[openstack-dev] [cross-project] RBAC Policy Basics
osanai.hisashi at jp.fujitsu.com
Fri Jun 19 05:08:03 UTC 2015
Thank you for the information RBAC Policy Basics.
Thursday, June 18, 2015 1:47 AM, Adam Young wrote:
> However, we have found a need to have a global override. This is a way a cloud admin that can go into any API anywhere and fix things.
> This means that Glance, Neutron, Nova, and Keystone should be able to share a policy file.
What situations does a shared policy file require?
For example, there are policy files for Nova and Cinder and they have same targets such as
"context_is_admin", "admin_or_owner" and "default".
(1) load both policy.json files on a server process then the targets will be overridden by 2nd loaded policy.json.
A cloud admin changes the 2nd policy.json only.
(2) A cloud admin changes the targets in different policy.json files at one time.
Did you mention about case(2)?
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
BTW, I sent the following email in this list. I think I found right person who
can answer my question? :-)
- HTTP_X_SERVICE_ROLES handling in _checks.py
Thanks in advance,
More information about the OpenStack-dev