[openstack-dev] [Climate] How we agree to determine that an user has admin rights ?

Yuriy Taraday yorik.sar at gmail.com
Thu Nov 21 09:04:22 UTC 2013

On Thu, Nov 21, 2013 at 12:37 PM, Sylvain Bauza <sylvain.bauza at bull.net>wrote:

>  Hi Yuriy, Dolph et al.
> I'm implementing a climate.policy.check_is_admin(ctx) which will look at
> policy.json entry 'context_is_admin' for knowing which roles do have
> elevated rights for Climate.
> This check must be called when creating a context for knowing if we can
> allow extra rights. The is_admin flag is pretty handsome because it can be
> triggered upon that check.
> If we say that one is bad, how should we manage that ?
> -Sylvain

There should be no need for is_admin and some special policy rule like
Every action that might require granular access control (for controllers it
should be every action at all, I guess) should call enforce() from
openstack.common.policy to check appropriate rule in policy.json.
Rules for actions that require user to be admin should contain a reference
to some basic rule like "admin_required" in Keystone (see

We should not check from code if the user is an admin. We should always ask
openstack.common.policy if the user have access to the action.


Kind regards, Yuriy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131121/364ddf41/attachment.html>

More information about the OpenStack-dev mailing list