On 09/06/2022 11:11, Christian Rohmann wrote:
> And there are quite few of those relations even with the most commonly
> used services.
> Cinder -> nova, nova-> cinder, nova->ironic, .... nova-> neutron, ....
>
> Are such canned RBAC rules for "special" inter service users on the
> backlog somewhere? Or am I totally misconceiving the issue here?
>
> I know there is
> https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#isolate-system-specific-api-policies
> and also the question for feedback at
> https://etherpad.opendev.org/p/rbac-operator-feedback, but that all
> seems to focus on the impact of roles used by humans / users and not
> about service roles at all.

I just noticed that Christian Berendt does a forum talk on "Deprivilization of the internal service accounts" TODAY at 2:40pm - 3:10pm at A05 on apparently that exact question :-)

Regards

Christian