[openstack-dev] [keystone]Different projects authentication strategy

Adam Young ayoung at redhat.com
Tue Dec 1 19:32:48 UTC 2015


On 12/01/2015 01:23 AM, 1021710773 wrote:
> To every developer,
>
>     Hello. I would like to ask some questions here about policy rules.
>     Now the policy rules of OpenStack in keystone and other projects
> are set in policy.json; in other words, the policy rules are equal
> for each project. And the common way to enforce them is in a decorative
> function like protected(). And in the keystone project, it manages the
> users, projects, roles and other resources. Now, some particular
> projects (tenants) may have their own enforcement rules, not just like the
> policy.json, and in that way, could we update the usual decorative
> enforce function to realize the authentication of projects? And
> now, the policy model appears in the keystone project. Could we use it to
> create an association between projects and policy?


That request has come up in the past.  At this point, I don't think we 
have a path to "Tenant specific policy" but we have a couple features in 
Mitaka that might be close:  Implied Roles and Domain specific roles.

See the specs:

Implied roles has merged:

http://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/mitaka/implied-roles.rst

Domain specific roles was just given the thumbs up and will likely merge 
soon.



>     Hope to hear from you. Thanks!
>
>
> Weiwei Yang
> ------------------------------------------------------------------------
> yangweiwei at cmss.chinamobile.com
