[openstack-dev] [Climate] How we agree to determine that an user has admin rights ?

Yuriy Taraday yorik.sar at gmail.com
Thu Nov 21 05:18:09 UTC 2013

On Wed, Nov 20, 2013 at 9:57 PM, Dolph Mathews <dolph.mathews at gmail.com>wrote:
> On Wed, Nov 20, 2013 at 10:52 AM, Yuriy Taraday <yorik.sar at gmail.com>wrote:
>>  On Wed, Nov 20, 2013 at 8:42 PM, Dolph Mathews <dolph.mathews at gmail.com>wrote:
>>> is_admin is a short sighted and not at all granular -- it needs to die,
>>> so avoid imitating it.
>>  I suggest keeping it in case we need to elevate privileges from code.
> Can you expand on this point? It sounds like you want to ignore the
> deployer-specified authorization configuration...

No, we're not ignoring it. In Keystone we have two options to become an
admin: either have 'admin'-like role (set in policy.json by deployer) or
have 'is_admin' set (the only way in Keystone is to pass configured
admin_token). We don't have bootstrap problem in any other services, so we
don't need any admin_token. But we might need to run code that requires
admin privileges for user that don't have them. Other projects use
get_admin_context() or smth like that for this.
I suggest we keep the option to have such 'in-code sudo' using is_admin
that will be mentioned in policy.json, but limit is_admin usage to just


Kind regards, Yuriy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131121/a38b0de9/attachment.html>

More information about the OpenStack-dev mailing list