In theory the new Keystone role model supports something closer to the model we've set up with custom policies. Let's see which of our customizations we can remove in favor of standard upstream models.
Status   | Assignee | Task
Open     | Andrew   | T276018 Investigate new roles and policies in openstack Xena
Resolved | Andrew   | T274385 rework novaadmin and novaobserver project memberships
Resolved | Andrew   | T279845 Openstack policy tests
It looks like the reader/member/admin model is in Keystone Train but didn't make it to nova until Ussuri. So there are limited things we can do with this immediately.
I'm going to rename 'observer' to 'reader' so that we've taken at least one step in the right direction before the upgrade to U.
The next thing we can do to converge on Ussuri standards is to locate all the "" policies in our policy.yaml files that correspond to an upstream default of 'owner' or 'admin_or_owner'. The effect of a "" policy is to provide access to any project member, which is roughly the same as what 'owner' means in the upstream defaults and what will become 'reader' access in future releases.
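The comparison described in that comment can be scripted. The block below is an added example written for this page, not code from the task or from the WMCS puppet repository: it parses a customized policy.yaml and an upstream-default policy file (both constructed samples here, with the flat quoted-key lines that oslopolicy-sample-generator emits), finds every rule the custom file sets to "", and sorts them into three buckets: "redundant" where the upstream default already resolves to an owner check (rule:owner / rule:admin_or_owner, or any check containing project_id:%(project_id)s), "widened" where the upstream default is admin-only, and "unknown" where upstream has no such rule at all. One caveat worth keeping in mind while reading the output: in oslo.policy an empty check string always passes, so a "" rule is actually broader than admin_or_owner, which ties access to the token's own project; that is why the script reports candidates rather than deleting anything. The minimal parser only handles flat, double-quoted keys; use PyYAML for real files.

```python
"""Compare a customized oslo.policy policy.yaml against upstream defaults.

Reports rules the custom file sets to "" (always allowed) and classifies
them by what the upstream default would have granted. Hypothetical helper
written for this page; not code from the WMCS puppet repository.
"""
from typing import Dict, List

# Constructed sample of a customized nova policy.yaml (flat, quoted keys
# as emitted by oslopolicy-sample-generator). Not the real deployment file.
CUSTOM_POLICY = '''
# constructed sample, not the production file
"os_compute_api:servers:index": ""
"os_compute_api:servers:show": ""
"os_compute_api:servers:create": ""
"os_compute_api:os-hypervisors": ""
"os_compute_api:os-services": "rule:admin_api"
"os_compute_api:os-made-up-extension": ""
'''

# Constructed sample of Train-era style upstream defaults (a few entries).
UPSTREAM_DEFAULTS = '''
"context_is_admin": "role:admin"
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
"admin_api": "is_admin:True"
"os_compute_api:servers:index": "rule:admin_or_owner"
"os_compute_api:servers:show": "rule:admin_or_owner"
"os_compute_api:servers:create": "rule:admin_or_owner"
"os_compute_api:os-hypervisors": "rule:admin_api"
"os_compute_api:os-services": "rule:admin_api"
'''

OWNER_ALIASES = {"owner", "admin_or_owner"}
OWNER_TOKEN = "project_id:%(project_id)s"


def parse_policy(text: str) -> Dict[str, str]:
    """Minimal parser for flat '"name": "check"' lines in policy.yaml.

    Keys must be double-quoted (they contain ':'); comments and blank
    lines are skipped. Use PyYAML for real files with nested structure.
    """
    rules: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"'):
            raise ValueError(f"expected a quoted rule name: {raw!r}")
        end = line.index('"', 1)
        name, rest = line[1:end], line[end + 1:].strip()
        if not rest.startswith(":"):
            raise ValueError(f"expected ':' after rule name: {raw!r}")
        value = rest[1:].strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        rules[name] = value
    return rules


def resolve(defaults: Dict[str, str], check: str) -> str:
    """Follow 'rule:<alias>' references down to the underlying check string."""
    seen = set()
    while check.startswith("rule:") and check[5:] in defaults:
        alias = check[5:]
        if alias in seen:  # defensive: stop on cyclic alias definitions
            break
        seen.add(alias)
        check = defaults[alias]
    return check


def is_owner_default(defaults: Dict[str, str], name: str) -> bool:
    """True if the upstream default already grants the project owner access."""
    check = defaults[name]
    if check.startswith("rule:") and check[5:] in OWNER_ALIASES:
        return True
    return OWNER_TOKEN in resolve(defaults, check)


def classify_open_rules(custom: Dict[str, str],
                        defaults: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket every rule the custom file sets to "" (always allowed)."""
    out: Dict[str, List[str]] = {"redundant": [], "widened": [], "unknown": []}
    for name, check in sorted(custom.items()):
        if check != "":
            continue
        if name not in defaults:
            out["unknown"].append(name)       # no upstream counterpart
        elif is_owner_default(defaults, name):
            out["redundant"].append(name)     # upstream already allows owner
        else:
            out["widened"].append(name)       # upstream is admin-only
    return out


def report(custom_text: str = CUSTOM_POLICY,
           defaults_text: str = UPSTREAM_DEFAULTS) -> Dict[str, List[str]]:
    return classify_open_rules(parse_policy(custom_text),
                               parse_policy(defaults_text))


if __name__ == "__main__":
    for bucket, names in report().items():
        print(f"{bucket}:")
        for n in names:
            print(f"  {n}")
```

Run it against the sample and the three servers:* rules land in "redundant", os-hypervisors in "widened" (upstream is admin_api, so the "" override is a deliberate loosening and needs its own justification), and the made-up extension in "unknown". To use it on real files, pass the deployed policy.yaml and the output of oslopolicy-policy-generator for the nova namespace to report() after loading them with PyYAML instead of the minimal parser.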
I'm marking this as blocked so it can wait for future OpenStack upgrades. It will be a lot easier to simplify our policies when we have existing upstream policies in code to compare with.