[all][operator][policy] Operator feedback on 'Consistent and Secure RBAC' (new design for RBAC)

Julia Kreger juliaashleykreger at gmail.com
Wed Jun 8 05:49:18 UTC 2022

On Tue, Jun 7, 2022 at 8:10 PM Ghanshyam Mann <gmann at ghanshyammann.com> wrote:

> Hello Everyone,
> As you might know, we are redesigning the OpenStack default RBAC. The new
> design targets two things:
> 1. 'new defaults (reader role)'
> 2. "Scope" concept
> It is hard to explain the details in email but the below doc is a good
> place to start understanding this:
> -
> https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
> We as a community think the 1st target (reader role) is a good thing to do and
> it will definitely be useful
> in many cases.
> But we need feedback on the "Scope" concept. To understand what it is and
> how it can impact your existing
> use case/deployment, please refer to the documentation mentioned in the
> etherpad[1] (if there is any question
> about its design/usage we are planning, feel free to reply here or contact
> us in #openstack-tc IRC channel).
> * If you are an operator, we really need your feedback if the 'Scope'
> concept is a useful thing for your deployment/use-case
>   or not.
> * If you are attending events that have operators also attending (for example,
> project operator feedback (like nova[2]), forum sessions
>    in the Berlin summit, ops meetup or any local operator event), please
> communicate about the required feedback.
> * Due to various reasons, many of us involved in RBAC work are not
> travelling to Berlin and
>    we have this topic to be discussed in the Berlin ops meetup[3] but we
> require someone who knows the new RBAC design to moderate
>    this topic. Please reach out to us if you would like to help.

I previously volunteered to facilitate this at the operators meet up and
given others have had to drop out, I discussed it with the ops meetup
leaders and will be facilitating a session with the interested operators on

I know from previous discussions I’ve had, there was quite an interest in
the system level of scope access to be able to see everything across a
system, so I suspect there is tons of value there, but our developer
perception is obviously different if we’re questioning it at this point.

> Central Etherpad to collect feedback (this can be used to collect from
> various forums/places):
> *  https://etherpad.opendev.org/p/rbac-operator-feedback
> [1] https://etherpad.opendev.org/p/rbac-operator-feedback
> [2] https://etherpad.opendev.org/p/nova-berlin-meet-and-greet
> [3] https://etherpad.opendev.org/p/ops-meetup-berlin-2022-planning#L74
> -gmann