The keystone and nova teams have made significant progress in transitioning service APIs to understand two things: system scope, which makes it possible to use default policies to create a project admin who is not a global admin, and default roles, which make it possible to use default policies to create an auditor user. Now that we have examples in place for how to update and test these policies, we need to discuss how to bring this to the rest of OpenStack. This session will be an opportunity for developers to discuss potential common problems (for example, hardcoded admin-role checks or testing strategies) or to ask questions ("why do we even need system scope?"), as well as for operators and users to bring forward concerns. The end result should be a draft of one or more community goals for Ussuri, or a list of blockers that need to be addressed before we propose a community goal.

Etherpad: https://bit.ly/2lPG081

Attendees will discuss next steps for policy in OpenStack, including blockers for adoption and common problems.