Xena PTG Policy Summary

Lance Bragstad lbragstad at gmail.com
Wed Apr 28 19:49:59 UTC 2021

Hey all,

Last week we spent a lot of time discussing RBAC, where everything stands,
and where we need to go to offer a consistent experience for operators and

We kept track of all the sessions in a single etherpad, which also served
as a place for daily summaries [0]. There is a lot of information in there,
but we started working through the action items and correlating them to
bugs or opening new bugs. Hopefully this helps us track progress through

One of the biggest outcomes from last week was the discussion about how
system users should interact with project-owned resources. For context,
administrators have always been able to do things for project users because
they both have project-scoped tokens. That's no longer going to be the case
as services adopt system-scope. We came up with an interesting way to solve
the problem and we compared it to other approaches. This all starts at
about line 136 in the etherpad [0]. Ultimately, we think it will be the
least invasive approach; we have a specification up for review [1] and a
PoC in flight [2].

Please look over the summary and links to any actionables for your project.
We can use this thread to discuss any questions if you have them.

Thanks again for all the dedication and focus on policy last week. I know
the discussions aren't easy and it's a tough problem to work through, but
landing something this big across OpenStack services will be a huge win for
operators and users.


[0] https://etherpad.opendev.org/p/policy-popup-xena-ptg
[1] https://review.opendev.org/c/openstack/keystone-specs/+/787640
[2] https://review.opendev.org/c/openstack/keystonemiddleware/+/787822
