Does Openstack have the notion of tenant admin?
Hi,
Does Openstack have the notion of tenant admin? If not, can a role be created to simulate such a notion?
Regards.
On Tue, 2023-05-23 at 13:19 +0100, wodel youchi wrote:
Hi,
Does Openstack have the notion of tenant admin?
No, it does not.
There is global admin, or you can use member.
If not, can a role be created to simulate such a notion?
Not really. You could use custom policy to simulate it, but the real question you have to ask/answer is what would a tenant admin be able to do that a project member can't. You would then need to create custom policy rules for all services to enable that persona and associate that with a custom role. Finally you would have to assign that role to the relevant tenant admins.
Regards.
There is a plan to introduce a "project manager" role next year or so. See https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba... (if you are in a hurry, scroll down to "phase 3").
-----Original Message-----
From: Sean Mooney <smooney@redhat.com>
Sent: Tuesday, May 23, 2023 9:31 PM
To: wodel youchi <wodel.youchi@gmail.com>; OpenStack Discuss <openstack-discuss@lists.openstack.org>
Subject: Re: Does Openstack have the notion of tenant admin?
[...]
On 2023-05-23 13:31:29 +0100 (+0100), Sean Mooney wrote:
On Tue, 2023-05-23 at 13:19 +0100, wodel youchi wrote:
Does Openstack have the notion of tenant admin?
No, it does not.
There is global admin or you can use member.
If not, can a role be created to simulate such a notion?
Not really.
You could use custom policy to simulate it, but the real question you have to ask/answer is what would a tenant admin be able to do that a project member can't. [...]
Developers have been working recently on adding a read-only "reader" role to their respective services as an initial phase of the Consistent and Secure Default RBAC goal[*], so you might think of it as people who need to be able to make changes to project resources (project members) are conceptually akin to your tenant admin idea while people who only need to be able to look at status and settings for project resources (project readers) are limited to just those capabilities and cannot make changes.
In phase 3, the plan (as it stands now) is to add a project "manager" role which will gain exclusive control of lower level resource API methods, further limiting the current project member role.
[*] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...
-- Jeremy Stanley
On Tue, 2023-05-23 at 14:15 +0000, Jeremy Stanley wrote:
[...]
In phase 3, the plan (as it stands now) is to add a project "manager" role which will gain exclusive control of lower level resource API methods, further limiting the current project member role.
Not necessarily. Limiting the scope of project member was not the intent of adding project manager.
The original intent was to allow project-manager to do more privileged operations that would normally require admin. At least for nova I don't think we plan to remove any permissions from users with project member today. We were considering allowing project manager to have additional capability however.
A project member can lock an instance but an admin can override that. A project member cannot unlock an instance that an admin has locked. We could add the ability for project managers to unlock an instance that a project member has locked, or to lock the instance such that a project member cannot unlock it. An admin would still be able to override a project manager as it can with project member today.
I would consider the removal of permissions to do things from project member and requiring project manager to be a breaking API change. There might be specific cases where we may decide it's justified, but unless we are planning to do a new major version of the nova API I'm expecting project manager to be a purely additive change: adding new capabilities that would previously have been admin-only by default, for example the ability to cold migrate a VM or live migrate it perhaps. But I do not expect us to restrict what project member can do.
Live migration is the example use case, although there have been others discussed in the past: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...
Any changes in this regard will likely require per-project specs to detail exactly what will and will not change. For example keystone might desire to allow project managers to delegate any of the roles they have to other users in a project, or give a project manager the ability to add or remove a user from the project. If that was a change that was desirable I would expect to see a keystone spec that would detail exactly how that will be done.
Similarly I expect any usage of project manager in nova to be accompanied by a spec to describe that. While we have examples, we do not have any detailed proposals for nova at this time.
[*] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...
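The approach Sean sketches earlier in the thread (custom policy rules per service, a custom role, then assigning it) combined with his lock-override and migration examples above, written out as an added example that is not from the thread or from any OpenStack project. The role name "tenant_admin", the file path and the service name are assumptions; the three Nova policy rule names are Nova's real ones.

```shell
#!/bin/sh
# Added example (not from the thread or from Nova/Keystone): simulate a
# per-project "tenant admin" persona with a custom Keystone role plus
# oslo.policy overrides for Nova. Role name "tenant_admin" is an assumption.

# Write the Nova policy overrides. The alias rule carries a
# project_id:%(project_id)s match so the role only works on servers in the
# holder's own project; without it, tenant_admin granted on any project
# would act on every project's servers, i.e. a global admin in disguise.
write_tenant_admin_policy() {
    cat > "$1" <<'EOF'
"tenant_admin": "role:tenant_admin and project_id:%(project_id)s"
"os_compute_api:os-lock-server:unlock:unlock_override": "rule:context_is_admin or rule:tenant_admin"
"os_compute_api:os-migrate-server:migrate": "rule:context_is_admin or rule:tenant_admin"
"os_compute_api:os-migrate-server:migrate_live": "rule:context_is_admin or rule:tenant_admin"
EOF
}

# Guard against an override that forgot the project scope: the alias must
# match project_id, and every Nova rule in the file must go through the
# alias rather than a bare role check. Returns 0 when the file passes.
policy_is_project_scoped() {
    grep -q '^"tenant_admin": ".*project_id:%(project_id)s' "$1" || return 1
    grep '^"os_compute_api' "$1" | grep -qv 'rule:tenant_admin' && return 1
    return 0
}

# Keystone side: create the role once, then grant it per project to the
# people who should act as that project's tenant admin. Needs admin
# credentials (OS_* variables) in the environment.
grant_tenant_admin() {
    openstack role show tenant_admin >/dev/null 2>&1 || openstack role create tenant_admin
    openstack role add --user "$1" --project "$2" tenant_admin
}

# Usage on a real cloud (path and service name are assumptions for a
# typical packaged install):
#   write_tenant_admin_policy /etc/nova/policy.yaml
#   policy_is_project_scoped /etc/nova/policy.yaml && systemctl restart nova-api
#   grant_tenant_admin alice demo-project
```

Admins keep their access through `rule:context_is_admin`, which matches Sean's point that an admin can still override whatever the custom persona does.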
On 2023-05-23 16:32:33 +0100 (+0100), Sean Mooney wrote: [...]
Limiting the scope of project member was not the intent of adding project manager. The original intent was to allow project-manager to do more privileged operations that would normally require admin. [...]
Thanks! That nuance wasn't clear to me from the goal document, but with the examples you cited it makes perfect sense and it's awesome that it will enable deployments to expose additional features to users that way which they can't access today.
-- Jeremy Stanley