[all][operator][policy] Operator feedback on 'Consistent and Secure RBAC' (new design for RBAC)

Sean Mooney smooney at redhat.com
Wed Jun 8 09:39:46 UTC 2022


On Wed, 2022-06-08 at 07:49 +0200, Julia Kreger wrote:
> On Tue, Jun 7, 2022 at 8:10 PM Ghanshyam Mann <gmann at ghanshyammann.com>
> wrote:
> 
> > Hello Everyone,
> > 
> > As you might know, we are redesigning the OpenStack default RBAC. The new
> > design targets two things:
> > 
> > 1. 'new defaults (reader role)'
> > 2. "Scope" concept
> > 
> > It is hard to explain the details in email but the below doc is a good
> > place to start understanding this:
> > -
> > https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
> > 
> > We as a community think 1st target (reader role) is a good thing to do and
> > it will definitely be useful
> > in many cases.
> > 
> > But we need feedback on the "Scope" concept. To understand what it is and
> > how it can impact your existing
> > use case/deployment, please ref the documentation mentioned in the
> > etherpad[1] (if there is any question
> > about its design/usage we are planning, feel free to reply here or contact
> > us in #openstack-tc IRC channel).
> > 
> > * If you are an operator, we really need your feedback if the 'Scope'
> > concept is a useful thing for your deployment/use-case
> >   or not.
> > 
> > * If you are attending events that have operators also attending (for example,
> > project operator feedback (like nova[2]), forum sessions
> >    in the Berlin summit, ops meetup or any local operator event), please
> > communicate about the required feedback.
> > 
> > * Due to various reasons, many of us involved in RBAC work are not
> > travelling to Berlin, and
> >    we have this topic to be discussed in the Berlin ops meetup[3], but we
> > require someone who knows the new RBAC design to moderate
> >    this topic. Please reach out to us if you would like to help.
> 
> 
> I previously volunteered to facilitate this at the operators meet up and
> given others have had to drop out, I discussed it with the ops meetup
> leaders and will be facilitating a session with the interested operators on
> Friday.
> 
> I know from previous discussions I’ve had, there was quite an interest in
> the system level of scope access to be able to see everything across a
> system, so I suspect there is tons of value there, but our developer
> perception is obviously different if we’re questioning it at this point.

The system level of scope does not allow you to see everything across the system;
it only allows you to see the non-project-related resources.

So you can see the flavors and host aggregates but not the instances, as instances are project scoped,
and project-scoped resources like ports, instances, images and volumes cannot be accessed with a system-scoped
token if you enable scope enforcement.

That is one of the things we want to get clarity on from operators:
is the distinction between system-level resources and project-level resources useful?
> 
> 
> > 
> > Central Etherpad to collect feedback (this can be used to collect from
> > various forums/places):
> > 
> > *  https://etherpad.opendev.org/p/rbac-operator-feedback
> > 
> > 
> > [1] https://etherpad.opendev.org/p/rbac-operator-feedback
> > [2] https://etherpad.opendev.org/p/nova-berlin-meet-and-greet
> > [3] https://etherpad.opendev.org/p/ops-meetup-berlin-2022-planning#L74
> > 
> > 
> > -gmann
> > 
> > 
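
The behaviour Sean describes (a system-scoped token can reach system-level resources such as flavors and host aggregates, but is refused on project-scoped resources such as servers once scope enforcement is enabled) can be shown with a small model. The code below is an added example written for this thread, not oslo.policy itself and not nova's real policy file: it mimics the effect of a rule's `scope_types` and of the `[oslo_policy] enforce_scope` option, and the rule names, role sets and tokens are constructed for the illustration.

```python
"""Toy model of OpenStack scope enforcement.

Added illustration, not oslo.policy: it imitates how a rule's scope_types
interact with the enforce_scope option. Rule names and role sets below are
constructed for this example and are not nova's actual policy.
"""
import warnings
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


class InvalidScope(Exception):
    """Raised when enforce_scope is on and the token's scope does not fit the rule."""


@dataclass(frozen=True)
class Token:
    roles: FrozenSet[str]
    project_id: Optional[str] = None     # present on a project-scoped token
    system_scope: Optional[str] = None   # "all" on a system-scoped token

    @property
    def scope(self) -> str:
        return "system" if self.system_scope else "project"


@dataclass(frozen=True)
class Rule:
    name: str
    roles: FrozenSet[str]        # toy role check standing in for the policy language
    scope_types: FrozenSet[str]  # token scopes the rule is valid for


class Enforcer:
    def __init__(self, rules: Iterable[Rule], enforce_scope: bool):
        self.rules: Dict[str, Rule] = {r.name: r for r in rules}
        self.enforce_scope = enforce_scope

    def enforce(self, rule_name: str, token: Token) -> bool:
        """Scope check first (hard failure or warning), then the role check."""
        rule = self.rules[rule_name]
        if token.scope not in rule.scope_types:
            if self.enforce_scope:
                raise InvalidScope(
                    f"{rule_name} requires {sorted(rule.scope_types)} scope, "
                    f"token is {token.scope} scoped")
            warnings.warn(f"{rule_name}: {token.scope}-scoped token accepted "
                          "because enforce_scope is off")
        return bool(rule.roles & token.roles)


def visible(enforcer: Enforcer, token: Token) -> FrozenSet[str]:
    """Rules the token passes; an InvalidScope rejection counts as not visible."""
    allowed = set()
    for name in enforcer.rules:
        try:
            if enforcer.enforce(name, token):
                allowed.add(name)
        except InvalidScope:
            pass
    return frozenset(allowed)


# Constructed rules: two system-level resources, two project-level ones.
RULES = [
    Rule("flavor:create", frozenset({"admin"}), frozenset({"system"})),
    Rule("aggregate:list", frozenset({"reader", "admin"}), frozenset({"system"})),
    Rule("server:list", frozenset({"reader", "member", "admin"}), frozenset({"project"})),
    Rule("server:create", frozenset({"member", "admin"}), frozenset({"project"})),
]

# Constructed tokens.
SYSTEM_ADMIN = Token(roles=frozenset({"admin", "reader"}), system_scope="all")
SYSTEM_READER = Token(roles=frozenset({"reader"}), system_scope="all")
PROJECT_MEMBER = Token(roles=frozenset({"member", "reader"}), project_id="p1")

STRICT = Enforcer(RULES, enforce_scope=True)   # scope enforcement enabled
LAX = Enforcer(RULES, enforce_scope=False)     # legacy behaviour: warn only

if __name__ == "__main__":
    for label, enf in (("enforce_scope=True", STRICT), ("enforce_scope=False", LAX)):
        for who, tok in (("system admin", SYSTEM_ADMIN),
                         ("system reader", SYSTEM_READER),
                         ("project member", PROJECT_MEMBER)):
            print(f"{label:20} {who:15} -> {sorted(visible(enf, tok))}")
```

With `enforce_scope=True` the system admin sees only `flavor:create` and `aggregate:list`, the system reader only `aggregate:list`, and the project member only the two `server:*` rules; with `enforce_scope=False` the system admin passes all four rules, with a warning on the project-scoped ones, which is the mismatch between operator expectation and the design that the thread is asking about.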

