openstack team mailing list archive

Service RBAC policy.json documentation and usability

Consideration / food for thought...
I was recently standing up a grizzly based Cloud whereupon we were implementing a fairly simple role based scheme and wanted to provide some feedback on that experience with respect to setting up the policy.json files properly.

Long story short -- I found it a bit painful (time consuming, not mentally challenging) to fully understand all of the possible roles on a per service basis. I had hoped all roles per service would be provided/documented in the service's corresponding policy.json, but that was not the case.

For example (not to pick on nova):
* compute:get_spice_console
* compute:get_vnc_console
* compute:security_groups:remove_from_instance
...
were not in /etc/nova/policy.json, to name a few...

At the end of the day identifying all the roles became a game of trial and error + source grep-foo.

Ideally all of the roles would've been documented in a centralized location to make this experience more user friendly. Maybe a py annotation in the source files which documents the roles used by the class, which would then be consolidated into a centralized document during the doc build or something... I do realize some core projects document (a portion of) their roles on the wiki page, but it does not seem to be a consistent process.

Maybe I'm missing something here, in which case I apologize in advance.

Thanks



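As an added example (not part of the original post or of nova), a small Python script that does the kind of source-grep audit described above: it lists policy targets referenced in the source but absent from policy.json, which is where they silently fall through to the "default" rule. The check_policy calls, file paths and policy.json contents are constructed samples; the target regex is a simplification of how nova references targets.

```python
from __future__ import annotations
import json
import re

# Matches string literals shaped like a policy target, e.g. "compute:get_vnc_console"
# or "compute:security_groups:remove_from_instance". Hypothetical simplification of
# how nova source references targets; tune it for the tree you are auditing.
TARGET_RE = re.compile(r"""['"]([a-z][a-z0-9_]*(?::[a-z0-9_]+)+)['"]""")


def find_policy_targets(source_text: str) -> set[str]:
    """Return every policy-target-looking string literal in one source file."""
    return set(TARGET_RE.findall(source_text))


def undeclared_targets(policy_json_text: str, source_files: dict[str, str]) -> dict[str, list[str]]:
    """Map each target used in source but missing from policy.json to the files using it.

    A missing target is not denied: enforcement falls back to the "default" rule,
    so these are exactly the permissions that are easy to overlook in a review."""
    rules = json.loads(policy_json_text)
    found: dict[str, list[str]] = {}
    for path, text in source_files.items():
        for target in find_policy_targets(text):
            if target not in rules:
                found.setdefault(target, []).append(path)
    return {t: sorted(p) for t, p in sorted(found.items())}


# Constructed sample policy.json (not a real nova file)
SAMPLE_POLICY = """{
    "default": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:create": "",
    "compute:get_console_output": ""
}"""

# Constructed source snippets in the style of nova's policy checks
SAMPLE_SOURCES = {
    "nova/api/openstack/compute/contrib/consoles.py":
        'check_policy(context, "compute:get_vnc_console", instance)\n'
        'check_policy(context, "compute:get_spice_console", instance)\n',
    "nova/compute/api.py":
        "check_policy(context, 'compute:create', target)\n"
        "check_policy(context, 'compute:security_groups:remove_from_instance', target)\n",
}

if __name__ == "__main__":
    for target, files in undeclared_targets(SAMPLE_POLICY, SAMPLE_SOURCES).items():
        print(f"{target}: falls back to 'default'; used in {', '.join(files)}")
```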