On 06/28/2017 02:29 PM, Fox, Kevin M wrote: > I think everyone would benefit from a read-only role for keystone out of the > box. Can we get this into keystone rather then in the various distro's? Yeah - I think that would be an awesome idea. John Garbutt had some good work on this earlier in the cycle. Most of it was documented in specs  . FWIW - this will be another policy change that is going to have cross-project effects. It's implementation or impact won't be isolated to keystone if we want read-only roles out-of-the-box.
 https://review.openstack.org/#/c/427872/19  https://review.openstack.org/#/c/428454/ > > Thanks, > Kevin > ________________________________________ > From: Ben Nemec [openst...@nemebean.com] > Sent: Wednesday, June 28, 2017 12:06 PM > To: OpenStack Development Mailing List (not for usage questions) > Subject: [openstack-dev] [TripleO] Pt. 2 of Passing along some field feedback > > A few weeks later than I had planned, but here's the other half of the > field feedback I mentioned in my previous email: > > * They very emphatically want in-place upgrades to work when moving from > non-containerized to containerized. I think this is already the plan, > but I told them I'd make sure development was aware of the desire. > > * There was also great interest in contributing back some of the custom > templates that they've had to write to get advanced features working in > the field. Here again we recommended that they start with an RFE so > things could be triaged appropriately. I'm hoping we can find some > developer time to help polish and shepherd these things through the > review process. > > * Policy configuration was discussed, and I pointed them at some recent > work we have done around that: > https://docs.openstack.org/developer/tripleo-docs/advanced_deployment/api_policies.html > I'm not sure it fully addressed their issues, but I suggested they > take a closer look and provide feedback on any ways it doesn't meet > their needs. > > The specific use case they were looking at right now was adding a > read-only role. They did provide me with a repo containing their > initial work, but unfortunately it's private to Red Hat so I can't share > it here. > > * They wanted to be able to maintain separate role files instead of one > monolithic roles_data.yaml. Apparently they have a pre-deploy script > now that essentially concatenates some individual files to get this > functionality. I think this has already been addressed by > https://review.openstack.org/#/c/445687 > > * They've also been looking at ways to reorganize the templates in a > more intuitive fashion. At first glance the changes seemed reasonable, > but they were still just defining the layout. I don't know that they've > actually tried to use the reorganized templates yet and given the number > of relative paths in tht I suspect it may be a bigger headache than they > expect, but I thought it was interesting. There may at least be > elements of this work that we can use to make the templates easier to > understand for deployers. > > Thanks. > > -Ben > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Description: OpenPGP digital signature
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev