To do things at cloud scale, you need to design for cloud scale. The access control mechanism in Keystone was built with large scale in mind, but earlier implementations made it hard or impossible to use. We're working to fix that.
Current work in Keystone is moving to a Role Based Access Control (RBAC) check based on the URL of the resource requested. This will allow such sought-after features as:
1. A read only role for audit purposes
2. Delegation of a single API to a service user
3. Discover what role is required to perform an action
4. Split a role into smaller roles
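To make the four features above concrete, here is a small model of an RBAC check keyed on the HTTP method and URL of the requested resource. This is an added illustration, not Keystone's own code or policy: the endpoint patterns, the role names (`reader`, `member`, `admin`, `password_rotator`) and the implied-role table are all constructed for the example. A read-only role is simply one that appears only in `GET` rules; delegating a single API is one extra role on one row; discovery is a lookup in the same table; and splitting a role is the implied-role table pointing from the broad role to the narrower ones.

```python
"""Illustration of an RBAC check keyed on the HTTP method and URL of the
requested resource.  Added example, not Keystone's own implementation or
policy: the endpoint patterns, role names and implied-role table are
constructed for this demonstration."""
import re
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed policy table: (HTTP method, URL pattern) -> roles allowed to call it.
# Patterns are anchored regexes; a request that matches no row is denied.
POLICY: List[Tuple[str, str, FrozenSet[str]]] = [
    ("GET",    r"/v3/users",                frozenset({"reader"})),
    ("GET",    r"/v3/users/[^/]+",          frozenset({"reader"})),
    ("POST",   r"/v3/users",                frozenset({"member"})),
    ("DELETE", r"/v3/users/[^/]+",          frozenset({"admin"})),
    # A single API delegated to a dedicated service account (feature 2).
    ("POST",   r"/v3/users/[^/]+/password", frozenset({"member", "password_rotator"})),
]

# Constructed implied-role table (feature 4): holding the key role implies
# holding every role in its value, so 'admin' can do anything 'reader' can.
IMPLIED: Dict[str, Set[str]] = {
    "admin": {"member"},
    "member": {"reader"},
}


def expand_roles(roles: Set[str]) -> Set[str]:
    """Return the given roles plus everything they transitively imply."""
    result: Set[str] = set()
    pending = list(roles)
    while pending:
        role = pending.pop()
        if role in result:
            continue
        result.add(role)
        pending.extend(IMPLIED.get(role, ()))
    return result


def required_roles(method: str, path: str) -> Optional[FrozenSet[str]]:
    """Discover which roles may call method+path (feature 3).

    Returns None when no policy row matches, so the caller fails closed.
    """
    for rule_method, pattern, roles in POLICY:
        if rule_method == method.upper() and re.fullmatch(pattern, path):
            return roles
    return None


def is_allowed(method: str, path: str, token_roles: Set[str]) -> bool:
    """RBAC decision: allowed only if some held (or implied) role is in the
    matching rule's allowed set.  Unknown endpoints are denied, never permitted."""
    allowed = required_roles(method, path)
    if allowed is None:
        return False
    return bool(expand_roles(token_roles) & allowed)


if __name__ == "__main__":
    # A read-only auditor (feature 1): can list users, cannot create them.
    print(is_allowed("GET", "/v3/users", {"reader"}))                          # True
    print(is_allowed("POST", "/v3/users", {"reader"}))                         # False
    # Delegated service account: exactly one API, nothing else.
    print(is_allowed("POST", "/v3/users/abc/password", {"password_rotator"}))  # True
    print(is_allowed("GET", "/v3/users/abc", {"password_rotator"}))            # False
    # Implied roles: admin inherits reader's access.
    print(is_allowed("GET", "/v3/users", {"admin"}))                           # True
    # Discovery of the role needed for an action.
    print(sorted(required_roles("DELETE", "/v3/users/abc")))                   # ['admin']
```

The fail-closed default in `is_allowed` is the part worth keeping when adapting this: an endpoint nobody wrote a rule for should be unreachable, not open, otherwise adding a new API silently grants it to everyone.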
This talk is an overview of the mechanism, the method, and the madness of RBAC in OpenStack:
- How to create a new role
- How to integrate that new role into an OpenStack deployment
- How to link the role to an API
- How to set up default access for new services