On Wed, 2022-06-08 at 07:49 +0200, Julia Kreger wrote:
On Tue, Jun 7, 2022 at 8:10 PM Ghanshyam Mann <gmann@ghanshyammann.com> wrote:
Hello Everyone,
As you might know, we are redesigning the OpenStack default RBAC. The new design target two things:
1. 'new defaults (reader role)' 2. "Scope" concept
It is hard to explain the details in email but the below doc is a good place to start understanding this: - https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...
We as a community think 1st target (reader role) is a good thing to do and it will definitely be useful in many cases.
But we need feedback on the "Scope" concept. To understand what it is and how it can impact your existing use case/deployment, please ref the documentation mentioned in the etherpad[1] (if there is any question about its design/usage we are planning, feel free to reply here or contact us in #openstack-tc IRC channel).
* If you are an operator, we really need your feedback if the 'Scope' concept is a useful thing for your deployment/use-case or not.
* If you are attending events have operators also attending (for example, project operator feedback (like nova[2]), forum sessions in berlin summit, ops meetup or any local operator event), please communicate about the required feedback.
* Due to various reasons, many of us involved in RBAC work are not travelling to Berlin and we have this topic to be discussed in Berlin ops meetup[3] but we require someone knowing RBAC new design moderate this topic. Please reach out to us if you would like to help.
I previously volunteered to facilitate this at the operators meet up and given others have had to drop out, I discussed it with the ops meetup leaders and will be facilitating a session with the interested operators on Friday.
I know from previous discussions I’ve had, there was quite an interest in the system level of scope access to be able to see everything across a system, so I suspect there is tons of value there, but our developer perception is obvious different if we’re questioning it at this point.
the system level of scope does not allow you to see everything across the system it only allows you to see the non project related resouces so you can see the flavors and host aggreates but not the instances as instances are project scoped. and project scoped resouces like ports, instances, images and volumes cannot be accessed with a system scope token if you enabel scope enforcement. that is one of the things we want to get clarity on form operators. is the disticntion between system level resouces and project level resouces useful.
Central Etherpad to collect feedback (this can be used to collect from various forums/places):
* https://etherpad.opendev.org/p/rbac-operator-feedback
[1] https://etherpad.opendev.org/p/rbac-operator-feedback [2] https://etherpad.opendev.org/p/nova-berlin-meet-and-greet [3]https://etherpad.opendev.org/p/ops-meetup-berlin-2022-planning#L74
-gmann