[policy][keystone][nova][cyborg][barbican][neutron][manila][cinder] Policy Popup team progress report

Colleen Murphy colleen at gazlene.net
Wed Mar 4 21:26:45 UTC 2020

This is an update on the progress made within the Policy Popup team[1] so far
this cycle.

[1] https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team

Why This Is Important

Separating system, domain, and project-scope APIs and providing meaningful
default roles is critical to facilitating secure cloud deployments and to
fulfilling OpenStack's vision as a fully self-service infrastructure
provider[2]. Until all projects have completed this policy migration, the
"reader" role that exists in keystone is dangerously misleading, and the
`[oslo_policy]/enforce_scope` option has limited usefulness as long as projects
lack uniformity in how an administrator can use scoped APIs.

[2] https://governance.openstack.org/tc/reference/technical-vision.html#self-service

Project Progress


- Ussuri spec has merged[3]
- 28 changes implementing the spec have been merged[4]
- 39 additional changes have been proposed and are awaiting review[5]

[3] https://review.opendev.org/686058
[4] https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh+status:merged
[5] https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh+status:open


- Ussuri spec has merged[6] and a tracking story has been created[7]
- 2 changes to implement the spec have been proposed and are awaiting review[8]

[6] https://review.opendev.org/699099
[7] https://storyboard.openstack.org/#!/story/2007024
[8] https://review.opendev.org/#/q/project:openstack/cyborg+topic:policy-popup+status:open


- A table has been created outlining the required policy changes[9]
- No patches merged or proposed yet

[9] https://wiki.openstack.org/wiki/Barbican/Policy


- No planning document
- No patches merged or proposed yet


- No planning document
- No patches merged or proposed yet


- No planning document
- No patches merged or proposed yet

How You Can Help

If you are a contributor for these teams, please update the popup team wiki
page[10] as your project starts to plan and implement policy changes.

If you are a cloud operator, please help review the proposed policy rule
changes to sanity-check the new scope and role defaults and to help influence
these decisions.

[10] https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team


- Reach out at any time to the keystone team if you have questions on this
  popup team's goals.

- Colleen still seeking to be replaced as co-chair, please let me know if
  you're interested.

More information about the openstack-discuss mailing list