In theory the new Keystone role model supports a model closer to the model that we've set up with custom policies. Let's see which of our customizations we can remove in favor of standard upstream models.
Description
Description
Details
Details
Customize query in gerrit
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | Andrew | T276018 Investigate new roles and policies in openstack Xena | |||
| Resolved | Andrew | T274385 rework novaadmin and novaobserver project memberships | |||
| Resolved | Andrew | T279845 Openstack policy tests | |||
| Open | Andrew | T330759 Modernize openstack rbac | |||
| Resolved | BUG REPORT | bd808 | T331674 Some tool maintainers not showing in Striker UI following config change | ||
| Resolved | Andrew | T336670 openstack cli: clarify and document usage | |||
| Open | None | T336678 wmcs cookbooks: automate reset nova state of a VM | |||
| Open | Andrew | T337577 Replace use of openstack environment settings with clouds.yaml |
Event Timeline
Comment Actions
It looks like the reader/member/admin model is in Keystone Train but didn't make it to nova until Ussuri. So there are limited things we can do with this immediately.
I'm going to rename 'observer' to 'reader' so that we've taken at least one step in the right direction before the upgrade to U.
Comment Actions
Change 668789 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] cloud-vps rename 'observer' role to 'reader'
Comment Actions
Change 668789 merged by Andrew Bogott:
[operations/puppet@production] cloud-vps rename 'observer' role to 'reader'
Comment Actions
Mentioned in SAL (#wikimedia-cloud) [2021-03-05T21:40:49Z] <andrewbogott> replacing 'observer' role with 'reader' role in eqiad1 T276018
Comment Actions
The next thing we can do to converge on Ussuri standards is to locate all the "" policies in our policy.yaml files that correspond to an upstream default of 'owner' or 'admin_or_owner'. The effect of a "" policy is to provide access to any project member which is ~ the same as what 'owner' means in the upstream defaults and what will become 'reader' access in future releases.
Comment Actions
I'm marking this as blocked so it can wait for future OpenStack upgrades. It will be a lot easier to simplify our policies when we have existing upstream policies in code to compare with.
Comment Actions
Change 675204 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] keystone policy.yaml: reformat yaml
Comment Actions
Change 675204 merged by Andrew Bogott:
[operations/puppet@production] keystone policy.yaml: reformat yaml
Comment Actions
Change 675205 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] Keystone policy.yaml: apply changes from oslopolicy-policy-upgrade
Comment Actions
Change 675205 merged by Andrew Bogott:
[operations/puppet@production] Keystone policy.yaml: apply changes from oslopolicy-policy-upgrade
Comment Actions
I just overheard people in the Horizon irc channel talking about future support for scoped roles, so we probably don't want to adopt them just yet.
Comment Actions
Change 681101 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] OpenStack Keystone: Remove some unneeded policy rules
Comment Actions
Change 681101 merged by Andrew Bogott:
[operations/puppet@production] OpenStack Keystone: Remove some unneeded policy rules