[openstack-dev] [keystone] [nova] [oslo] oslo.policy requests from the Nova team

Kevin L. Mitchell kevin.mitchell at rackspace.com
Tue Jun 2 22:48:34 UTC 2015

On Tue, 2015-06-02 at 16:16 -0600, David Lyle wrote:
> The Horizon project also uses the nova policy.json file to do role
> based access control (RBAC) on the actions a user can perform. If the
> defaults are hidden in the code, that makes those checks a lot more
> difficult to perform. Horizon will then get to duplicate all the hard
> coded defaults in our code base. Fully understanding UI is not
> everyone's primary concern, I will just point out that it's a terrible
> user experience to have 10 actions listed on an instance that will
> only fail when actually attempted by making the API call.

For the record, the discussion at the summit also touched on the
discoverability of the policy affecting a given user/API.  I don't
believe we considered the ordering between that and the defaults feature
we suggested, but I believe we can code a defaults mechanism to
dynamically generate an output file in the interim (as is done for
configuration now), which may improve the situation from Horizon's
standpoint, until the discoverability piece is in place.

Kevin L. Mitchell <kevin.mitchell at rackspace.com>

More information about the OpenStack-dev mailing list