[all][operator][policy] Operator feedback on "Consistent and Secure RBAC" (new design for RBAC)

Dan Smith dms at danplanet.com
Wed Jun 8 13:53:24 UTC 2022


> the system level of scope does not allow you to see everything across the system
> it only allows you to see the non project related resources
>
> so you can see the flavors and host aggregates but not the instances as instances are project scoped.
> and project scoped resources like ports, instances, images and volumes cannot be accessed with a system scope
> token if you enable scope enforcement.
>
> that is one of the things we want to get clarity on from operators.
> is the distinction between system level resources and project level resources useful.

Yep, exactly this. Given the amount of breakage it brings for things
like Heat and Tacker, as well as the potential workflow annoyance for
human admins, I really want to measure whether any operators see a
benefit here. The persona roles, things like a standardized service
role, and getting out of this current situation of having two sets of
defaults are priorities for me.

--Dan


