[Openstack-operators] [keystone] RBAC usage at production
jlk at bluebox.net
Tue Dec 29 19:48:55 UTC 2015
We are still using the MySQL backend for Keystone.
We are using a customization for Horizon that's public
and then we have crafted policy files that are public as well (e.g.
Lastly we have middleware for keystone (not public) that does some
filtering of what various roles can see, which in effect keeps "admin" role
from being able to see "cloud_admin" things.
On Tue, Dec 29, 2015 at 12:28 AM, Oğuz Yarımtepe <oguzyarimtepe at gmail.com>
> Using a middleware is what we are doing also. Can you give more details
> about your structure? Our middleware is like the Rackspace OpenRepose. What
> do you use for role definitions? Are you using any backend for Keystone
> like LDAP?
> On Thu, Dec 10, 2015 at 9:55 PM, Jesse Keating <jlk at bluebox.net> wrote:
>> We use RBAC, however we've done it based on roles and some middleware.
>> The policy files are essentially static.
>> - jlk
>> On Wed, Dec 9, 2015 at 12:39 AM, Oguz Yarimtepe <oguzyarimtepe at gmail.com>
>>> I am wondering whether there are people using RBAC in production. The
>>> policy.json file has a structure that requires a restart of the service each
>>> time you edit the file. Is there an on-the-fly solution or tips about it?
> Oğuz Yarımtepe