[all][operator][policy] Operator feedback on "Consistent and Secure RBAC" (new design for RBAC)

Julia Kreger juliaashleykreger at gmail.com
Thu Jun 9 15:00:57 UTC 2022


On Thu, Jun 9, 2022 at 6:30 AM Dan Smith <dms at danplanet.com> wrote:
>
> > So, one thought. Ironic views system scope as *critical* for our usage
> > based upon the consensus we built before the direction change, because
> > the system fundamentally is the owner/manager of $things. We can and
> > likely should extend that out to project admin (granted, I suspect at
> > least one ironic admin will reply with a strong -1 to such a change...
> > :\. ) given the direction change. We also have had some operators jump
> > on it, but... again, entirely different models of usage/interaction
> > given the base state. If system scope were to suddenly disappear or be
> > completely redefined, it would be a hard break for us at this point.
>
> I don't think system scope would (or could) disappear at this point, so
> I don't think there's much to worry about.

Whew! That is a weight off my shoulders!

>  I think it's totally
> reasonable to say that there are certain things that a user would never
> interact with directly, which are entirely system-scoped. This might be
> things like ironic and maybe even placement. You could also make the
> argument that a good chunk of keystone's API is system-only.

Definitely.

> If people
> are already using ironic with scopes turned on, it proves the point that
> it's isolated enough that it doesn't suffer from all the other problems
> that caused the direction change.
>
> --Dan

Really, starting out as an admin-only service and then later adding
multi-tenancy support which only got turned on by default with SRBAC
meant we never had to deal with the can of worms that were initially
encountered with system scope.
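The distinction the thread turns on is whether an API accepts only system-scoped tokens or also project-scoped admin tokens. The following is an added illustration, not ironic's policy file or oslo.policy's implementation: a toy enforcer modelled on the oslo.policy idea of a rule with allowed scope types plus a required role. The rule names, token fields and scenarios are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class TokenContext:
    """Scope and roles carried by a (constructed) Keystone token.

    A system-scoped token has system_scope == "all" and no project_id;
    a project-scoped token has a project_id and no system scope.
    """
    roles: FrozenSet[str]
    system_scope: Optional[str] = None
    project_id: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """A policy rule: which token scopes may call the API, and which role is needed."""
    name: str
    scope_types: FrozenSet[str]   # subset of {"system", "project"}
    required_role: str = "admin"


def token_scope(ctx: TokenContext) -> Optional[str]:
    """Classify the token as system- or project-scoped (None if neither)."""
    if ctx.system_scope == "all":
        return "system"
    if ctx.project_id is not None:
        return "project"
    return None


def enforce(rule: Rule, ctx: TokenContext) -> bool:
    """Return True only if the token's scope is allowed by the rule
    and the token carries the required role. Scope is checked first,
    so a project admin is rejected outright from a system-only API."""
    scope = token_scope(ctx)
    if scope is None or scope not in rule.scope_types:
        return False
    return rule.required_role in ctx.roles


# Hypothetical rules: one API kept system-only, one extended to project admins.
SYSTEM_ONLY = Rule("example:node:set_power_state", frozenset({"system"}))
SYSTEM_OR_PROJECT_ADMIN = Rule("example:node:get", frozenset({"system", "project"}))

# Constructed tokens for the three cases the thread discusses.
SYSTEM_ADMIN = TokenContext(roles=frozenset({"admin"}), system_scope="all")
PROJECT_ADMIN = TokenContext(roles=frozenset({"admin"}), project_id="proj-1")
PROJECT_MEMBER = TokenContext(roles=frozenset({"member"}), project_id="proj-1")


def decisions() -> dict:
    """Evaluate every token against every rule; keys are (rule, token label)."""
    tokens = {"system_admin": SYSTEM_ADMIN,
              "project_admin": PROJECT_ADMIN,
              "project_member": PROJECT_MEMBER}
    out = {}
    for rule in (SYSTEM_ONLY, SYSTEM_OR_PROJECT_ADMIN):
        for label, ctx in tokens.items():
            out[(rule.name, label)] = enforce(rule, ctx)
    return out


if __name__ == "__main__":
    for (rule_name, label), allowed in decisions().items():
        print(f"{rule_name:32s} {label:15s} -> {'allow' if allowed else 'deny'}")
```

Running it shows the system-only rule admitting the system admin and nobody else, while the extended rule admits both admins and still denies a plain project member. That is the "extend that out to project admin" step from the thread expressed as a policy change rather than a token change.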
