[Openstack-operators] Dynamic Policy for Access Control
Marc Heckmann
marc.heckmann at ubisoft.com
Tue Apr 7 15:36:27 UTC 2015
My apologies for not seeing this sooner as the topic is of great
interest. My comments below inline..
On Mon, 2015-02-23 at 16:41 +0000, Tim Bell wrote:
> > -----Original Message-----
> > From: Adam Young [mailto:ayoung at redhat.com]
> > Sent: 23 February 2015 16:45
> > To: openstack-operators at lists.openstack.org
> > Subject: [Openstack-operators] Dynamic Policy for Access Control
> >
> > "Admin can do everything!" has been a common lament, heard for multiple
> > summits. Its more than just a development issue. I'd like to fix that. I think we
> > all would.
> >
> >
> > I'm looking to get some Operator input on the Dynamic Policy issue. I wrote up a
> > general overview last fall, after the Kilo summit:
> >
> > https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/
I agree with everything in that post.
I would add the following comments:
1. I doubt this will change, but to be clear, we cannot lose the ability
to create custom roles and limit the capabilities of the standard roles.
For example, if I wanted to limit the ability to make images public or
limit the ability to associate a floating IP.
2. This work should not be done in vacuum. Ideally, Horizon support for
assigning roles to users and editing policy should be released at the
same time or not long after. I realize that this is easier said than
done, but it will be important in order for the feature to get used.
> >
> >
> > Some of what I am looking at is: what are the general roles that Operators
> > would like to have by default when deploying OpenStack?
> >
>
> As I described in http://openstack-in-production.blogspot.ch/2015/02/delegation-of-roles.html, we've got (mapped per-project to an AD group)
>
> - operator (start/stop/reboot/console)
> - accounting (read ceilometer data for reporting)
>
> > I've submitted a talk about policy for the Summit:
> > https://www.openstack.org/vote-vancouver/presentation/dynamic-policy-for-
> > access-control
> >
> > If you want, please vote for it, but even if it does not get selected, I'd like to
> > discuss Policy with the operators at the summit, as input to the Keystone
> > development effort.
> >
>
> Sounds like a good topic for the ops meetup track.
>
> > Feedback greatly welcome.
> >
> > _______________________________________________
> > OpenStack-operators mailing list
> > OpenStack-operators at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
More information about the OpenStack-operators
mailing list