On Wed, Mar 20, 2019, at 5:14 PM, Ben Nemec wrote:
On 3/20/19 10:21 AM, Mohammed Naser wrote:
On Wed, Mar 20, 2019 at 10:40 AM Matt Riedemann <mriedemos@gmail.com> wrote:
On 3/18/2019 4:40 PM, melanie witt wrote:
I wanted to run the idea by operators and users to get feedback.
Let me be frank and ask if we (nova) have specific operators and users that are clamoring for these changes and if so, do they plan on not only attending the session but engaging in the development of these pretty massive shifts in how nova works? I know we've been talking about this stuff for a long time, but the demand just doesn't feel like it's there from the operators community, and as a development team we're already spread thin.
I think implementing the new RBAC stuff is pretty important. We've had countless requests on things like a "read-only" user which is not currently achievable without quite a significant overhaul of the existing policies.
Yep, we have multiple customers who have asked for this and up until now the only way we've been able to do it is to rewrite most of the policy rules for every service. That's extremely error-prone and difficult to maintain.
Also, doesn't this work address the longstanding complaint about there being no way to scope an admin account to a single project?
I know at one point we had someone who was doing work upstream to improve this, but I think that kind of tailed off. It seems like there is a compelling business case for us to have someone work on this, but the business and I have disagreed on the definition of "compelling" before, so I make no promises. :-)
Yes, part of this discussion is about addressing that scope-to-not-everything problem, which we want to address with system scope. But that involves redefining service APIs to understand the difference between system and project scope, and re-training operators and users to use the correct scope for the correct context. So it's a useful conversation to have with both developers and operators in the room.

Colleen