[openstack-dev] [cross-project] RBAC Policy Basics

Osanai, Hisashi osanai.hisashi at jp.fujitsu.com
Fri Jun 19 05:08:03 UTC 2015


Thank you for the information RBAC Policy Basics.

Thursday, June 18, 2015 1:47 AM, Adam Young wrote:
> However, we have found a need to have a global override.  This is a way a cloud admin that can go into any API anywhere and fix things.
> This means that Glance, Neutron, Nova, and Keystone should be able to share a policy file.

What situations does a shared policy file require?

For example, there are policy files for Nova and Cinder and they have same targets such as
"context_is_admin", "admin_or_owner" and "default".

(1) load both policy.json files on a server process then the targets will be overridden by 2nd loaded policy.json.
    A cloud admin changes the 2nd policy.json only.
(2) A cloud admin changes the targets in different policy.json files at one time.

Did you mention about case(2)? 

Nova:   https://github.com/openstack/nova/blob/master/etc/nova/policy.json
Cinder: https://github.com/openstack/cinder/blob/master/etc/cinder/policy.json

"context_is_admin": "role:admin",
"admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",

BTW, I sent the following email in this list. I think I found right person who
can answer my question? :-)

- HTTP_X_SERVICE_ROLES handling in _checks.py

Thanks in advance,
Hisashi Osanai

More information about the OpenStack-dev mailing list