Consistent and Secure RBAC Cleanup
The "Consistent and Secure RBAC" community goal is being revised (again) after receiving feedback from operators at the OpenStack summit. What this means for Cinder is that the work we did in Xena and Yoga mostly satisfies the goal. What remains is to do some cleanup:
- Revise the comment and strategy outlined in [0]. We won't be adding scope_types to any of the rules, and we won't be using any checkstrings that contain a "system_scope:XXX" specification.
- Verify that the policies-in-code behave as follows:
* the deprecated policies in effect when oslo.policy is configured with 'enforce_
* when oslo.policy is configured with 'enforce_
- Abandon the currently proposed policy matrix for Zed [1] and replace it with an updated version of the Yoga matrix (possibly restoring the legacy admin and legacy user columns from the Xena matrix, since that would give operators the entire picture of what you can expect based on your setting of enforce_
- Add cinder-
What we will *not* be doing:
- support for the project-manager persona
- isolating service API calls and implementing some kind of service role (it's still not clear exactly what would satisfy this)
[0] https:/
[1] https:/
Blueprint information
- Status: Started
- Approver: Rajat Dhasmana
- Priority: Undefined
- Drafter: Brian Rosmaita
- Direction: Approved
- Assignee: Brian Rosmaita
- Definition: Approved
- Series goal: Accepted for zed
- Implementation: Started
- Milestone target: zed-3
- Started by: Brian Rosmaita
- Completed by:
Whiteboard
https:/
Cinder tempest plugin tests