My apologies for not seeing this sooner as the topic is of great interest. My comments below inline..
On Mon, 2015-02-23 at 16:41 +0000, Tim Bell wrote: > > -----Original Message----- > > From: Adam Young [mailto:ayo...@redhat.com] > > Sent: 23 February 2015 16:45 > > To: openstack-operators@lists.openstack.org > > Subject: [Openstack-operators] Dynamic Policy for Access Control > > > > "Admin can do everything!" has been a common lament, heard for multiple > > summits. Its more than just a development issue. I'd like to fix that. I > > think we > > all would. > > > > > > I'm looking to get some Operator input on the Dynamic Policy issue. I wrote > > up a > > general overview last fall, after the Kilo summit: > > > > https://adam.younglogic.com/2014/11/dynamic-policy-in-keystone/ I agree with everything in that post. I would add the following comments: 1. I doubt this will change, but to be clear, we cannot lose the ability to create custom roles and limit the capabilities of the standard roles. For example, if I wanted to limit the ability to make images public or limit the ability to associate a floating IP. 2. This work should not be done in vacuum. Ideally, Horizon support for assigning roles to users and editing policy should be released at the same time or not long after. I realize that this is easier said than done, but it will be important in order for the feature to get used. > > > > > > Some of what I am looking at is: what are the general roles that Operators > > would like to have by default when deploying OpenStack? > > > > As I described in > http://openstack-in-production.blogspot.ch/2015/02/delegation-of-roles.html, > we've got (mapped per-project to an AD group) > > - operator (start/stop/reboot/console) > - accounting (read ceilometer data for reporting) > > > I've submitted a talk about policy for the Summit: > > https://www.openstack.org/vote-vancouver/presentation/dynamic-policy-for- > > access-control > > > > If you want, please vote for it, but even if it does not get selected, I'd > > like to > > discuss Policy with the operators at the summit, as input to the Keystone > > development effort. > > > > Sounds like a good topic for the ops meetup track. > > > Feedback greatly welcome. > > > > _______________________________________________ > > OpenStack-operators mailing list > > OpenStack-operators@lists.openstack.org > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators _______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
