Does Openstack have the notion of tenant admin?

Jeremy Stanley fungi at yuggoth.org
Tue May 23 14:15:15 UTC 2023


On 2023-05-23 13:31:29 +0100 (+0100), Sean Mooney wrote:
> On Tue, 2023-05-23 at 13:19 +0100, wodel youchi wrote:
> > Does Openstack have the notion of tenant admin?
> 
> no it does not.
> 
> there is global admin or you can use member.
> 
> > If not, can a role be created to simulate such notion?
> 
> not really
> 
> you could use custom policy to simulate it but the real qustion
> you have to ask/answer is what woudl a teant admin be able to do
> that a project member cant.
[...]

Developers have been working recently on adding a read-only "reader"
role to their respective services as an initial phase of the
Consistent and Secure Default RBAC goal[*], so you might think of it
as people who need to be able to make changes to project resources
(project members) are conceptually akin to your tenant admin idea
while people who only need to be able to look at status and settings
for project resources (project readers) are limited to just those
capabilities and cannot make changes.

In phase 3, the plan (as it stands now) is to add a project
"manager" role which will gain exclusive control of lower level
resource API methods, further limiting the current project member
role.

[*] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230523/313c0b27/attachment.sig>


More information about the openstack-discuss mailing list