On 09/06/2022 11:11, Christian Rohmann wrote:
And there are quite a few of those relations even with the most commonly used services. Cinder -> nova, nova -> cinder, nova -> ironic, .... nova -> neutron, ....
Are such canned RBAC rules for "special" inter service users on the backlog somewhere? Or am I totally misconceiving the issue here?
I know there is https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba... and also the question for feedback at https://etherpad.opendev.org/p/rbac-operator-feedback, but that all seems to focus on the impact of roles used by humans / users and not about service roles at all.
I just noticed that Christian Berendt does a forum talk on "Deprivilization of the internal service accounts" TODAY at 2:40pm - 3:10pm at A05 on apparently that exact question :-)
Regards
Christian