[ops][heat][rbac] Call for feedback: Splitting stack to "system" stack and "project" stack

Takashi Kajinami tkajinam at redhat.com
Tue May 24 14:13:17 UTC 2022

This is a reminder of the feedback request.
We are trying to gather feedback until the next policy pop-up meeting (June
so I'd appreciate your (public or private) inputs !

On Wed, May 11, 2022 at 12:13 AM Takashi Kajinami <tkajinam at redhat.com>

> Hello,
> tl;dr
> We are looking for some feedback from anyone developing their tool/software
> creating/managing heat stacks, about the new requirement we are
> considering.
> Recently we've been discussing the issue with Heat and Secure RBAC work[1].
> The current target of SRBAC work requires the appropriate scope according
> to the resources.
>  - Project resources like instance, volume or network can be created by
> project-scoped token
>  - Project resources like flavor, user, project or role can be created by
> system-scoped token
> This is causing a problem with heat stacks which have both project
> resources
> and system resources, because heat currently uses the single token provided
> by the user in a single stack API call.
> As part of discussions we have discussed the "split stack" concept, which
> requires
> creating separate stacks per scope. This means If you want to create
> project resources
> and system resources by Heat, you should create two separate heat stacks
> and call
> heat stack api separately using different credentials.
> While we still need to investigate the feasibility of this option (eg. how
> smooth we can
> make the migration), we'd like to hear any feedback about the impact of
> the "split stack" concept
> on any external toolings depending on Heat, because this would require
> some workflow/architecture
> change in the toolings. If we hear many negative feedback/concerns then we
> would examine
> different approaches.
> Thank you,
> Takashi
> [1]
> https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220524/6a39eea6/attachment.htm>

More information about the openstack-discuss mailing list