On Wed, Jun 8, 2022 at 9:53 AM Ghanshyam Mann <gmann@ghanshyammann.com> wrote:
---- On Wed, 08 Jun 2022 09:48:04 -0500 Sean Mooney <smooney@redhat.com> wrote ----
[trim]
So the discussion of RBAC is not finalised but a direction has been chosen and there is a certain amount of momentum behind it now. Parts of the design can still change and evolve but other parts are more concrete like the reader role.
True, our overall goal is to ship improvement without breaking any use case. For example, 'scope' can be good for just nova admin/users but for heat, tacker users these might be a breaking change more than an improvement, so we want to make sure what operators think by considering all use cases.
-gmann
So, one thought. Ironic views system scope as *critical* for our usage based upon the consensus we built before the direction change, because the system fundamentally is the owner/manager of $things. We can and likely should extend that out to project admin (granted, I suspect at least one ironic admin will reply with a strong -1 to such a change... :\. ) given the direction change. We also have had some operators jump on it, but... again, entirely different models of usage/interaction given the base state. If system scope were to suddenly disappear or be completely redefined, it would be a hard break for us at this point.
Granted, I get that the system scope ideas were breaking for some projects in specific use patterns since not everything would be the same nor possible (which is actually a good thing, context of use and all), but it was in theory perfect for a lot of the external audit tooling use cases which arise in so many different ways.
Anyway, off to the next $thing with my scattered brain.
On Wed, Jun 8, 2022 at 6:53 AM Dan Smith <dms@danplanet.com> wrote:
The system level of scope does not allow you to see everything across the system; it only allows you to see the non-project-related resources.
So you can see the flavors and host aggregates but not the instances, as instances are project scoped. And project-scoped resources like ports, instances, images and volumes cannot be accessed with a system-scope token if you enable scope enforcement.
That is one of the things we want to get clarity on from operators: is the distinction between system-level resources and project-level resources useful?
Yep, exactly this. Given the amount of breakage it brings for things like Heat and Tacker, as well as the potential workflow annoyance for human admins, I really want to measure whether any operators see a benefit here. The persona roles, things like a standardized service role, and getting out of this current situation of having two sets of defaults are priorities for me.
--Dan
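As an added illustration of the system/project distinction discussed above (not code from this thread, from oslo.policy or from Nova), a small Python model of scope enforcement; the rule-to-scope mapping, the role names and the token credential layout are assumed for the example.

```python
# Simplified model of oslo.policy-style scope enforcement (assumed, not real
# oslo.policy). Each rule names the minimum role and the token scopes it
# accepts: system-level resources (flavors, aggregates) take system-scoped
# tokens, project-level resources (servers) take project-scoped tokens.
RULES = {
    "os_compute_api:os-flavor-manage:create": ("admin", ["system"]),
    "os_compute_api:os-aggregates:index": ("reader", ["system"]),
    "os_compute_api:servers:index": ("reader", ["project"]),
}

# Persona roles in ascending order of privilege (assumed ranking).
ROLE_RANK = {"reader": 0, "member": 1, "admin": 2}


def token_scope(creds):
    """Derive the scope of a token from its credentials (assumed layout)."""
    if creds.get("system_scope") == "all":
        return "system"
    if creds.get("project_id"):
        return "project"
    return "unscoped"


def is_allowed(rule, creds, enforce_scope=True):
    """Return True if a token with these credentials may call `rule`.

    With enforce_scope=False (legacy behaviour) only the role is checked, so a
    system-scoped admin can still list servers. With enforce_scope=True the
    token scope must also match one of the rule's scope types, which is the
    break Sean describes: a system-scope token loses project resources.
    """
    required_role, scope_types = RULES[rule]
    best = max((ROLE_RANK.get(r, -1) for r in creds.get("roles", [])), default=-1)
    if best < ROLE_RANK[required_role]:
        return False
    if not enforce_scope:
        return True
    return token_scope(creds) in scope_types


# Constructed sample tokens: a system-scoped admin and a project-scoped reader.
SYSTEM_ADMIN = {"roles": ["admin"], "system_scope": "all"}
PROJECT_READER = {"roles": ["reader"], "project_id": "p1"}


def audit_matrix(enforce_scope=True):
    """Evaluate every rule for both sample tokens; useful to see the delta."""
    return {
        (who, rule): is_allowed(rule, creds, enforce_scope)
        for who, creds in (("system_admin", SYSTEM_ADMIN), ("project_reader", PROJECT_READER))
        for rule in RULES
    }
```

Comparing `audit_matrix(False)` with `audit_matrix(True)` shows exactly which calls an existing system-scoped admin loses once enforcement is switched on.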