[Openstack-operators] Granular roles and policy.json modifications

Michael Richardson michaelr at catalyst.net.nz
Fri Feb 5 06:08:43 UTC 2016


> On 04/02/16 05:51, Michael Richardson wrote:
>> Hi all,
>>
>> Is anyone using granular roles or groups, with fewer permissions granted than
>> _member_ ? If so, have you found a nice, simple (within the context of
>> OpenStack) method or scheme for:-
>>
>> a) modifying the default "admin_or_owner" rules, which would otherwise match
>> any role as long as the tenant is correct,
>> b) handling the ubiquitous empty rules, (e.g. "<rule>":""), which also allow a
>> free pass, if reached.
>>
>> By way of background, at the Mitaka Summit a call was made [0] for operators
>> to record changes they were making to their policy files.  Most of the
>> examples given [1] are either for roles with permissions elevated above
>> _member_ (e.g. ProjectAdmin), or where the wider permissions also granted
>> (e.g. by a) and b), above) would not be a concern.
>>
>> Cheers,
>> Michael
>
> On Fri, February 5, 2016 12:26 am, Tom Fifield wrote:
> Just wanted to chime in and say, maybe this should be on the agenda of
> the upcoming ops meetup as well ...

That would be brilliant.  Regrettably, it'll be difficult for me to be
there in person, though IRC and etherpads travel well.

On a related note, https://review.openstack.org/#/c/245629 may help to
some degree (in the fullness of time!).


-- 
Michael Richardson
Catalyst IT Limited
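
Points a) and b) in the quoted question can be checked mechanically. The following is an added example, not code from this thread or from OpenStack: a small evaluator for the string form of the policy language that reports every rule a non-admin token in the owning project would pass while holding only a hypothetical `restricted` role. The sample rules, the role name, and treating is_admin and unknown checks as deny are assumptions.

```python
import re

# Constructed sample in the style of a service policy.json; not from a real deployment.
SAMPLE_POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "compute:get_all": "",
    "compute:start": "rule:admin_or_owner",
    "compute:delete": "rule:admin_or_owner and role:operator",
    "compute:reboot": "(role:operator or role:admin) and not role:restricted",
}
TOKEN = re.compile(r"[^\s()]+(?:\([\w.]+\)s)?|[()]")  # keeps %(project_id)s whole

def passes(expr, policy, roles, seen=frozenset()):
    """Would a non-admin token scoped to the owning project, holding `roles`, pass?"""
    toks = TOKEN.findall(expr)
    def check(tok):
        kind, _, match = tok.partition(":")
        if kind == "rule":  # follow references, refusing cycles and unknown names
            return (match in policy and match not in seen
                    and passes(policy[match], policy, roles, seen | {match}))
        if kind == "role":
            return match in roles
        # Owner checks match by construction; is_admin and unknown checks are denied.
        return tok == "@" or (kind in ("project_id", "tenant_id", "user_id")
                              and match.startswith("%("))
    def atom():
        tok = toks.pop(0)
        if tok == "not":
            return not atom()
        if tok == "(":
            val = either()
            toks.pop(0)  # closing parenthesis
            return val
        return check(tok)
    def chain(op, operand):  # evaluate every operand so all tokens are consumed
        vals = [operand()]
        while toks and toks[0] == op:
            toks.pop(0)
            vals.append(operand())
        return vals
    def either():
        return any(chain("or", lambda: all(chain("and", atom))))
    return either() if toks else True  # an empty rule always passes

def audit(policy, roles=frozenset({"restricted"})):
    """Map rule name -> 'empty' or 'tenant-only' for every rule the restricted role passes."""
    return {name: ("tenant-only" if expr.strip() else "empty")
            for name, expr in policy.items()
            if isinstance(expr, str) and passes(expr, policy, roles)}
```

Only the string rule syntax is handled; rules written in the older list form are skipped rather than evaluated.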




