohit Yadav <ro...@apache.org> AuthorDate: Wed Jan 24 12:36:34 2018 +0100 accounts: update docs on dynamic roles Signed-off-by: Rohit Yadav <ro...@apache.org> --- source/accounts.rst | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/source/accounts.rst b/source/accounts.rst index 50725bc..4f41647 100644 --- a/source/accounts.rst +++ b/source/accounts.rst @@ -132,11 +132,15 @@ out of the system, all root admin accounts are allowed all APIs. The dynamic-roles feature is enabled by default only for all new CloudStack installations since version `4.9.x <https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack>`_. -After an upgrade, existing deployments can be migrated to use this feature by -running a migration tool by the CloudStack admin. The migration tool is located -at ``/usr/share/cloudstack-common/scripts/util/migrate-dynamicroles.py``. +In 4.11.x and above, existing deployment without any commands.properties file +will be automatically migrated to dynamic roles. Admins may also enable dynamic +roles by setting the global setting 'dynamic.apichecker.enabled' to true. -During migration, this tool enables an internal flag in the database, +After an upgrade, admins can also use this migration tool to migrate old rules +from commands.properties file(s): +``/usr/share/cloudstack-common/scripts/util/migrate-dynamicroles.py``. + +During migration, this tool enables the global setting in the database and copies existing static role-based rules from provided commands.properties file (typically at ``/etc/cloudstack/management/commands.properties``) to the database and renames the commands.properties file (typically to @@ -159,17 +163,21 @@ Options: Host or IP of the MySQL server, default: 3306 -f FILE The commands.properties file, default: /etc/cloudstack/management/commands.properties +-D + Use the default role-rule permissions, and only enable dynamic roles -d Dry run and debug operations this tool will perform -Example: +Examples: sudo python /usr/share/cloudstack-common/scripts/util/migrate-dynamicroles.py -u cloud -p cloud -h localhost -p 3006 -f /etc/cloudstack/management/commands.properties +sudo python /usr/share/cloudstack-common/scripts/util/migrate-dynamicroles.py -u cloud -p cloud -h localhost -p 3006 -D + If you've multiple management servers, remove or rename the commands.properties -file on all management servers typically in /etc/cloudstack/management path, -after running the migration tool for the first management server +file on the management servers typically in /etc/cloudstack/management path, +after running the migration tool for the first management server. Dedicating Resources to Accounts and Domains -- To stop receiving notification emails like this one, please contact ro...@apache.org.