[User-committee] FW: [openstack-dev] [TripleO][keystone] Pt. 2 of Passing along some field feedback [public cloud providers]
Rochelle Grober
rochelle.grober at huawei.com
Fri Jun 30 23:48:32 UTC 2017
Hey folks.
This looked like something that might be important for public cloud providers and of interest to operators and folks in the user community.
Read-only roles can be very useful in large installations, especially multi-tenant and multi-ops-team environments.
--Rocky
-----Original Message-----
From: Lance Bragstad [mailto:lbragstad at gmail.com]
Sent: Wednesday, June 28, 2017 7:24 PM
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [TripleO][keystone] Pt. 2 of Passing along some field feedback
On 06/28/2017 03:20 PM, Ben Nemec wrote:
>
>
> On 06/28/2017 02:47 PM, Lance Bragstad wrote:
>>
>>
>> On 06/28/2017 02:29 PM, Fox, Kevin M wrote:
>>> I think everyone would benefit from a read-only role for keystone
>>> out of the box. Can we get this into keystone rather then in the
>>> various distro's?
>> Yeah - I think that would be an awesome idea. John Garbutt had some
>> good work on this earlier in the cycle. Most of it was documented in
>> specs [0] [1]. FWIW - this will be another policy change that is
>> going to have cross-project effects. It's implementation or impact
>> won't be isolated to keystone if we want read-only roles out-of-the-box.
>>
>> [0] https://review.openstack.org/#/c/427872/19
>> [1] https://review.openstack.org/#/c/428454/
>
> Cool, I will point our folks at those specs. I know doing a custom
> read-only role has been pretty painful, so I expect they would be very
> happy if this functionality could become standard.
Absolutely - it would be awesome to provide some standard roles out of the box (at least for the sake of interoperability). I'm happy to help in any way I can. We also have the weekly policy meeting that's focused on nailing down cross-project issues with policy [0].
[0] http://eavesdrop.openstack.org/#Keystone_Policy_Meeting
>
> Thanks for the replies.
>
> -Ben
>
> ______________________________________________________________________
> ____
>
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature.asc
URL: <http://lists.openstack.org/pipermail/user-committee/attachments/20170630/495f514c/attachment.sig>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt
URL: <http://lists.openstack.org/pipermail/user-committee/attachments/20170630/495f514c/attachment.txt>
More information about the User-committee
mailing list