[openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilities

Adam Young ayoung at redhat.com
Tue Oct 14 19:25:46 UTC 2014


There are two distinct permissions to be managed:

1.  What can the user do?
2.  What actions can this token be used to do?

2. is a subset of 1.


Just because I, Adam Young, have the ability to destroy the golden image 
I have up on glance does not mean that I want to delegate that ability 
every time I use a token.

But that is exactly the mechanism we have today.

As a user, I should not be locked in to only delegating roles. A role 
may say "you can read or modify an image" but I want to only delegate 
the "Read" part when creating a new VM:  I want Nova to be able to read 
the image I specify.


Hence, I started a spec around "capabilities", which are, I think, a 
different check than RBAC.

https://review.openstack.org/#/c/123726/
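An added illustration of the two checks described above (constructed example, not code from this post, from Keystone or from oslo.policy): the role-to-permission map and the action names are assumptions, and a token can only narrow, never widen, what the user's roles grant.

```python
# Two distinct checks: (1) what the user's roles allow, (2) what this
# particular token may be used to do. (2) must be a subset of (1).
from dataclasses import dataclass

# Hypothetical role-to-permission map (constructed sample data).
ROLE_PERMISSIONS = {
    "member": {"image:get", "image:download", "image:update", "image:delete"},
    "reader": {"image:get", "image:download"},
}


def user_permissions(roles):
    """Check 1: union of everything the user's roles allow."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


@dataclass(frozen=True)
class Token:
    user: str
    roles: frozenset
    capabilities: frozenset  # check 2: what this token may be used to do


def issue_token(user, roles, requested_capabilities=None):
    """Mint a token whose capabilities default to the full role grant
    but may be narrowed (e.g. read-only for Nova); widening is refused."""
    allowed = user_permissions(roles)
    caps = allowed if requested_capabilities is None else set(requested_capabilities)
    if not caps <= allowed:
        extra = sorted(caps - allowed)
        raise PermissionError(f"cannot delegate beyond role grant: {extra}")
    return Token(user, frozenset(roles), frozenset(caps))


def enforce(token, action):
    """Both checks must pass: RBAC on the user's roles, then the token's
    own capability set. A narrowed token cannot delete even if the role could."""
    return action in user_permissions(token.roles) and action in token.capabilities
```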
