[openstack-dev] [Keystone] policy has no effect because of hard coded assert_admin?
dolph.mathews at gmail.com
Fri Dec 13 12:33:35 UTC 2013
On Thu, Dec 12, 2013 at 11:03 PM, Qiu Yu <unicell at gmail.com> wrote:
> On Fri, Dec 13, 2013 at 2:40 AM, Morgan Fainberg <m at metacloud.com> wrote:
>> As Dolph stated, V3 is where the policy file protects. This is one of
>> the many reasons why I would encourage movement to using V3 Keystone over
>> The V2 API is officially deprecated in the Icehouse cycle, I think that
>> moving the decorator potentially could cause more issues than not as stated
>> for compatibility. I would be very concerned about breaking compatibility
>> with deployments and maintaining the security behavior with the
>> encouragement to move from V2 to V3. I am also not convinced passing the
>> context down to the manager level is the right approach. Making a move on
>> where the protection occurs likely warrants a deeper discussion (perhaps in
> Thanks for the background info. However, after a quick go-through keystone
> V3 API and existing BPs. Two questions still confuse me regarding policy
> #1 Seems V3 policy api  has nothing to do with the policy rules. It
> seems to be dealing with access / secret keys only. So it might be used for
> access key authentication and related control in my understanding.
> Is there any use case / example regarding V3 policy api? Does it even
> related to policy rules in json file?
The v3 policy API is intended to replace policy.json by centralizing the
persistence and management of policy rule sets.
> #2 Found this slides online by Adam Young. And in page 27, he mentioned
> "isAdmin" currently in nova belongs to keystone actually.
> Would be really appreciated for some pointers. ML discussion or bp (I
> don't find any so far), etc.
>  http://api.openstack.org/api-ref-identity.html#Policy_Calls
>  http://www.slideshare.net/kamesh001/openstack-keystone
> Qiu Yu
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev