[Openstack] [Keystone] Dynamic RBAC policy please?
Bruno L
teolupus.ext at gmail.com
Thu Feb 18 21:38:53 UTC 2016
Hi everyone,
I thought I'd pass on feedback from a Catalyst Cloud customer showing how
desperate people are for dynamic RBAC.
---
Subject: "kill me now"
"Sometimes Openstack just seems half-baked. None of the ACL / IAM we need
for an enterprise solution is actually there, so I'm resorting to splitting
things across multiple accounts, but then I run into problems when I want
something like private ..."
---
I don't know how other cloud service providers feel about this topic, but
here in New Zealand we have several customers (in particular large ones)
needing more granular access control. Ultimately customers want to be able
to define their own roles and policies, ideally to a very granular level
(eg: Application X role allows user to perform all actions on compute
instance with ID 1234).
We are aware of the work proposed by Adam Young from RedHat (
https://review.openstack.org/#/c/279379/) and think he is absolutely on the
right track. We are even keen to help with the development work related to
this blueprint.
My main concern here is that such a change requires coordinated effort
across all projects to adopt the new dynamic RBAC mechanism. The key word
here is "coordinated", because from a governance point of view I think
OpenStack is lacking a few mid-cycle meetings where all PTLs and TCs agree
on a handful of cross-project blueprints that are essential to advance
OpenStack and ensure that all project teams working on them.
Keen to hear your thoughts about this matter.
Cheers,
Bruno
Catalyst Cloud
http://www.catalyst.net.nz/catalyst-cloud
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160219/c4cde264/attachment.html>
More information about the Openstack
mailing list