[Openstack-operators] Dynamic Policy for Access Control

Joseph Bajin josephbajin at gmail.com
Tue Feb 24 01:50:51 UTC 2015


What do you mean by that?  Like a "network" role for network admins that
only can modify backend neutron functions?



On Mon, Feb 23, 2015 at 12:01 PM, matt <matt at nycresistor.com> wrote:

> Interesting to me would be isolation of physical resource by roles.
>
> Necessary in FISMA / ITAR and PCI world.
>
> On Mon, Feb 23, 2015 at 11:41 AM, Tim Bell <Tim.Bell at cern.ch> wrote:
>
>>
>> > -----Original Message-----
>> > From: Adam Young [mailto:ayoung at redhat.com]
>> > Sent: 23 February 2015 16:45
>> > To: openstack-operators at lists.openstack.org
>> > Subject: [Openstack-operators] Dynamic Policy for Access Control
>> >
>> > "Admin can do everything!" has been a common lament, heard for multiple
>> > summits. It's more than just a development issue. I'd like to fix that.
>> > I think we all would.
>> >
>> >
>> > I'm looking to get some Operator input on the Dynamic Policy issue. I
>> > wrote up a general overview last fall, after the Kilo summit:
>> >
>> > https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/
>> >
>> >
>> > Some of what I am looking at is: what are the general roles that
>> > Operators would like to have by default when deploying OpenStack?
>> >
>>
>> As I described in
>> http://openstack-in-production.blogspot.ch/2015/02/delegation-of-roles.html,
>> we've got (mapped  per-project to an AD group)
>>
>> - operator (start/stop/reboot/console)
>> - accounting (read ceilometer data for reporting)
>>
>> > I've submitted a talk about policy for the Summit:
>> >
>> > https://www.openstack.org/vote-vancouver/presentation/dynamic-policy-for-access-control
>> >
>> > If you want, please vote for it, but even if it does not get selected,
>> > I'd like to discuss Policy with the operators at the summit, as input to
>> > the Keystone development effort.
>> >
>>
>> Sounds like a good topic for the ops meetup track.
>>
>> > Feedback greatly welcome.
>> >
>> > _______________________________________________
>> > OpenStack-operators mailing list
>> > OpenStack-operators at lists.openstack.org
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

