openstack team mailing list archive
Message #22735
Service RBAC policy.json documentation and usability
Consideration / food for thought...
I was recently standing up a grizzly based Cloud whereupon we were
implementing a fairly simple role based scheme and wanted to provide
some feedback on that experience with respect to setting up the
policy.json files properly.
Long story short -- I found it a bit painful (time consuming, not
mentally challenging) to fully understand all of the possible roles on a
per service basis. I had hoped all roles per service would be
provided/documented in the service's corresponding policy.json, but that
was not the case.
For example (not to pick on nova):
* compute:get_spice_console
* compute:get_vnc_console
* compute:security_groups:remove_from_instance
...
were not in /etc/nova/policy.json, to name a few...
At the end of the day identifying all the roles became a game of trial
and error + source grep-foo.
Ideally all of the roles would've been documented in a centralized
location to make this experience more user friendly. Maybe a py
annotation in the source files which document the roles used by the
class and are then consolidated into a centralized document during the
doc build or something... I do realize some core projects document (a
portion of) their roles on the wiki page, but it does not seem to be a
consistent process.
Maybe I'm missing something here, in which case I apologize in advance.
Thanks
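One way to turn the "trial and error + source grep-foo" into a repeatable check is to extract the policy target strings a service's source actually enforces and diff them against its policy.json; any target not listed falls through to the "default" rule, so the audit also reports what that rule is. This is an added example, not nova's code or part of the original post; the source fragment and policy.json below are constructed samples, and the regex assumes the target string is the only stable part of the enforcement call.

```python
import json
import re

# Constructed sample of nova-style source that enforces policy targets.
# The call form (policy.enforce vs. a check_policy helper) varies between
# releases, so the scanner keys on the 'service:action' string (assumption).
SAMPLE_SOURCE = '''
def get_vnc_console(self, context, instance):
    policy.enforce(context, 'compute:get_vnc_console', instance)

def get_spice_console(self, context, instance):
    policy.enforce(context, "compute:get_spice_console", instance)

def remove_from_instance(self, context, instance, sg):
    check_policy(context, 'compute:security_groups:remove_from_instance', instance)

def reboot(self, context, instance):
    policy.enforce(context, 'compute:reboot', instance)
'''

# Constructed sample policy.json: only some of the targets above are listed.
SAMPLE_POLICY_JSON = '''{
    "default": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:reboot": "",
    "compute:get_vnc_console": ""
}'''

# Quoted string of the shape service:action[:subaction], as used by policy targets.
TARGET_RE = re.compile(r"""['"]([a-z_]+:[a-z_:]+)['"]""")


def targets_in_source(source):
    """Return the set of policy target strings referenced in the source text."""
    return set(TARGET_RE.findall(source))


def audit_policy(policy_text, source):
    """List targets enforced in code but absent from policy.json, plus the rule they fall to."""
    policy = json.loads(policy_text)
    missing = sorted(targets_in_source(source) - set(policy))
    return {"missing": missing, "fallback": policy.get("default")}


if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY_JSON, SAMPLE_SOURCE)
    for target in result["missing"]:
        print(f"{target}: not in policy.json, governed by default rule {result['fallback']!r}")
```

Against a real tree, feed it the concatenated contents of the service's Python files and its deployed /etc/<service>/policy.json; targets that show up as missing are the ones whose access is silently decided by "default".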