Hey all,

Last week we spent a lot of time discussing RBAC, where everything stands, and where we need to go to offer a consistent experience for operators and users.

We kept track of all the sessions in a single etherpad, which also served as a place for daily summaries [0]. There is a lot of information in there, but we started working through the action items and correlating them to bugs or opening new bugs. Hopefully this helps us track progress through Xena.

One of the biggest outcomes from last week was the discussion about how system users should interact with project-owned resources. For context, administrators have always been able to do things for project users because they both have project-scoped tokens. That's no longer going to be the case as services adopt system-scope. We came up with an interesting way to solve the problem and we compared it to other approaches. This all starts at about line 136 in the etherpad [0]. Ultimately, we think it will be the least invasive approach; we have a specification up for review [1] and a PoC in flight [2].

Please look over the summary and links to any actionables for your project. We can use this thread to discuss any questions if you have them.

Thanks again for all the dedication and focus on policy last week. I know the discussions aren't easy and it's a tough problem to work through, but landing something this big across OpenStack services will be a huge win for operators and users.

Lance

[0] https://etherpad.opendev.org/p/policy-popup-xena-ptg
[1] https://review.opendev.org/c/openstack/keystone-specs/+/787640
[2] https://review.opendev.org/c/openstack/keystonemiddleware/+/787822