[openstack-dev] [Climate] How we agree to determine that a user has admin rights ?

Yuriy Taraday yorik.sar at gmail.com
Wed Nov 20 10:56:57 UTC 2013


Looking at implementations in Keystone and Nova, I found the only use for
is_admin, but it is essential.

Whenever in code you need to run a piece of code with admin privileges, you
can create a new context with is_admin=True, keeping all other parameters
as is, run the code requiring admin access and then revert the context back.
My first thought was: "Hey, why don't they just add the 'admin' role then?" But
what if in the current deployment the admin role is named something like
'TheVerySpecialAdmin'? What if a user has tweaked policy.json to better suit
one's needs?

So my current understanding is (and I suggest following this logic):
- the 'admin' role in context.roles can vary; it's up to the cloud admin to set
the necessary value in policy.json;
- the 'is_admin' flag is used to elevate privileges from code, and its name is
fixed;
- the policy check should assume that the user is admin if either the special
role is present or the is_admin flag is set.

-- 

Kind regards, Yuriy.
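The three-point scheme above, as an added Python example (not Climate's or Nova's code; the policy rule string, the `elevated()` helper, `run_with_admin` and the task function are assumptions): the admin role name comes from the deployment's policy, the `is_admin` flag name is fixed, and the check accepts either.

```python
import copy
from dataclasses import dataclass, field

# Constructed stand-in for a deployment's policy.json (assumption): the cloud
# admin decides which role name counts as admin; code never hardcodes it.
POLICY = {"context_is_admin": "role:TheVerySpecialAdmin"}


@dataclass
class RequestContext:
    user_id: str
    roles: list = field(default_factory=list)
    is_admin: bool = False  # fixed-name flag used to elevate from code

    def elevated(self):
        """Copy of this context with is_admin=True; everything else unchanged."""
        ctx = copy.copy(self)
        ctx.roles = list(self.roles)
        ctx.is_admin = True
        return ctx


def check_is_admin(context, policy=POLICY):
    """Admin if the is_admin flag is set OR the policy's admin role is present."""
    if context.is_admin:
        return True
    kind, _, name = policy["context_is_admin"].partition(":")
    return kind == "role" and name in context.roles


def run_with_admin(context, fn):
    """Run fn under an elevated copy; the caller's own context is never mutated,
    so there is nothing to forget to revert."""
    return fn(context.elevated())


# Constructed internal task that needs admin access on behalf of a plain user.
def _delete_expired_leases(admin_ctx):
    if not check_is_admin(admin_ctx):
        raise PermissionError("admin required")
    return "deleted"


if __name__ == "__main__":
    user = RequestContext("u1", roles=["Member"])
    print(check_is_admin(user))                            # False
    print(run_with_admin(user, _delete_expired_leases))    # deleted
    print(user.is_admin)                                   # False: original untouched
```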