Review usage of oslo-privsep library on Nova

Registered by Sylvain Bauza

Nova's usage of the privsep library is too broad. A single global permission
profile, holding every capability that any privileged function needs, is shared
by all functions that go through privsep. While this works, it is not the best
use of the library: each function receives a set of rights it does not need and
thus should not receive. This spec seeks to fix this situation by defining a
more specialized usage of the library.

Blueprint information

Status: Not started
Approver: Balazs Gibizer
Priority: Undefined
Drafter: Jorge San Emeterio
Direction: Approved
Assignee: Jorge San Emeterio
Definition: Approved
Series goal: Accepted for antelope
Implementation: Deferred
Milestone target: None

Whiteboard

[20230116 bauzas] Spec approved for 2023.1 cycle https://review.opendev.org/c/openstack/nova-specs/+/865432

Gerrit topic: https://review.opendev.org/#/q/topic:privsep-usage-review

Addressed by: https://review.opendev.org/c/openstack/nova/+/872010
    WIP: Moving privsep profiles to nova/__init__.py

Addressed by: https://review.opendev.org/c/openstack/nova/+/871729
    Dividing global privsep profile

Addressed by: https://review.opendev.org/c/openstack/nova/+/875497
    WIP: Creating an example of the refactor privileged functions will go through.

[20230307 bauzas] Deferred as implementation not merged in 2023.1
