[ops][heat][rbac] Call for feedback: Splitting stack to "system" stack and "project" stack

Takashi Kajinami tkajinam at redhat.com
Tue May 10 15:13:57 UTC 2022


Hello,

tl;dr
We are looking for some feedback from anyone developing their tool/software
creating/managing heat stacks, about the new requirement we are
considering.


Recently we've been discussing the issue with Heat and Secure RBAC work[1].

The current target of SRBAC work requires the appropriate scope according
to the resources.
 - Project resources like instance, volume or network can be created by
project-scoped token
 - Project resources like flavor, user, project or role can be created by
system-scoped token

This is causing a problem with heat stacks which have both project resources
and system resources, because heat currently uses the single token provided
by the user in a single stack API call.


As part of discussions we have discussed the "split stack" concept, which
requires
creating separate stacks per scope. This means If you want to create
project resources
and system resources by Heat, you should create two separate heat stacks
and call
heat stack api separately using different credentials.

While we still need to investigate the feasibility of this option (eg. how
smooth we can
make the migration), we'd like to hear any feedback about the impact of the
"split stack" concept
on any external toolings depending on Heat, because this would require some
workflow/architecture
change in the toolings. If we hear many negative feedback/concerns then we
would examine
different approaches.

Thank you,
Takashi

[1]
https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220511/149b3373/attachment.htm>


More information about the openstack-discuss mailing list