[Openstack-operators] Dynamic Policy for Access Control
matt at nycresistor.com
Mon Feb 23 17:01:01 UTC 2015
Interesting to me would be isolation of physical resource by roles.
Necessary in FISMA / ITAR and PCI world.
On Mon, Feb 23, 2015 at 11:41 AM, Tim Bell <Tim.Bell at cern.ch> wrote:
> > -----Original Message-----
> > From: Adam Young [mailto:ayoung at redhat.com]
> > Sent: 23 February 2015 16:45
> > To: openstack-operators at lists.openstack.org
> > Subject: [Openstack-operators] Dynamic Policy for Access Control
> > "Admin can do everything!" has been a common lament, heard for multiple
> > summits. It's more than just a development issue. I'd like to fix that. I think we
> > all would.
> > I'm looking to get some Operator input on the Dynamic Policy issue. I wrote up a
> > general overview last fall, after the Kilo summit:
> > https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/
> > Some of what I am looking at is: what are the general roles that
> > would like to have by default when deploying OpenStack?
> As I described in
> we've got (mapped per-project to an AD group)
> - operator (start/stop/reboot/console)
> - accounting (read ceilometer data for reporting)
> > I've submitted a talk about policy for the Summit:
> > access-control
> > If you want, please vote for it, but even if it does not get selected, I'd like to
> > discuss Policy with the operators at the summit, as input to the
> > development effort.
> Sounds like a good topic for the ops meetup track.
> > Feedback greatly welcome.
> > _______________________________________________
> > OpenStack-operators mailing list
> > OpenStack-operators at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators