Hi Magnum team,

I would like to give a short report on the progress and trigger a follow-up discussion.

Right now we have the patch series https://review.opendev.org/c/openstack/magnum/+/874945
The patch set is a follow-up to the TC goal Consistent and Secure Default RBAC [1].

We have now:
* Implementation of secure RBAC with the project member and project reader roles for most APIs, plus a project scope check for APIs which are not designed to run across multiple projects.
* Unit tests and functional tests ready and passing for the above features.

The secure RBAC change currently defaults to false, so it will not affect currently running environments, and we should enable it in the following cycle. When those configs are not enabled, it only provides deprecation warnings.

When enabled, we will require the project_reader role to perform any non-admin GET request and the project_member role for any other non-admin request (PATCH, DELETE, POST, etc.). A project-scoped token will also be required to perform those APIs.

One of the patches we can discuss explicitly sets admin authorization on the APIs: https://review.opendev.org/c/openstack/magnum/+/875625
This, IMO, is an ideal change to make sure we don't break admin operations on any API and to avoid bugs like https://bugs.launchpad.net/neutron/+bug/1997089, but if there are any other concerns, I would love to learn about them.

The patch sets are ready. As we are already in a new development cycle, I would really appreciate it if anyone can help to review and land them.
Most projects already have this implementation in place, so now would be a good time for Magnum to catch up with that goal.


[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Rico Lin
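As an added illustration of the rules described in the mail (not Magnum's code and not from the patch series), here is a small Python model of the policy decision: project reader for non-admin GET, project member for the other methods, a project-scoped token required, admin authorized explicitly, and the legacy rule still deciding with only a deprecation warning while the new defaults are off. The `secure_rbac` flag, the `Context`/`Enforcer` names and the legacy admin-or-owner rule are assumptions made for the example.

```python
import warnings
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class Context:
    # Token as the API sees it; Keystone expands implied roles (member implies reader).
    roles: FrozenSet[str]
    project_id: Optional[str] = None  # None: token is not project-scoped


@dataclass
class Enforcer:
    # `secure_rbac` is a hypothetical stand-in for the config options that
    # switch the new defaults on; off by default, as in the series under review.
    secure_rbac: bool = False
    deprecations: List[str] = field(default_factory=list)

    @staticmethod
    def legacy_allows(ctx: Context, target_project: str) -> bool:
        # Assumed old default: admin or the owning project, no role or scope check.
        return "admin" in ctx.roles or ctx.project_id == target_project

    @staticmethod
    def new_allows(ctx: Context, method: str, target_project: str) -> bool:
        # Project scope check: unscoped or system-scoped tokens are refused
        # for APIs that are not designed to run across projects.
        if ctx.project_id is None:
            return False
        # Admin is authorized explicitly so admin operations keep working.
        if "admin" in ctx.roles:
            return True
        if ctx.project_id != target_project:
            return False
        needed = "reader" if method == "GET" else "member"
        return needed in ctx.roles

    def authorize(self, ctx: Context, method: str, target_project: str) -> bool:
        new_ok = self.new_allows(ctx, method, target_project)
        if self.secure_rbac:
            return new_ok
        # New defaults off: the legacy rule still decides, and a request that
        # only the legacy rule accepts gets a deprecation warning.
        legacy_ok = self.legacy_allows(ctx, target_project)
        if legacy_ok and not new_ok:
            msg = f"{method} on {target_project} allowed by legacy rule only; denied once secure RBAC is enabled"
            self.deprecations.append(msg)
            warnings.warn(msg, DeprecationWarning, stacklevel=2)
        return legacy_ok or new_ok
```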