[all][operator][policy] Operator feedback on 'Consistent and Secure RBAC" (new design for RBAC)

Julia Kreger juliaashleykreger at gmail.com
Thu Jun 9 08:55:27 UTC 2022


On Wed, Jun 8, 2022 at 9:53 AM Ghanshyam Mann <gmann at ghanshyammann.com> wrote:
>
>  ---- On Wed, 08 Jun 2022 09:48:04 -0500 Sean Mooney <smooney at redhat.com> wrote ----

[trim]

>  > so the dicusion of RBAC is not finalised but a direction has been chosen and there is a certin amount of moment behind it now.
>  > parts of the design can still change an evlonve but other parts are more concrate like the reader role.
>


> True, our overall goal is to ship improvement without breaking any use case. For example, 'scope' can be good
> for just nova admin/users but from heat, tacker users these might be breaking change more than improvement
> so we want to make sure what operators think by considering all use cases.
>
> -gmann

So, one thought. Ironic views system scope as *critical* for our usage
based upon the consensus we built before the direction change, because
the system fundamentally is the owner/manager of $things. We can and
likely should extend that out to project admin (granted, I suspect at
least one ironic admin will reply with a strong -1 to such a change...
:\. ) given the direction change. We also have had some operators jump
on it, but... again, entirely different models of usage/interaction
given the base state. If system scope were to suddenly disappear or be
completely redefined, it would be a hard break for us at this point.

>
>  > >
>  > > Granted, I get that the system scope ideas were breaking for some
>  > > projects in specific use patterns since not everything would be the
>  > > same nor possible (which is actually a good thing, context of use and
>  > > all), but it was in theory perfect for a lot of the external audit
>  > > tooling use cases which arise in so many different ways.
>  > >
>  > > Anyway, off to the next $thing with my scattered brain.
>  > >
>  > > On Wed, Jun 8, 2022 at 6:53 AM Dan Smith <dms at danplanet.com> wrote:
>  > > >
>  > > > > the system level of scope does not allow you to see everything across the system
>  > > > > it only allows you to see the non project related resouces
>  > > > >
>  > > > > so you can see the flavors and host aggreates but not the instances as instances are project scoped.
>  > > > > and project scoped resouces like ports, instances, images and volumes cannot be accessed with a system scope
>  > > > > token if you enabel scope enforcement.
>  > > > >
>  > > > > that is one of the things we want to get clarity on form operators.
>  > > > > is the disticntion between system level resouces and project level resouces useful.
>  > > >
>  > > > Yep, exactly this. Given the amount of breakage it brings for things
>  > > > like Heat and Tacker, as well as the potential workflow annoyance for
>  > > > human admins, I really want to measure whether any operators see a
>  > > > benefit here. The persona roles, things like a standardized service
>  > > > role, and getting out of this current situation of having two sets of
>  > > > defaults are priorities for me.
>  > > >
>  > > > --Dan
>  > >
>  >
>  >
>  >



More information about the openstack-discuss mailing list