...

The good news is that we have two proposals on the table for solving this issue. I've attempted to summarize these two approaches in a separate thread on the operator and dev mailing lists [3] [4]. Where I'd love to get feedback with respect to this specific policy problem is how operators ideally want to manage global privileges in OpenStack. Do they want to have a single `admin_project` specified in configuration, with all global assignments derived from that project? Or do they want us to introduce global role assignments [5]?

  Comments...

Operation and Role Discoverability 

...

 

I'd love feedback here.

  Comments...

Enhancing Policy 

 

Outside of the first two topics, this seems to be the catch-all for everything else we could do to make policy/RBAC easier. I've had discussions with various members of other projects about standardizing a new set of roles across OpenStack and moving to those by default [7] [8]. If you've used GCE, they have a *ton* of roles set up for your account by default when you sign up. It'd be great to try and strive for something like that with OpenStack (I think this would be a huge interoperability win for OpenStack because it would eliminate the need for most custom policies, I hope anyway). In addition to having better defaults, it would be nice to build on all this work to find a way to do per-resource policy. For example, if we're both members of the same project and I go on vacation, it would be great for me to set up a policy that lets you reboot my instance if it starts acting up (this is kind of similar to what AWS does with policy, which is light-years from where we are today). I haven't been able to come up with a solution for this yet, but I would also classify it as a long-term policy goal at this point with all the other work we have to do.

...

I'd love to hear what long-term things operators want from policy/RBAC in general so we can start thinking about those things now.

  Comments...

 

Thanks for taking point on this, Gage. I appreciate you being the liaison here. Let me know if there is anything about this note that needs further clarification.

...