---- On Sun, 25 Dec 2022 21:07:04 -0800 manpreet kaur wrote ---
Hi Ogawa san and Tacker team, This mailer is regarding the SRBAC implementation happening in Tacker. In the Tacker release 2023.1 virtual PTG [1], it was decided by the Tacker community to partially implement the project personas (project-reader role) in the current release. And in upcoming releases, we will implement the remaining project-member role.
To address the above requirement, I have prepared a specification [2] and pushed the same in Gerrit for community review.
Ghanshyam san reviewed the specification and shared TC's opinion and suggestion to implement both the project-reader and project-member roles. The complete persona implementation will depreciate the 'owner' rule, and help in restricting any other role to accessing project-based resources.
Yeah, this was a problem in many projects where 'owner' rules were checking only prtoject_id and not the 'member' role. Due to that any role in the project (foo, reader etc) can behave as the 'owner' of the project and perform all the operations within the project scope. This behaviour was actually a bug in our policy. To make the project reader work as expected, we need to fix the existing 'owner' rule to add a 'member' role along with project_id so that 'owner' (project_members) will be different than project_reader. We have fixed it in nova, neutron and many other projects in same way.
Additionally, intact legacy admin (current admin), works in the same way so that we do not break things and introduce the project personas which should be additional things to be available for operators to adopt.
+1, this was the case which came up during RBAC feedback from operators and NFV users. To make sure we do not break the NFV deployment, we are keeping legacy admin behavior/permission the same as it is today. -gmann
Current Status: Incorporated the new requirement and uploaded a new patch set to address the review comment.
Note: The Tacker spec freeze date is 28th Dec 2022, there might be some delay in merging the specification in shared timelines.
[1] https://etherpad.opendev.org/p/tacker-antelope-ptg#L186[2] https://review.opendev.org/c/openstack/tacker-specs/+/866956
Thanks & Regards,Manpreet Kaur