[Openstack-operators] Dynamic Policy for Access Control

Tim Bell Tim.Bell at cern.ch
Mon Feb 23 16:41:14 UTC 2015


> -----Original Message-----
> From: Adam Young [mailto:ayoung at redhat.com]
> Sent: 23 February 2015 16:45
> To: openstack-operators at lists.openstack.org
> Subject: [Openstack-operators] Dynamic Policy for Access Control
> 
> "Admin can do everything!"  has been a common lament, heard for multiple
> summits.  Its more than just a development issue.  I'd like to fix that.  I think we
> all would.
> 
> 
> I'm looking to get some Operator input on the Dynamic Policy issue. I wrote up a
> general overview last fall, after the Kilo summit:
> 
> https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/
> 
> 
> Some of what I am looking at is:  what are the general roles that Operators
> would like to have by default when deploying OpenStack?
> 

As I described in http://openstack-in-production.blogspot.ch/2015/02/delegation-of-roles.html, we've got (mapped  per-project to an AD group)

- operator (start/stop/reboot/console)
- accounting (read ceilometer data for reporting)

> I've submitted a talk about policy for the Summit:
> https://www.openstack.org/vote-vancouver/presentation/dynamic-policy-for-
> access-control
> 
> If you want, please vote for it, but even if it does not get selected, I'd like to
> discuss Policy with the operators at the summit, as input to  the Keystone
> development effort.
> 

Sounds like a good topic for the ops meetup track.

> Feedback greatly welcome.
> 
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators



More information about the OpenStack-operators mailing list