[openstack-dev] [Climate] How we agree to determine that an user has admin rights ?
yorik.sar at gmail.com
Wed Nov 20 16:52:41 UTC 2013
On Wed, Nov 20, 2013 at 8:42 PM, Dolph Mathews <dolph.mathews at gmail.com> wrote:
> On Wed, Nov 20, 2013 at 10:24 AM, Yuriy Taraday <yorik.sar at gmail.com> wrote:
>> context.is_admin should not be checked directly from code, only through
>> policy rules. It should be set only if we need to elevate privileges from
>> code. That should be the meaning of it.
> is_admin is short-sighted and not at all granular -- it needs to die, so
> avoid imitating it.
I suggest keeping it in case we need to elevate privileges from code. In
this case we can't rely on roles so just one flag should work fine.
As I said before, we should avoid setting or reading is_admin directly from
code. It should be set only in context.elevated and read only by
"admin_required" policy rule.
Does this sound reasonable?
Kind regards, Yuriy.
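
The arrangement proposed in this message, as an added sketch that is not part of the original post and is not Climate or OpenStack code: the elevation flag is written only by `elevated()` and read only through the `admin_required` rule. The class and function names, the rule strings and the `lease:delete` action are assumptions made up for the illustration.

```python
import copy

class PolicyNotAuthorized(Exception):
    """Raised when no check in the rule for an action matches."""

# Constructed rules in an "or"-only subset of a policy language (assumption).
RULES = {
    "admin_required": "role:admin or is_admin:True",
    "lease:delete": "rule:admin_required or user_id:%(owner_id)s",
}

class RequestContext:
    def __init__(self, user_id, roles=()):
        self.user_id = user_id
        self.roles = frozenset(r.lower() for r in roles)
        self._is_admin = False  # never taken from request data

    def elevated(self):
        """Return an elevated copy; the caller's own context is left unchanged."""
        ctx = copy.copy(self)
        ctx._is_admin = True  # the only place the flag is written
        return ctx

    def to_policy_values(self):
        """Credentials handed to the policy engine, the only reader of the flag."""
        return {"user_id": self.user_id, "roles": self.roles,
                "is_admin": self._is_admin}

def _check(check, creds, target):
    kind, _, match = check.partition(":")
    if kind == "rule":  # reference to another named rule
        return _evaluate(RULES[match], creds, target)
    if kind == "role":
        return match.lower() in creds["roles"]
    try:
        expected = match % target  # fills %(owner_id)s from the target object
    except KeyError:
        return False  # target lacks the attribute: fail closed
    return kind in creds and str(creds[kind]) == expected

def _evaluate(rule, creds, target):
    return any(_check(c.strip(), creds, target) for c in rule.split(" or "))

def enforce(ctx, action, target=None):
    """Service code calls this and never inspects roles or the flag itself."""
    if action not in RULES or not _evaluate(RULES[action], ctx.to_policy_values(), target or {}):
        raise PolicyNotAuthorized(action)  # unknown actions are denied by default
    return True
```

Because `elevated()` returns a copy, privileged internal calls can pass the elevated context explicitly while the request's original context keeps failing `admin_required`.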