[Openstack-operators] Dynamic Policy for Access Control

matt matt at nycresistor.com
Mon Feb 23 17:01:01 UTC 2015


Interesting to me would be isolation of physical resource by roles.

Necessary in FISMA / ITAR and PCI world.

On Mon, Feb 23, 2015 at 11:41 AM, Tim Bell <Tim.Bell at cern.ch> wrote:

>
> > -----Original Message-----
> > From: Adam Young [mailto:ayoung at redhat.com]
> > Sent: 23 February 2015 16:45
> > To: openstack-operators at lists.openstack.org
> > Subject: [Openstack-operators] Dynamic Policy for Access Control
> >
> > "Admin can do everything!"  has been a common lament, heard for multiple
> > summits.  It's more than just a development issue.  I'd like to fix that.
> > I think we all would.
> >
> >
> > I'm looking to get some Operator input on the Dynamic Policy issue. I wrote
> > up a general overview last fall, after the Kilo summit:
> >
> > https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/
> >
> >
> > Some of what I am looking at is:  what are the general roles that Operators
> > would like to have by default when deploying OpenStack?
> >
>
> As I described in
> http://openstack-in-production.blogspot.ch/2015/02/delegation-of-roles.html,
> we've got (mapped  per-project to an AD group)
>
> - operator (start/stop/reboot/console)
> - accounting (read ceilometer data for reporting)
>
> > I've submitted a talk about policy for the Summit:
> >
> > https://www.openstack.org/vote-vancouver/presentation/dynamic-policy-for-access-control
> >
> > If you want, please vote for it, but even if it does not get selected, I'd
> > like to discuss Policy with the operators at the summit, as input to the
> > Keystone development effort.
> >
>
> Sounds like a good topic for the ops meetup track.
>
> > Feedback greatly welcome.
> >
> > _______________________________________________
> > OpenStack-operators mailing list
> > OpenStack-operators at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators