<div dir="ltr">I suppose it's ok - just rebase from Swann's commit to have is_admin param to use.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Nov 20, 2013 at 3:21 PM, Sylvain Bauza <span dir="ltr"><<a href="mailto:sylvain.bauza@bull.net" target="_blank">sylvain.bauza@bull.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi Yuriy,<br>
<br>
Le 20/11/2013 11:56, Yuriy Taraday a écrit :<br>
</div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">Looking at implementations in Keystone
and Nova, I found the only use for is_admin but it is
essential.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Whenever in code you need to run a
piece of code with admin privileges, you can create a new
context with is_admin=True keeping all other parameters as
is, run code requiring admin access and then revert context
back.</div>
<div class="gmail_extra">My first though was: "Hey, why don't
they just add 'admin' role then?". But what if in current
deployment admin role is named like 'TheVerySpecialAdmin'?
What if user has tweaked policy.json to better suite one's
needs?</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">So my current understanding is (and I
suggest to follow this logic):</div>
<div class="gmail_extra">- 'admin' role in context.roles can
vary, it's up to cloud admin to set necessary value in
policy.json;</div>
<div class="gmail_extra">- 'is_admin' flag is used to elevate
privileges from code and it's name is fixed;</div>
<div class="gmail_extra">- policy check should assume that user
is admin if either special role is present or is_admin flag is
set.<br>
</div>
</div>
</blockquote>
<br>
<br></div></div>
Yes indeed, that's something coming into my mind. Looking at Nova, I
found a "context_is_admin" policy in policy.json allowing you to say
which role is admin or not [1] and is matched in policy.py [2],
which itself is called when creating a context [3].<br>
<br>
I'm OK copying that, any objections to it ?<br>
<br>
<br>
[1]
<a href="https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L2" target="_blank">https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L2</a><br>
[2]
<a href="https://github.com/openstack/nova/blob/master/nova/policy.py#L116" target="_blank">https://github.com/openstack/nova/blob/master/nova/policy.py#L116</a><br>
[3]
<a href="https://github.com/openstack/nova/blob/master/nova/context.py#L102" target="_blank">https://github.com/openstack/nova/blob/master/nova/context.py#L102</a>
</div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"><p style="font-size:small;margin:0px;font-family:Helvetica">
Best regards,</p><p style="font-size:small;margin:0px;font-family:Helvetica">Dina Belova</p><p style="font-size:small;margin:0px;font-family:Helvetica">Software Engineer</p><p style="font-size:small;margin:0px;font-family:Helvetica">
Mirantis Inc.</p></div></div>
</div>