<div dir="ltr">There have been informal discussions at various times around how differently privileged users might use Ironic for different things. It would be great if our API supported policy settings that corresponded to, let's say, a junior support engineer's read-only access, or a DC technician's need to perform maintenance on a server without granting them admin access to the whole cloud. Things like that... but nothing formal has been written yet.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 11, 2015 at 1:01 PM, Dolph Mathews <span dir="ltr"><<a href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Fri, Sep 11, 2015 at 2:55 PM, Yee, Guang <span dir="ltr"><<a href="mailto:guang.yee@hpe.com" target="_blank">guang.yee@hpe.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Can you please elaborate on "granularity of policy support within Ironic."? Is there a blueprint/etherpad we can take a look?<br></blockquote><div><br></div></span><div>See the lack of granularity expressed by Ironic's current policy file:</div><div><br></div><div>  <a href="https://github.com/openstack/ironic/blob/5671e7c2df455f97ef996c47c9c4f461a82e1c38/etc/ironic/policy.json" target="_blank">https://github.com/openstack/ironic/blob/5671e7c2df455f97ef996c47c9c4f461a82e1c38/etc/ironic/policy.json</a></div><div><div class="h5"><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
<br>
Guang<br>
<div><div><br>
<br>
-----Original Message-----<br>
From: Devananda van der Veen [mailto:<a href="mailto:devananda.vdv@gmail.com" target="_blank">devananda.vdv@gmail.com</a>]<br>
Sent: Friday, September 11, 2015 10:25 AM<br>
To: OpenStack Development Mailing List (not for usage questions)<br>
Subject: Re: [openstack-dev] [devstack][keystone][ironic] Use only Keystone v3 API in DevStack<br>
<br>
We (the Ironic team) have talked a couple times about keystone /v3 support and about improving the granularity of policy support within Ironic. No one stepped up to work on these specifically, and they weren't prioritized during Liberty ... but I think everyone agreed that we should get on with the keystone v3 relatively soon.<br>
<br>
If Ironic is the only integrated project that doesn't support v3 yet, then yea, we should get on that as soon as M opens.<br>
<br>
-Devananda<br>
<br>
On Fri, Sep 11, 2015 at 9:45 AM, Davanum Srinivas <<a href="mailto:davanum@gmail.com" target="_blank">davanum@gmail.com</a>> wrote:<br>
> Hi,<br>
><br>
> Short story/question:<br>
> Is keystone /v3 support important to the ironic team? For Mitaka I guess?<br>
><br>
> Long story:<br>
> The previous discussion - guidance from keystone team on magnum<br>
> (<a href="http://markmail.org/message/jchf2vj752jdzfet" rel="noreferrer" target="_blank">http://markmail.org/message/jchf2vj752jdzfet</a>) motivated me to dig<br>
> into the experimental job we have in devstack for full keystone v3 api<br>
> and ended up with this review.<br>
><br>
> <a href="https://review.openstack.org/#/c/221300/" rel="noreferrer" target="_blank">https://review.openstack.org/#/c/221300/</a><br>
><br>
> So essentially that rips out v2 keystone pipeline *except* for ironic jobs.<br>
> as ironic has some hard-coded dependencies to keystone /v2 api. I've<br>
> logged a bug here:<br>
> <a href="https://bugs.launchpad.net/ironic/+bug/1494776" rel="noreferrer" target="_blank">https://bugs.launchpad.net/ironic/+bug/1494776</a><br>
><br>
> Note that review above depends on Jamie's tempest patch which had some<br>
> hard coded /v2 dependency as well<br>
> (<a href="https://review.openstack.org/#/c/214987/" rel="noreferrer" target="_blank">https://review.openstack.org/#/c/214987/</a>)<br>
><br>
> follow up question:<br>
> Does anyone know of anything else that does not work with /v3?<br>
><br>
> Thanks,<br>
> Dims<br>
><br>
> --<br>
> Davanum Srinivas :: <a href="https://twitter.com/dims" rel="noreferrer" target="_blank">https://twitter.com/dims</a><br>
><br>
> ______________________________________________________________________<br>
</div></div>> ____ OpenStack Development Mailing List (not for usage questions)<br>
<div><div>> Unsubscribe:<br>
> <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
<br>
</div></div></blockquote></div></div></div><br></div></div>
<br></blockquote></div><br></div>