Open Stack

On 3/20/19 11:13 AM, Ben Nemec wrote:
>
>
> On 3/20/19 10:21 AM, Mohammed Naser wrote:
>> On Wed, Mar 20, 2019 at 10:40 AM Matt Riedemann <mriedemos at gmail.com>
>> wrote:
>>>
>>> On 3/18/2019 4:40 PM, melanie witt wrote:
>>>> I wanted to run the idea by operators and users to get feedback.
>>>
>>> Let me be frank and ask if we (nova) have specific operators and users
>>> that are clamoring for these changes and if so, do they plan on not
>>> only
>>> attending the session but engaging in the development of these pretty
>>> massive shifts in how nova works? I know we've been talking about this
>>> stuff for a long time, but the demand just doesn't feel like it's there
>>> from the operators community, and as a development team we're already
>>> spread thin.
>>
>> I think implementing the new RBAC stuff is pretty important.  We've had
>> countless requests on things like a "read-only" user which is not
>> currently
>> achievable without quite a significant overhaul of the existing
>> policies.

I can only speak for keystone, but we're about half way there. We have
support for default roles (including `reader`) across many parts of the
API and we've fixed scope types in a few places, too. There is still
more work to do, but we always figured we would be one of the service to
take the plunge on this front. I think that's a good thing though and we
can share what speed bumps we've hit, if other services find that useful
(this sounds like a PTG topic).

>
> Yep, we have multiple customers who have asked for this and up until
> now the only way we've been able to do it is to rewrite most of the
> policy rules for every service. That's extremely error-prone and
> difficult to maintain.

++

>
> Also, doesn't this work address the longstanding complaint about there
> being no way to scope an admin account to a single project?

Correct, it gets us closer to solving that problem.

>
> I know at one point we had someone who was doing work upstream to
> improve this, but I think that kind of tailed off. It seems like there
> is a compelling business case for us to have someone work on this, but
> the business and I have disagreed on the definition of "compelling"
> before, so I make no promises. :-)

I suppose we have a couple of options. We can keep both sessions and
make one to go through the migration (for all service). The other could
go into how operators adopt what's been done upstream for `reader`
roles. Colleen suggested something similar in the keystone meeting this
week.

>
>
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190320/e3fe983a/attachment.sig>