[openstack-dev] Policy's persistence layer
Flavio Percoco
flavio at redhat.com
Mon May 6 07:07:47 UTC 2013
On 03/05/13 15:30 -0700, Mark Washenberger wrote:
> I think the real motivator for me are use cases like Image Sharing.
> Glance currently has support for sharing an image with another
> user--you just add the other user's tenant id as a "member" on the
> image. This approach has advantages and disadvantages:
> + simple and covers 80% of use cases for sharing in some form or another
> + it's fast, because I can do authorization efficiently by joining the Images table with the Image Members table
> - No good way to verify the member tenant id is valid
> - No good way to be notified when the member tenant is removed
> - Can't specify permission in terms of a specific user, or a role
> - Can't specify permission on all / a group of images, have to do it individually
I guess we could create Checkers that query keystone to verify some
of the above points.
> The holy grail for me would be for us to come up with a policy approach
> that retains the performance, efficiency, and consistency of storing
> policies virtually alongside the data the policy affects, but also
> provides a central place to list and create policies, with appropriate
> validation of entities like user_ids, tenants, and roles.
I'm not against having an API for policies, even though I don't
think it is something all projects would benefit from. In my head I see this
improvement happening in two steps:
1) Improve the current library by adding such a persistence layer
2) Have an API (keystone, for example) exposing those
functionalities.
#1 is becoming a priority now, at least for Glance Image and Marconi.
I don't know exactly what the requirements of other projects are, but
I'd bet this is something they would like to have.
Also, having a centralized service for policies is something that
worries me a bit, performance and security wise.
That being said, I'd love to take keystone's implementation and
prepare it to be proposed for oslo-incubator.
Any thoughts about this?
Cheers,
FF
--
{ name: "Flavio Percoco",
gpg: "87112EC1",
internal: "8261386",
phone: "+390687502386",
irc: ["fpercoco", "flaper87"]}
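The following is an added example, not code from this thread or from Glance or keystone. It models the image-sharing check Mark describes (the requester's tenant must appear in the image's member list) and adds the kind of Checker Flavio suggests: a second step that validates the member tenant against an identity lookup. The `lookup_tenant` callable is a hypothetical stand-in for a keystone query, and the image, member and tenant tables are constructed sample data; no oslo or Glance API is used.

```python
"""Added example: a minimal policy engine whose member check also asks an
identity lookup whether the member tenant still exists and is enabled.
All data below is constructed; lookup_tenant stands in for keystone."""

# Constructed sample data: an images table and an image_members table.
IMAGES = {
    "img-1": {"owner": "tenant-a", "is_public": False},
    "img-2": {"owner": "tenant-a", "is_public": True},
}
IMAGE_MEMBERS = {
    "img-1": ["tenant-b", "tenant-gone"],
}
# Hypothetical stand-in for keystone's tenant directory: id -> enabled flag.
KNOWN_TENANTS = {"tenant-a": True, "tenant-b": True, "tenant-gone": False}


def lookup_tenant(tenant_id):
    """Stand-in for a keystone query: True only for an existing, enabled tenant."""
    return KNOWN_TENANTS.get(tenant_id, False)


class PublicCheck:
    """Passes when the image is public."""

    def __call__(self, target, creds):
        return bool(target.get("is_public"))


class OwnerCheck:
    """Passes when the requester's tenant owns the image."""

    def __call__(self, target, creds):
        return target["owner"] == creds["tenant_id"]


class MemberCheck:
    """Passes when the requester's tenant is a member of the image AND the
    identity lookup still knows the tenant; a member row left behind after
    the tenant was disabled or deleted no longer grants access."""

    def __init__(self, lookup):
        self.lookup = lookup

    def __call__(self, target, creds):
        tenant = creds["tenant_id"]
        if tenant not in IMAGE_MEMBERS.get(target["id"], []):
            return False
        return self.lookup(tenant)


class AnyOf:
    """Combines checks with OR, mirroring an 'a or b or c' policy rule."""

    def __init__(self, *checks):
        self.checks = checks

    def __call__(self, target, creds):
        return any(check(target, creds) for check in self.checks)


# Hypothetical policy: one rule per action, as a policy.json would list it.
POLICY = {
    "get_image": AnyOf(PublicCheck(), OwnerCheck(), MemberCheck(lookup_tenant)),
}


def enforce(action, target, creds):
    """Evaluate the rule for `action` against the target and the caller's credentials."""
    return POLICY[action](target, creds)


def can_get_image(image_id, tenant_id):
    """Authorization decision for a tenant reading an image."""
    target = dict(IMAGES[image_id], id=image_id)
    return enforce("get_image", target, {"tenant_id": tenant_id})


def stale_members(image_id, lookup=lookup_tenant):
    """Reconciliation helper for the 'no way to be notified' point: list the
    member tenants the identity lookup no longer recognises as valid."""
    return [m for m in IMAGE_MEMBERS.get(image_id, []) if not lookup(m)]


if __name__ == "__main__":
    print(can_get_image("img-1", "tenant-b"))      # member, still valid
    print(can_get_image("img-1", "tenant-gone"))   # member row exists, tenant disabled
    print(stale_members("img-1"))
```

The per-request lookup is the cost of the validation: every member check now depends on the identity service being reachable, which is the performance and availability concern raised in the message above. The `stale_members` helper shows the alternative of validating membership rows periodically instead of on every request.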