On 04/02/16 05:51, Michael Richardson wrote:
Hi all,
Is anyone using granular roles or groups, with fewer permissions granted than
_member_ ? If so, have you found a nice, simple (within the context of
OpenStack) method or scheme for:-
a) modifying the default "admin_or_owner" rules, which would otherwise match
any role as long as the tenant is correct,
b) handling the ubiquitous empty rules, (e.g. "<rule>":""), which also allow a
free pass, if reached.
By way of background, at the Mitaka Summit a call was made [0] for operators
to record changes they were making to their policy files. Most of the
examples given [1] are either for roles with permissions elevated above
_member_ (e.g. ProjectAdmin), or where the wider permissions also granted
(e.g. by a) and b), above) would not be a concern.
Cheers,
Michael
Just wanted to chime in and say, maybe this should be on the agenda of
the upcoming ops meetup as well ...
_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
