[openstack-dev] [keystone][security] Service User Permissions

Shawn McKinney smckinney at symas.com
Thu Jun 2 15:36:36 UTC 2016

> On Jun 2, 2016, at 10:03 AM, Adam Young <ayoung at redhat.com> wrote:
> To do all of this right, however, requires a degree of introspection that we do not have in OpenStack.  Trove needs to ask Nova "I want to do X, what role do I need?"  and there is no where in the system today that this information lives.
> So, while we could make something that works for service users as the problem is defined by Nova today, that would be, in a word, bad.  We need something that works for the larger OpenStack ecosystem, to include less trusted third party services, and still deal with the long running tasks.


If openstack supported RBAC (ANSI INCITS 359) you would be able to call (something like) this API:

List<String> permissionRoles(Permission  perm) throws SecurityException

Return a list of type String of all roles that have granted a particular permission.

RBAC Review APIs:

One of the advantages of pursuing published standards, you enjoy support for requirements across a broad spectrum of requirements, and perhaps for things you didn’t know was needed (at design time).

Hope this helps,


More information about the OpenStack-dev mailing list