<div dir="ltr">What do you mean by that?  Like a "network" role for network admins that only can modify backend neutron functions? <div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 23, 2015 at 12:01 PM, matt <span dir="ltr"><<a href="mailto:matt@nycresistor.com" target="_blank">matt@nycresistor.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Interesting to me would be isolation of physical resource by roles.<br><br></div>Necessary in FISMA / ITAR and PCI world.<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 23, 2015 at 11:41 AM, Tim Bell <span dir="ltr"><<a href="mailto:Tim.Bell@cern.ch" target="_blank">Tim.Bell@cern.ch</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span><br>
> -----Original Message-----<br>
> From: Adam Young [mailto:<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>]<br>
> Sent: 23 February 2015 16:45<br>
> To: <a href="mailto:openstack-operators@lists.openstack.org" target="_blank">openstack-operators@lists.openstack.org</a><br>
> Subject: [Openstack-operators] Dynamic Policy for Access Control<br>
><br>
> "Admin can do everything!"  has been a common lament, heard for multiple<br>
> summits.  It's more than just a development issue.  I'd like to fix that.  I think we<br>
> all would.<br>
><br>
><br>
> I'm looking to get some Operator input on the Dynamic Policy issue. I wrote up a<br>
> general overview last fall, after the Kilo summit:<br>
><br>
> <a href="https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/" target="_blank">https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/</a><br>
><br>
><br>
> Some of what I am looking at is:  what are the general roles that Operators<br>
> would like to have by default when deploying OpenStack?<br>
><br>
<br>
</span>As I described in <a href="http://openstack-in-production.blogspot.ch/2015/02/delegation-of-roles.html" target="_blank">http://openstack-in-production.blogspot.ch/2015/02/delegation-of-roles.html</a>, we've got (mapped  per-project to an AD group)<br>
<br>
- operator (start/stop/reboot/console)<br>
- accounting (read ceilometer data for reporting)<br>
<span><br>
> I've submitted a talk about policy for the Summit:<br>
> <a href="https://www.openstack.org/vote-vancouver/presentation/dynamic-policy-for-access-control" target="_blank">https://www.openstack.org/vote-vancouver/presentation/dynamic-policy-for-access-control</a><br>
><br>
> If you want, please vote for it, but even if it does not get selected, I'd like to<br>
> discuss Policy with the operators at the summit, as input to  the Keystone<br>
> development effort.<br>
><br>
<br>
</span>Sounds like a good topic for the ops meetup track.<br>
<div><div><br>
> Feedback greatly welcome.<br>
><br>
> _______________________________________________<br>
> OpenStack-operators mailing list<br>
> <a href="mailto:OpenStack-operators@lists.openstack.org" target="_blank">OpenStack-operators@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
<br>
</div></div></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div>