Secure RBAC work

Lance Bragstad lbragstad at
Wed Dec 9 20:04:57 UTC 2020

Hey everyone,

I wanted to take an opportunity to clarify some work we have been doing
upstream, specifically modifying the default policies across projects.

These changes are the next phase of an initiative that’s been underway
since Queens to fix some long-standing security concerns in OpenStack [0].
For context, we have been gradually improving policy enforcement for years.
We started by improving policy formats, registering default policies into
code [1], providing better documentation for policy writers, implementing
necessary identity concepts in keystone [2], developing support for those
concepts in libraries [3][4][5][6][7][8], and consuming all of those
changes to provide secure default policies in a way operators can consume
and roll out to their users [9][10].

All of this work is in line with some high-level documentation we started
writing about three years ago [11][12][13].

There are a handful of services that have implemented the goals that define
secure RBAC by default, but a community-wide goal is still out-of-reach. To
help with that, the community formed a pop-up team with a focused objective
and disbanding criteria [14].

The work we currently have in progress [15] is an attempt to start applying
what we have learned from existing implementations to other projects. The
hope is that we can complete the work for even more projects in Wallaby.
Most deployers looking for this functionality won't be able to use it
effectively until all services in their deployment support it.

I hope this helps clarify or explain the patches being proposed.

As always, I'm happy to elaborate on specific concerns if folks have them.


















-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openstack-discuss mailing list