We need to make sure that the distinctions between user, projectadmin and admin are properly enforced. I'm sure the wikitech policies are correct, but the policy files for keystone, horizon and nova (and maybe glance and designate) could use a review and an audit.
Description
Details
Project | Branch | Lines +/- | Subject
---|---|---|---
operations/puppet | production | +37 -36 | Update designate policy.conf
operations/puppet | production | +59 -0 | Add a customized glance policy file.
operations/puppet | production | +255 -254 | nova policy.json updates

Status | Subtype | Assigned | Task
---|---|---|---
Open | | None | T138150 Purge stale data from LDAP
Resolved | | Andrew | T148781 Clean up ldap host entries and references
Resolved | | Krenair | T108625 Remove reliance on ldap $::projectid from shinkengen
Resolved | | Andrew | T42022 Add icinga checks for all nova, glance, and keystone related services
Open | | None | T90784 Monitor nova-scheduler log for lost contact with compute nodes
Resolved | | Andrew | T104575 Don't rely on wikitech API for production services
Resolved | | Andrew | T104588 Give 'novaobserver' keystone account rights to read everything, everywhere, write or change nothing
Declined | | None | T115026 Support a multi-domain model in keystone
Resolved | | Andrew | T115027 switch to keystone api v3
Resolved | | Andrew | T115029 Move project membership/assignment from ldap to keystone mysql
Resolved | | Andrew | T126765 Lock down access for new keystone role model

Event Timeline
Change 270781 had a related patch set uploaded (by Andrew Bogott):
nova policy.json updates
Change 270783 had a related patch set uploaded (by Andrew Bogott):
Add a customized glance policy file.
Change 270809 had a related patch set uploaded (by Andrew Bogott):
Update designate policy.conf