[rbac][nova][cinder] Canned roles for service users / inter-service communication (e.g. event submission)

Christian Rohmann christian.rohmann at inovex.de
Thu Jun 9 10:39:44 UTC 2022

On 09/06/2022 11:11, Christian Rohmann wrote:
> And there are quite a few of those relations even with the most commonly 
> used services.
> Cinder -> nova, nova -> cinder, nova -> ironic, .... nova -> neutron, ....
> Are such canned RBAC rules for "special" inter service users on the 
> backlog somewhere? Or am I totally misconceiving the issue here?
> I know there is 
> https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#isolate-system-specific-api-policies 
> and also the question for feedback at 
> https://etherpad.opendev.org/p/rbac-operator-feedback, but that all 
> seems to focus on the impact of roles used by humans / users and not 
> about service roles at all. 

I just noticed that Christian Berendt does a forum talk on 
"Deprivilization of the internal service accounts" TODAY at 2:40pm - 
3:10pm at A05 on apparently that exact question :-)
