> On 04/02/16 05:51, Michael Richardson wrote: >> Hi all, >> >> Is anyone using granular roles or groups, with fewer permissions granted >> than >> _member_ ? If so, have you found a nice, simple (within the context of >> OpenStack) method or scheme for:- >> >> a) modifying the default "admin_or_owner" rules, which would otherwise >> match >> any role as long as the tenant is correct, >> b) handling the ubiquitous empty rules, (e.g. "<rule>":""), which also >> allow a >> free pass, if reached. >> >> By way of background, at the Mitaka Summit a call was made [0] for >> operators >> to record changes they were making to their policy files. Most of the >> examples given [1] are either for roles with permissions elevated above >> _member_ (e.g. ProjectAdmin), or where the wider permissions also >> granted >> (e.g. by a) and b), above) would not be a concern. >> >> Cheers, >> Michael > > On Fri, February 5, 2016 12:26 am, Tom Fifield wrote: > Just wanted to chime in and say, maybe this should be on the agenda of > the upcoming ops meetup as well ...
That would be brilliant. Regrettably, it'll be difficult for me to be there in person, though IRC and etherpads travel well. On a related note, https://review.openstack.org/#/c/245629 may help to some degree (in the fullness of time!). -- Michael Richardson Catalyst IT Limited _______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators