[openstack-dev] [Climate] How we agree to determine that an user has admin rights ?
Yuriy Taraday
yorik.sar at gmail.com
Wed Nov 20 16:24:34 UTC 2013
On Wed, Nov 20, 2013 at 3:21 PM, Sylvain Bauza <sylvain.bauza at bull.net>wrote:
>
> Yes indeed, that's something coming into my mind. Looking at Nova, I found
> a "context_is_admin" policy in policy.json allowing you to say which role
> is admin or not [1] and is matched in policy.py [2], which itself is called
> when creating a context [3].
>
> I'm OK copying that, any objections to it ?
>
I would suggest not to copy this stuff from Nova. There's a lot of legacy
there and it's based on old openstack.common.policy version. We should rely
on openstack.common.policy alone, no need to add more checks here.
> [1] https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L2
>
This rule is here just to support
> [2] https://github.com/openstack/nova/blob/master/nova/policy.py#L116
>
this, which is used only
> [3] https://github.com/openstack/nova/blob/master/nova/context.py#L102
>
here. This is not what I would call a consistent usage of policies.
>
If we need to check access rights to some method, we should use an
appropriate decorator or helper method and let it check appropriate policy
rule that would contain "rule:admin_required", just like in Keystone:
https://github.com/openstack/keystone/blob/master/etc/policy.json.
context.is_admin should not be checked directly from code, only through
policy rules. It should be set only if we need to elevate privileges from
code. That should be the meaning of it.
--
Kind regards, Yuriy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131120/76c02fac/attachment.html>
More information about the OpenStack-dev
mailing list