Hi,
I started looking at the S-RBAC today and for the phase 3 [1] especially. My question is - do we have agreement on what this MANAGER will look like? In the linked document there is only info that keystone's spec [2] will have to be changed but I'm not sure if this is final now and if we can/should start thinking and implementing policies for the MANAGER role or not yet.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...
[2] https://review.opendev.org/c/openstack/keystone-specs/+/818603
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
Hi,
I can only hint you towards this spec for the domain-scoped manager: https://review.opendev.org/c/openstack/keystone-specs/+/903172
greetings
Josephine (Luzi)
On 12.04.24 at 10:35, Sławek Kapłoński wrote:
> Hi,
> I started looking at the S-RBAC today and for the phase 3 [1] especially. My question is - do we have agreement on what this MANAGER will look like? In the linked document there is only info that keystone's spec [2] will have to be changed but I'm not sure if this is final now and if we can/should start thinking and implementing policies for the MANAGER role or not yet.
> [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...
> [2] https://review.opendev.org/c/openstack/keystone-specs/+/818603
> --
> Slawek Kaplonski
> Principal Software Engineer
> Red Hat
Hi,
On Friday, 12 April 2024 07:07:16 EDT, Josephine Seifert wrote:
> Hi,
> I can only hint you towards this spec for the domain-scoped manager: https://review.opendev.org/c/openstack/keystone-specs/+/903172
Thx but I think that this is something different and much younger than original idea about MANAGER role
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
---- On Mon, 15 Apr 2024 14:43:36 -0700 Sławek Kapłoński wrote ---
> Hi,
> On Friday, 12 April 2024 07:07:16 EDT, Josephine Seifert wrote:
>> Hi,
>> I can only hint you towards this spec for the domain-scoped manager: https://review.opendev.org/c/openstack/keystone-specs/+/903172
> Thx but I think that this is something different and much younger than original idea about MANAGER role
This is a new idea to solve the domain level tasks and applies to keystone only, but the original Manager is at project level to share the task between admin and member role.
-gmann
---- On Fri, 12 Apr 2024 01:35:21 -0700 Sławek Kapłoński wrote ---
> Hi,
> I started looking at the S-RBAC today and for the phase 3 [1] especially. My question is - do we have agreement on what this MANAGER will look like? In the linked document there is only info that keystone's spec [2] will have to be changed but I'm not sure if this is final now and if we can/should start thinking and implementing policies for the MANAGER role or not yet.
> [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...
> [2] https://review.opendev.org/c/openstack/keystone-specs/+/818603
Sorry for the late response, somehow I missed this email.
'Manager' role is good to start adding in APIs, the keystone bootstrap implied role has been implemented[1] so I do not think we need any further updates. About usage, it is more of a privilege between project admin and project member role and it is up to services to decide what all APIs need to default to the Manager role. For example, reset the server state. I will say something we want the admin to share the responsibility of managing the resources but keeping APIs default to admin only which can be more destructive to the cloud.
[1] https://review.opendev.org/c/openstack/keystone/+/822601
-gmann
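The role layering described in the reply above, as an added example (not keystone's or any service's code): it assumes the implied-role chain admin -> manager -> member -> reader and hypothetical `server:*` policy names, and lists which APIs each role reaches when a service defaults some of them to manager.

```python
# Added illustration. The implied-role chain and every policy name below are
# assumptions made for this example, not definitions taken from keystone or nova.
IMPLIES = {"admin": "manager", "manager": "member", "member": "reader"}


def expand_roles(assigned):
    """Return the assigned roles plus every role they imply, transitively."""
    roles = set()
    for role in assigned:
        while role is not None and role not in roles:
            roles.add(role)
            role = IMPLIES.get(role)
    return roles


# Hypothetical per-API defaults: the least-privileged role allowed to call each API.
POLICY_DEFAULTS = {
    "server:show": "reader",
    "server:create": "member",
    "server:reset_state": "manager",    # the example named in the thread
    "server:migrate_to_host": "admin",  # hypothetical API kept admin-only
}


def is_allowed(action, token, target_project_id):
    """Project-scoped check: same project, and required role held or implied."""
    required = POLICY_DEFAULTS.get(action)
    if required is None:
        return False  # unknown action: deny by default
    if token.get("project_id") != target_project_id:
        return False  # a role in one project grants nothing in another
    return required in expand_roles(token.get("roles", []))


def audit(assigned_role, project_id="p1"):
    """List the APIs a single assigned role can call inside its own project."""
    token = {"project_id": project_id, "roles": [assigned_role]}
    return sorted(a for a in POLICY_DEFAULTS if is_allowed(a, token, project_id))


if __name__ == "__main__":
    for role in ("reader", "member", "manager", "admin"):
        print(role, audit(role))
```

Running `audit` per role before changing a default shows exactly which callers gain or lose an API when it moves between member, manager and admin.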
Hi,
On Wednesday, 17 April 2024 03:58:44 CEST, Ghanshyam Mann wrote:
> ---- On Fri, 12 Apr 2024 01:35:21 -0700 Sławek Kapłoński wrote ---
>> Hi,
>> I started looking at the S-RBAC today and for the phase 3 [1] especially. My question is - do we have agreement on what this MANAGER will look like? In the linked document there is only info that keystone's spec [2] will have to be changed but I'm not sure if this is final now and if we can/should start thinking and implementing policies for the MANAGER role or not yet.
>> [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...
>> [2] https://review.opendev.org/c/openstack/keystone-specs/+/818603
> Sorry for the late response, somehow I missed this email.
> 'Manager' role is good to start adding in APIs, the keystone bootstrap implied role has been implemented[1] so I do not think we need any further updates. About usage, it is more of a privilege between project admin and project member role and it is up to services to decide what all APIs need to default to the Manager role. For example, reset the server state. I will say something we want the admin to share the responsibility of managing the resources but keeping APIs default to admin only which can be more destructive to the cloud.
> [1] https://review.opendev.org/c/openstack/keystone/+/822601
> -gmann
Thx for info. That's what I was looking for :)
--
Slawek Kaplonski
Principal Software Engineer
Red Hat
participants (3)
- Ghanshyam Mann
- Josephine Seifert
- Sławek Kapłoński