> -----Original Message----- > From: Adam Young [mailto:ayoung at redhat.com] > Sent: 23 February 2015 16:45 > To: openstack-operators at lists.openstack.org > Subject: [Openstack-operators] Dynamic Policy for Access Control > > "Admin can do everything!" has been a common lament, heard for multiple > summits. Its more than just a development issue. I'd like to fix that. I think we > all would. > > > I'm looking to get some Operator input on the Dynamic Policy issue. I wrote up a > general overview last fall, after the Kilo summit: > > https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/ > > > Some of what I am looking at is: what are the general roles that Operators > would like to have by default when deploying OpenStack? > As I described in http://openstack-in-production.blogspot.ch/2015/02/delegation-of-roles.html, we've got (mapped per-project to an AD group) - operator (start/stop/reboot/console) - accounting (read ceilometer data for reporting) > I've submitted a talk about policy for the Summit: > https://www.openstack.org/vote-vancouver/presentation/dynamic-policy-for- > access-control > > If you want, please vote for it, but even if it does not get selected, I'd like to > discuss Policy with the operators at the summit, as input to the Keystone > development effort. > Sounds like a good topic for the ops meetup track. > Feedback greatly welcome. > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators