[Forum] Feedback - Proposed Forum Schedule

Ben Nemec openstack at nemebean.com
Wed Mar 20 16:43:16 UTC 2019

On 3/20/19 11:29 AM, Lance Bragstad wrote:
> On 3/20/19 11:13 AM, Ben Nemec wrote:
>> On 3/20/19 10:21 AM, Mohammed Naser wrote:
>>> On Wed, Mar 20, 2019 at 10:40 AM Matt Riedemann <mriedemos at gmail.com>
>>> wrote:
>>>> On 3/18/2019 4:40 PM, melanie witt wrote:
>>>>> I wanted to run the idea by operators and users to get feedback.
>>>> Let me be frank and ask if we (nova) have specific operators and users
>>>> that are clamoring for these changes and if so, do they plan on not only
>>>> attending the session but engaging in the development of these pretty
>>>> massive shifts in how nova works? I know we've been talking about this
>>>> stuff for a long time, but the demand just doesn't feel like it's there
>>>> from the operators community, and as a development team we're already
>>>> spread thin.
>>> I think implementing the new RBAC stuff is pretty important.  We've had
>>> countless requests on things like a "read-only" user which is not currently
>>> achievable without quite a significant overhaul of the existing policies.
> I can only speak for keystone, but we're about halfway there. We have
> support for default roles (including `reader`) across many parts of the
> API and we've fixed scope types in a few places, too. There is still
> more work to do, but we always figured we would be one of the services to
> take the plunge on this front. I think that's a good thing though and we
> can share what speed bumps we've hit, if other services find that useful
> (this sounds like a PTG topic).
>> Yep, we have multiple customers who have asked for this and up until
>> now the only way we've been able to do it is to rewrite most of the
>> policy rules for every service. That's extremely error-prone and
>> difficult to maintain.
> ++
>> Also, doesn't this work address the longstanding complaint about there
>> being no way to scope an admin account to a single project?
> Correct, it gets us closer to solving that problem.
>> I know at one point we had someone who was doing work upstream to
>> improve this, but I think that kind of tailed off. It seems like there
>> is a compelling business case for us to have someone work on this, but
>> the business and I have disagreed on the definition of "compelling"
>> before, so I make no promises. :-)
> I suppose we have a couple of options. We can keep both sessions and
> make one to go through the migration (for all services). The other could
> go into how operators adopt what's been done upstream for `reader`
> roles. Colleen suggested something similar in the keystone meeting this
> week.

+1. It sounds like there is sufficient discussion material here to fill 
two sessions. I suppose if the operators nack the feature we might have 
a problem, but I don't anticipate that for the reasons I mentioned above.
