[ptg] Secure RBAC and Policy Xena PTG sessions

Lance Bragstad lbragstad at gmail.com
Wed Apr 7 18:53:57 UTC 2021


Hey all,

Several projects are working through RBAC overhauls and naturally sessions
are cropping up for the PTG.

I tried bouncing around to various policy sessions during the Wallaby PTG,
but I didn't plan things out very well. As a result, I missed sessions, had
duplicate conversations with multiple groups, and ended up being more
reactive than I'd like.

To prevent that, Ghanshyam and I have condensed all the policy/RBAC
sessions we know about in a single etherpad [0].

I know most projects are still firming up their schedules, but I've written
down the session times that we know of and organized them chronologically.
My hope is that this will help us group similar discussions and reach
broader consensus on topics easier and quicker.

For example, keystone and nova have a cross-project session on Thursday to
discuss how nova should handle consuming system-scoped tokens for
project-specific operations. This topic certainly isn't exclusive to nova.
It'll impact just about every other service and approaching it consistently
will be huge for end users and operators. Another good example of this
would be the glance refactor to integrate system-scope support we're going
to talk about on Wednesday (cinder and barbican are potentially facing very
similar refactors). Each session in the etherpad [0] has topics, so if a
topic sounds relevant to your service, please feel free to drop into those
discussions.

A rough outline is that:

- Monday we're going to focus on QA and general policy problems (e.g.,
converting tempest to use system-scope, the JSON->YAML community goal,
overall status from Wallaby, etc.)
- Tuesday we're going to find ways to adopt system-scope in cinder
- Wednesday we're going to work through system-scope adoption, the meta
definitions API, and test coverage in glance
- Thursday we're going to discuss what the experience should be like for
operators using system-scoped tokens to do project-specific operations with
nova (e.g., rebooting instances)

I'm contemplating hosting a 30 minute recap session on Friday that attempts
to summarize everything from the week regarding RBAC discussions. If that
sounds useful, I'll ask Kristi if I can use one of the keystone sessions
for that recap.

I know, this feels like a lot of focus for one thing and I appreciate
everyone's help working through this stuff. But, I'm hopeful that better
organization throughout the PTG week will result in less confusion about
what we plan to do in Xena with RBAC so we can deliver something useful to
users and operators.

Thanks,

Lance

[0] https://etherpad.opendev.org/p/policy-popup-xena-ptg