[Forum] Feedback - Proposed Forum Schedule

Colleen Murphy colleen at gazlene.net
Wed Mar 20 16:26:17 UTC 2019

On Wed, Mar 20, 2019, at 5:14 PM, Ben Nemec wrote:
> On 3/20/19 10:21 AM, Mohammed Naser wrote:
> > On Wed, Mar 20, 2019 at 10:40 AM Matt Riedemann <mriedemos at gmail.com> wrote:
> >>
> >> On 3/18/2019 4:40 PM, melanie witt wrote:
> >>> I wanted to run the idea by operators and users to get feedback.
> >>
> >> Let me be frank and ask if we (nova) have specific operators and users
> >> that are clamoring for these changes and if so, do they plan on not only
> >> attending the session but engaging in the development of these pretty
> >> massive shifts in how nova works? I know we've been talking about this
> >> stuff for a long time, but the demand just doesn't feel like it's there
> >> from the operators community, and as a development team we're already
> >> spread thin.
> > 
> > I think implementing the new RBAC stuff is pretty important.  We've had
> > countless requests on things like a "read-only" user which is not currently
> > achievable without quite a significant overhaul of the existing policies.
> Yep, we have multiple customers who have asked for this and up until now 
> the only way we've been able to do it is to rewrite most of the policy 
> rules for every service. That's extremely error-prone and difficult to 
> maintain.
> Also, doesn't this work address the longstanding complaint about there 
> being no way to scope an admin account to a single project?
> I know at one point we had someone who was doing work upstream to 
> improve this, but I think that kind of tailed off. It seems like there 
> is a compelling business case for us to have someone work on this, but 
> the business and I have disagreed on the definition of "compelling" 
> before, so I make no promises. :-)

Yes, part of this discussion is about addressing that scope-to-not-everything problem, which we want to address with system scope. But that involves redefining service APIs to understand the difference between system and project scope, and re-training operators and users to use the correct scope for the correct context. So it's a useful conversation to have with both developers and operators in the room.


More information about the openstack-discuss mailing list