[Openstack-operators] Granular roles and policy.json modifications

Tom Fifield tom at openstack.org
Thu Feb 4 11:26:06 UTC 2016


On 04/02/16 05:51, Michael Richardson wrote:
> Hi all,
>
> Is anyone using granular roles or groups, with fewer permissions granted than
> _member_ ? If so, have you found a nice, simple (within the context of
> OpenStack) method or scheme for:-
>
> a) modifying the default "admin_or_owner" rules, which would otherwise match
> any role as long as the tenant is correct,
> b) handling the ubiquitous empty rules, (e.g. "<rule>":""), which also allow a
> free pass, if reached.
>
> By way of background, at the Mitaka Summit a call was made [0] for operators
> to record changes they were making to their policy files.  Most of the
> examples given [1] are either for roles with permissions elevated above
> _member_ (e.g. ProjectAdmin), or where the wider permissions also granted
> (e.g. by a) and b), above) would not be a concern.
>
> Cheers,
> Michael

Just wanted to chime in and say, maybe this should be on the agenda of 
the upcoming ops meetup as well ...
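
The two cases raised in the quoted question, a default "admin_or_owner" rule that passes on tenant match alone and empty rules that always pass, can be listed mechanically. The following is an added example, not part of the original thread and not oslo.policy's own code: a simplified evaluator for string-form policy rules that reports every rule a non-admin user holding only one restricted role would pass. The sample policy and the role name `readonly` are constructed for illustration.

```python
import json

# Constructed sample policy; rule names and values are illustrative only.
SAMPLE_POLICY = json.loads("""{
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "admin_api": "is_admin:True",
  "compute:get": "",
  "compute:start": "rule:admin_or_owner",
  "compute:delete": "rule:admin_or_owner and not role:readonly",
  "compute:create": "role:_member_ and project_id:%(project_id)s"
}""")

def check(tok, rules, creds, target, seen):
    """Evaluate one 'kind:match' check; anything unresolvable fails closed."""
    if tok in ("@", "!"):
        return tok == "@"
    kind, _, match = tok.partition(":")
    if kind == "rule":
        if match in seen or match not in rules:
            return False
        return allows(rules[match], rules, creds, target, seen | {match})
    if kind == "role":
        return match.lower() in creds["roles"]
    try:
        return kind in creds and match % target == str(creds[kind])
    except (KeyError, TypeError, ValueError):
        return False

def allows(rule, rules, creds, target, seen=frozenset()):
    """True if the rule string grants access to these credentials."""
    if rule in ("", []):
        return True  # empty rule: reached means allowed
    words = []
    for word in rule.split():
        core = word.lstrip("(")
        inner = core.rstrip(")")
        words.extend("(" * (len(word) - len(core)))
        if inner.lower() in ("and", "or", "not"):
            words.append(inner.lower())
        elif inner:
            words.append(str(check(inner, rules, creds, target, seen)))
        words.extend(")" * (len(core) - len(inner)))
    try:  # words holds only True/False, and/or/not and parentheses
        return bool(eval(" ".join(words), {"__builtins__": {}}))
    except SyntaxError:
        return False

def audit(rules, role="readonly"):
    """Rules passed by a non-admin holding only `role` in the owning tenant."""
    creds = {"roles": [role], "is_admin": False, "project_id": "p1"}
    target = {"project_id": "p1"}
    return sorted(n for n, r in rules.items() if allows(r, rules, creds, target))
```

Calling `audit()` on a loaded policy file gives the list of rules that would need an explicit role check before a role with fewer permissions than `_member_` is introduced.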


