yahoo-eng-team team mailing list archive

[Bug 1637146] [NEW] Whitelisting (opt-in) users/projects/domains for PCI compliance

 

Public bug reported:

As a cloud admin, I want to explicitly define which users should have
PCI compliance checks turned on. Currently, I can only blacklist certain
users, but I have use cases which require one special user (the super
duper admin) be held to a higher standard than the other users on a
cloud. I have other use cases where entire projects, or maybe even
domains, need to be held to a standard, but outside of those they should
not be held to the standard.

We provide individual private clouds to customers, and provide them a
lower level of admin access than super duper admin. Our own super duper
admin needs to adhere to PCI, but we do not feel it's appropriate to
enforce such requirements on the users our customers create for
themselves. That said, some customers may decide that some sets of the
users they create should require PCI compliance, but not all of them.
Because we do not control user creation, a blacklist is inappropriate as
it will constantly be behind.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1637146

Title:
  Whitelisting (opt-in) users/projects/domains for PCI compliance

Status in OpenStack Identity (keystone):
  New
