[Openstack-operators] Granular roles and policy.json modifications

Michael Richardson michaelr at catalyst.net.nz
Wed Feb 3 21:51:53 UTC 2016

Hi all,

Is anyone using granular roles or groups, with fewer permissions granted than 
_member_ ? If so, have you found a nice, simple (within the context of 
OpenStack) method or scheme for:-

a) modifying the default "admin_or_owner" rules, which would otherwise match 
any role as long as the tenant is correct,
b) handling the ubiquitous empty rules (e.g. "<rule>":""), which also allow a 
free pass, if reached.

By way of background, at the Mitaka Summit a call was made [0] for operators 
to record changes they were making to their policy files.  Most of the 
examples given [1] are either for roles with permissions elevated above 
_member_ (e.g. ProjectAdmin), or where the wider permissions also granted 
(e.g. by a) and b), above) would not be a concern.


[0] http://lists.openstack.org/pipermail/openstack-operators/2015-October/008547.html
[1] https://etherpad.openstack.org/p/mitaka-ops-policy-modifications

Michael Richardson
Catalyst IT Limited
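
Added example, not part of the original post: a small audit that lists which rules in a policy file a token holding only a restricted role would still pass, covering both cases raised above (a rule that resolves to "admin_or_owner", and an empty rule). The sample policy and the role name `readonly` are constructed for illustration, the caller is assumed to be in the owning tenant, and the evaluator handles only flat "or"/"and" rule strings, not parentheses or "not".

```python
import json

# Constructed sample in the style of a service policy.json (not from the post).
SAMPLE_POLICY = json.loads("""{
  "context_is_admin": "role:admin",
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "admin_api": "is_admin:True",
  "default": "rule:admin_or_owner",
  "compute:get": "",
  "compute:start": "rule:admin_or_owner",
  "compute:delete": "role:_member_ and project_id:%(project_id)s",
  "compute:migrate": "rule:admin_api"
}""")

def atom_passes(atom, policy, roles, seen):
    """One check, evaluated for a non-admin token in the owning tenant."""
    atom = atom.strip()
    if atom in ("", "@"):              # empty rule or always-true check
        return True
    kind, _, match = atom.partition(":")
    if kind == "rule":                 # reference to another named rule
        return rule_passes(match, policy, roles, seen)
    if kind == "role":
        return match in roles
    # Generic checks such as project_id:%(project_id)s compare the token with
    # the target; assumed to match because the caller is in the right tenant.
    # Literal comparisons such as is_admin:True are treated as failing.
    return match.startswith("%(")

def rule_passes(name, policy, roles, seen=frozenset()):
    """Evaluate a rule written as OR-of-ANDs (no parentheses, no 'not')."""
    if name in seen or name not in policy:   # cycle or missing rule: deny
        return False
    seen = seen | {name}
    return any(all(atom_passes(a, policy, roles, seen) for a in alt.split(" and "))
               for alt in policy[name].split(" or "))

def audit(policy, roles):
    """Map each rule the restricted token would pass to the reason why."""
    findings = {}
    for name, text in policy.items():
        if not text.strip():
            findings[name] = "empty rule"
        elif rule_passes(name, policy, roles):
            findings[name] = "passes for roles: " + ",".join(sorted(roles))
    return findings

if __name__ == "__main__":
    for rule, why in audit(SAMPLE_POLICY, {"readonly"}).items():
        print(f"{rule}: {why}")
```

Every rule it reports for the restricted role is one that would need an explicit role check added before that role can be treated as narrower than _member_.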

