Policy Service Role Default

Registered by Ghanshyam Mann

Ideally, all internal service-to-service APIs should not be accessible
by admins or end users by default. The policy defaults should make
clear which APIs are meant to be used by admins or end users and
which are for internal service-to-service API communication.

This is a community-wide goal to isolate service-to-service APIs to the 'service' role.

Details: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2

Blueprint information

Status: Not started
Approver: sean mooney
Priority: Undefined
Drafter: Ghanshyam Mann
Direction: Approved
Assignee: Ghanshyam Mann
Definition: Approved
Series goal: Accepted for bobcat
Implementation: Deferred
Milestone target: None

Whiteboard

[20221115 bauzas] Spec approved https://review.opendev.org/c/openstack/nova-specs/+/864379

Gerrit topic: https://review.opendev.org/#/q/topic:bp/policy-service-role-default

Addressed by: https://review.opendev.org/c/openstack/nova/+/864594
    Add service role in nova policy

[20230307 bauzas] Deferred as implementation not merged in 2023.1

Addressed by: https://review.opendev.org/c/openstack/nova-specs/+/881880
    Re-propose "Policy service role spec"

[20230707 bauzas] Spec approved for Bobcat https://review.opendev.org/c/openstack/nova-specs/+/881880

Gerrit topic: https://review.opendev.org/#/q/topic:service-role

Addressed by: https://review.opendev.org/c/openstack/nova/+/892633
    Add service role in server_external_events API

Addressed by: https://review.opendev.org/c/openstack/nova/+/892635
    Add service role in assisted_volume_snapshots APIs

[20230905 bauzas] Deferred as implementation not merged in 2023.2
