Boston
May 8-11, 2017

Event Details


Per API Role Based Access Control

To do things at cloud scale, you need to design for cloud scale. The access control mechanism in Keystone was built with large scale in mind, but earlier implementations made it hard or impossible to use. We're working to fix that.

Current work in Keystone is moving to a Role Based Access Control (RBAC) check based on the URL of the resource requested. This will allow such sought-after features as:

1. A read only role for audit purposes

2. Delegation of a single API to a service user

3. Discover what role is required to perform an action

4. Split a role into smaller roles

This talk is an overview of the mechanism, the method, and the madness of RBAC in OpenStack.


What can I expect to learn?
  • How to create a new role
  • How to integrate that new role into an OpenStack deployment
  • How to link the role to an API
  • How to set up default access for new services
Wednesday, May 10, 4:30pm-5:10pm
Difficulty Level: Intermediate
Red Hat
Adam Young is a Cloud Solutions Architect at Red Hat, responsible for helping people develop their cloud strategies. He has been a long-time core developer on Keystone, the authentication and authorization service for OpenStack. Adam has worked on various systems management tools, including the Identity Management component of Red Hat Enterprise Linux based on the FreeIPA technology. A 20 year...
Massachusetts Open Cloud
Kristi Nikolla is a Software Engineer at the Mass Open Cloud (MOC) where he leads the Mix&Match project and manages the authentication system. He is a core developer of the OpenStack Identity service (Keystone) and provides OpenStack and Python expertise in day-to-day operations of the MOC.