[ops][heat][rbac] Call for feedback: Splitting stack to "system" stack and "project" stack
tkajinam at redhat.com
Tue May 24 14:13:17 UTC 2022
This is a reminder of the feedback request.
We are trying to gather feedback until the next policy pop-up meeting (June
so I'd appreciate your (public or private) inputs !
On Wed, May 11, 2022 at 12:13 AM Takashi Kajinami <tkajinam at redhat.com>
> We are looking for some feedback from anyone developing their tool/software
> creating/managing heat stacks, about the new requirement we are
> Recently we've been discussing the issue with Heat and Secure RBAC work.
> The current target of SRBAC work requires the appropriate scope according
> to the resources.
> - Project resources like instance, volume or network can be created by
> project-scoped token
> - Project resources like flavor, user, project or role can be created by
> system-scoped token
> This is causing a problem with heat stacks which have both project
> and system resources, because heat currently uses the single token provided
> by the user in a single stack API call.
> As part of discussions we have discussed the "split stack" concept, which
> creating separate stacks per scope. This means If you want to create
> project resources
> and system resources by Heat, you should create two separate heat stacks
> and call
> heat stack api separately using different credentials.
> While we still need to investigate the feasibility of this option (eg. how
> smooth we can
> make the migration), we'd like to hear any feedback about the impact of
> the "split stack" concept
> on any external toolings depending on Heat, because this would require
> some workflow/architecture
> change in the toolings. If we hear many negative feedback/concerns then we
> would examine
> different approaches.
> Thank you,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openstack-discuss