This is an update on the progress made within the Policy Popup team[1] so far this cycle.
[1] https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup...
Why This Is Important
=====================
Separating system, domain, and project-scope APIs and providing meaningful default roles is critical to facilitating secure cloud deployments and to fulfilling OpenStack's vision as a fully self-service infrastructure provider[2]. Until all projects have completed this policy migration, the "reader" role that exists in keystone is dangerously misleading, and the `[oslo_policy]/enforce_scope` option has limited usefulness as long as projects lack uniformity in how an administrator can use scoped APIs.
[2] https://governance.openstack.org/tc/reference/technical-vision.html#self-ser...
Project Progress
================

Nova
----

- Ussuri spec has merged[3]
- 28 changes implementing the spec have been merged[4]
- 39 additional changes have been proposed and are awaiting review[5]

[3] https://review.opendev.org/686058
[4] https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh+status:merge...
[5] https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh+status:open
Cyborg
------

- Ussuri spec has merged[6] and a tracking story has been created[7]
- 2 changes to implement the spec have been proposed and are awaiting review[8]

[6] https://review.opendev.org/699099
[7] https://storyboard.openstack.org/#!/story/2007024
[8] https://review.opendev.org/#/q/project:openstack/cyborg+topic:policy-popup+s...
Barbican
--------

- A table has been created outlining the required policy changes[9]
- No patches merged or proposed yet
[9] https://wiki.openstack.org/wiki/Barbican/Policy
Neutron
-------

- No planning document
- No patches merged or proposed yet
Manila
------

- No planning document
- No patches merged or proposed yet
Cinder
------

- No planning document
- No patches merged or proposed yet
How You Can Help
================
If you are a contributor for these teams, please update the popup team wiki page[10] as your project starts to plan and implement policy changes.
If you are a cloud operator, please help review the proposed policy rule changes to sanity-check the new scope and role defaults and to help influence these decisions.
[10] https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup...
Reminders
=========
- Reach out at any time to the keystone team if you have questions on this popup team's goals.
- Colleen is still seeking to be replaced as co-chair; please let me know if you're interested.