[openstack-dev] [congress] For people attending the mid-cycle policy summit

Sean Roberts seanroberts66 at gmail.com
Fri Sep 5 19:20:36 UTC 2014


We have a couple of requests for all of you planning to attend the 18-19th September Policy Mid-cycle summit.  

1. We’re planning on starting with a series of talks describing the state of policy (current and possibly future) in different projects.  We've confirmed people for talks on the following projects.

Nova
Neutron
Congress 

Are there any other projects interested in giving a talk?  It could just be a chalk-talk (on the whiteboard), if that makes it easier.

2. We’re planning to use the talks as level-setting for a discussion/workshop on how all our policy efforts might interoperate to better serve OpenStack users.  We’d like to drive that discussion by working through one or more use cases that require us to all think about OpenStack policy from a holistic point of view.  

Examples of the kinds of questions we envision trying to answer:

How would the OpenStack users communicate their policies to OpenStack?  
Can OpenStack always enforce policies?  What about monitoring?  Auditing?
What is the workflow for how OpenStack takes the policies and implements/renders them?
What happens if there are conflicts between users?  How are those conflicts surfaced/resolved?
What gaps are there?  How do we plug them?  What’s the roadmap?

Below is the start of a use case that we think will do the trick.  Let’s work together to refine it over email before the summit, so we can hit the ground running.  Please reply (to all) with suggestions/alternatives/etc.

a) Application-developer: My 2-tier PCI app (database tier and web tier) can be deployed either for production or for development.  

When deployed for production, it needs 

solid-state storage for the DB tier
all ports but 80 closed on the web tier
no network communication to DB tier except from the web tier
no VM in the DB tier can be deployed on the same hypervisor as another VM in the DB tier; same for the web tier

b) Cloud operator.  

Applications deployed for production must have access to the internet.
Applications deployed for production must not be deployed in the DMZ cluster.
Applications deployed for production should scale based on load.
Applications deployed for development should have 1 VM instance per tier.
Every application must use VM images signed by an administrator.

c) Compliance officer

No VM from a PCI app may be located on the same hypervisor as a VM from a non-PCI app.

~ sean
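
Added illustration, not part of the message above and not Congress code: a small audit pass that checks four of the use-case rules (signed images, port 80 only on production web VMs, per-tier anti-affinity in production, PCI/non-PCI hypervisor separation). The inventory, its field names and the rule labels are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical field names): one dict per VM.
VMS = [
    {"name": "web-1", "app": "shop", "pci": True, "env": "production", "tier": "web",
     "hypervisor": "hv1", "open_ports": {80}, "image_signed": True},
    {"name": "web-2", "app": "shop", "pci": True, "env": "production", "tier": "web",
     "hypervisor": "hv2", "open_ports": {80, 22}, "image_signed": True},
    {"name": "db-1", "app": "shop", "pci": True, "env": "production", "tier": "db",
     "hypervisor": "hv3", "open_ports": set(), "image_signed": True},
    {"name": "db-2", "app": "shop", "pci": True, "env": "production", "tier": "db",
     "hypervisor": "hv3", "open_ports": set(), "image_signed": True},
    {"name": "blog-1", "app": "blog", "pci": False, "env": "development", "tier": "web",
     "hypervisor": "hv1", "open_ports": {80, 443}, "image_signed": False},
]

def audit(vms):
    """Return a sorted list of (rule, subject) violations found in the inventory."""
    violations = set()
    by_hv = defaultdict(list)
    for vm in vms:
        by_hv[vm["hypervisor"]].append(vm)
        # Operator rule: every application uses administrator-signed images.
        if not vm["image_signed"]:
            violations.add(("unsigned-image", vm["name"]))
        # Developer rule: production web tier has all ports but 80 closed.
        if vm["env"] == "production" and vm["tier"] == "web" and vm["open_ports"] - {80}:
            violations.add(("web-ports", vm["name"]))
    for hv, hosted in by_hv.items():
        # Compliance rule: PCI and non-PCI VMs never share a hypervisor.
        if len({vm["pci"] for vm in hosted}) > 1:
            violations.add(("pci-colocation", hv))
        # Developer rule: no two production VMs of one app tier on one hypervisor.
        seen = set()
        for vm in hosted:
            if vm["env"] != "production":
                continue
            key = (vm["app"], vm["tier"])
            if key in seen:
                violations.add(("tier-anti-affinity", f"{hv}:{vm['app']}/{vm['tier']}"))
            seen.add(key)
    return sorted(violations)

if __name__ == "__main__":
    for rule, subject in audit(VMS):
        print(f"{rule}: {subject}")
```

The remaining rules (storage class, DB-tier reachability, internet access, DMZ exclusion, scaling) need network and scheduler data that this flat inventory does not model.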
