[openstack-dev] [Climate] How do we agree to determine whether a user has admin rights?

Sylvain Bauza sylvain.bauza at bull.net
Thu Nov 21 09:39:35 UTC 2013

On 21/11/2013 10:04, Yuriy Taraday wrote:
> On Thu, Nov 21, 2013 at 12:37 PM, Sylvain Bauza 
> <sylvain.bauza at bull.net <mailto:sylvain.bauza at bull.net>> wrote:
>     Hi Yuriy, Dolph et al.
>     I'm implementing a climate.policy.check_is_admin(ctx) which will
>     look at the policy.json entry 'context_is_admin' to know which
>     roles have elevated rights for Climate.
>     This check must be called when creating a context to know if
>     we can allow extra rights. The is_admin flag is pretty handy
>     because it can be triggered upon that check.
>     If we say that one is bad, how should we manage that?
>     -Sylvain
> There should be no need for is_admin and some special policy rule like 
> "context_is_admin".
> Every action that might require granular access control (for 
> controllers it should be every action at all, I guess) should call 
> enforce() from openstack.common.policy to check appropriate rule in 
> policy.json.
> Rules for actions that require user to be admin should contain a 
> reference to some basic rule like "admin_required" in Keystone (see 
> https://github.com/openstack/keystone/blob/master/etc/policy.json).
> We should not check from code if the user is an admin. We should 
> always ask openstack.common.policy if the user has access to the action.
> -- 
> Kind regards, Yuriy.

Thanks for all your thoughts, really appreciated. OK, I will discuss 
with Swann and see what needs to be modified accordingly.

I'll deliver a new patchset for https://review.openstack.org/#/c/57200/ 
(policies) based on the Context patch from Swann and keeping is_admin, and 
then I'll iterate removing the necessary parts.

(Btw, it's bad that I spent a few days implementing policies without clear 
guidelines, copying Nova stuff with the latest Oslo policies; we 
definitely need developer documentation for that...)
