[openstack-dev] [Climate] How we agree to determine that a user has admin rights?

Dolph Mathews dolph.mathews at gmail.com
Wed Nov 20 17:57:42 UTC 2013


On Wed, Nov 20, 2013 at 10:52 AM, Yuriy Taraday <yorik.sar at gmail.com> wrote:

> Hello, Dolph.
>
> On Wed, Nov 20, 2013 at 8:42 PM, Dolph Mathews <dolph.mathews at gmail.com> wrote:
>
>>
>> On Wed, Nov 20, 2013 at 10:24 AM, Yuriy Taraday <yorik.sar at gmail.com> wrote:
>>
>>>
>>> context.is_admin should not be checked directly from code, only through
>>> policy rules. It should be set only if we need to elevate privileges from
>>> code. That should be the meaning of it.
>>>
>>
>> is_admin is short-sighted and not at all granular -- it needs to die,
>> so avoid imitating it.
>>
>
>  I suggest keeping it in case we need to elevate privileges from code.
>

Can you expand on this point? It sounds like you want to ignore the
deployer-specified authorization configuration...


> In this case we can't rely on roles so just one flag should work fine.
> As I said before, we should avoid setting or reading is_admin directly
> from code. It should be set only in context.elevated and read only by
> "admin_required" policy rule.
>
> Does this sound reasonable?
>
> --
>
> Kind regards, Yuriy.
>


-- 

-Dolph
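
The arrangement debated in this thread, as an added Python example that is not part of either message or of OpenStack's code: is_admin is set only by elevated() and read only by the "admin_required" rule, so the deployer's policy file decides whether in-code elevation counts. The class, the enforce() helper, the rule syntax and the "lease:delete" action are hypothetical stand-ins.

```python
import copy
from dataclasses import dataclass, field

# Constructed policies, in the spirit of a deployer-edited policy file.
# Each rule lists alternatives; any matching alternative grants access.
DEFAULT_POLICY = {
    "admin_required": ["role:admin", "is_admin:True"],
    "lease:delete": ["rule:admin_required"],  # hypothetical action name
}
# A deployer who does not want in-code elevation to count drops the flag check.
STRICT_POLICY = {
    "admin_required": ["role:admin"],
    "lease:delete": ["rule:admin_required"],
}

@dataclass
class RequestContext:
    user_id: str
    roles: list = field(default_factory=list)
    is_admin: bool = False  # never read outside the policy engine

    def elevated(self):
        """Return a copy with the flag set; the caller's context is unchanged."""
        ctx = copy.deepcopy(self)
        ctx.is_admin = True
        return ctx

def _match(check, ctx, policy, seen):
    kind, _, value = check.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "is_admin":
        return str(ctx.is_admin) == value
    if kind == "rule":
        return enforce(value, ctx, policy, seen)
    return False  # unknown check kinds fail closed

def enforce(rule, ctx, policy, seen=frozenset()):
    """True if ctx satisfies the named rule; missing or cyclic rules deny."""
    if rule not in policy or rule in seen:
        return False
    return any(_match(c, ctx, policy, seen | {rule}) for c in policy[rule])
```

With STRICT_POLICY an elevated context is denied like any other non-admin, which is the deployer-controlled outcome the reply above asks about.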