[all][operator][policy] Operator feedback on 'Consistent and Secure RBAC" (new design for RBAC)

Ghanshyam Mann gmann at ghanshyammann.com
Wed Jun 8 16:49:57 UTC 2022

 ---- On Wed, 08 Jun 2022 09:43:59 -0500 Dan Smith <dms at danplanet.com> wrote ----
 > Julia Kreger <juliaashleykreger at gmail.com> writes:
 > > Is that Nova's interpretation, specifically the delineation that
 > > non-project owned should only be viewable by system, or was system
 > > scope changed at some point? I interpreted it differently, but haven't
 > > circled back recently. I guess interpretation and evolution in
 > > specific pockets after initial implementation work started ultimately
 > > resulted in different perceptions.
 > Nope, not a Nova thing. Here's the relevant course correction from two
 > PTGs ago:
 > https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change
 > Mohammed is going to be there and primed to discuss this as well. I
 > think he's pretty well caught up on the current state of things. Having
 > your experience with what it means in Ironic, as well as his context
 > from the sticky implementation issues in the other projects should mean
 > we have pretty good coverage.

Yes. and it is more than just a single service use case especially when heat discussion[1]
came up and the scope complexity for heat/NVF users is brought up. We want to make
sure by introducing scope at the service level which is all good for us does not break
others users/tooling like heat, tacker, and deployment projects.

We discussed one solution for heat[2] which is sent on ML for feedback not still now response and that
is why operators' feedback is critical before we try to implement something that can break them.

[1] https://etherpad.opendev.org/p/rbac-zed-ptg#L104
[2] http://lists.openstack.org/pipermail/openstack-discuss/2022-May/028490.html


 > Thanks!
 > --Dan

More information about the openstack-discuss mailing list