Hi, Dnia środa, 17 kwietnia 2024 03:58:44 CEST Ghanshyam Mann pisze:
---- On Fri, 12 Apr 2024 01:35:21 -0700 Sławek Kapłoński wrote ---
Hi,
I started looking at the S-RBAC today and for the phase 3 [1] especially. My question is - do we have agreement how this MANAGER will look like? In the linked document there is only info that keystone's spec [2] will have to be changed but I'm not sure if this is final now and if we can/should start thinking and implementing policies for the MANAGER role or not yet.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba... [2] https://review.opendev.org/c/openstack/keystone-specs/+/818603
Sorry for the late response, somehow I missed this email.
'Manager' role is good to start adding in APIs, the keystone bootstrap implied role has been implemented[1] so I do not think we need any further updates. About usage, it is more of a privilege between project admin and project member role and it is up to services to decide what all APIs need to default to the Manager role. For example, reset the server state. I will say something we want the admin to share the responsibility of managing the resources but keeping APIs default to admin only which can be more destructive to the cloud.
[1] https://review.opendev.org/c/openstack/keystone/+/822601
-gmann
-- Slawek Kaplonski Principal Software Engineer Red Hat
Thx for info. That's what I was looking for :) -- Slawek Kaplonski Principal Software Engineer Red Hat