<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Well, I'm guessing the best way is the
      contrary, Swann needing to rebase from the change I proposed about
      policies. The latter is still a draft; I'm committing myself to
      finish it by today.<br>
      <br>
      -Sylvain<br>
      <br>
      On 20/11/2013 12:42, Dina Belova wrote:<br>
    </div>
    <blockquote
cite="mid:CACsCO2xhvi1KmYOEVp8JOMjZsG11dBpH7VjNpqqd_ZYw2RvvLQ@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <div dir="ltr">I suppose it's ok - just rebase from Swann's commit
        to have the is_admin param to use.</div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Wed, Nov 20, 2013 at 3:21 PM,
          Sylvain Bauza <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:sylvain.bauza@bull.net" target="_blank">sylvain.bauza@bull.net</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div>Hi Yuriy,<br>
                <br>
                On 20/11/2013 11:56, Yuriy Taraday wrote:<br>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div class="gmail_extra">Looking at
                        implementations in Keystone and Nova, I found
                        the only use for is_admin but it is essential.</div>
                      <div class="gmail_extra"><br>
                      </div>
                      <div class="gmail_extra">Whenever in code you need
                        to run a piece of code with admin privileges,
                        you can create a new context with is_admin=True
                        keeping all other parameters as is, run code
                        requiring admin access and then revert context
                        back.</div>
                      <div class="gmail_extra">My first thought was:
                        "Hey, why don't they just add 'admin' role
                        then?". But what if in current deployment admin
                        role is named like 'TheVerySpecialAdmin'? What
                        if user has tweaked policy.json to better suit
                        one's needs?</div>
                      <div class="gmail_extra"><br>
                      </div>
                      <div class="gmail_extra">So my current
                        understanding is (and I suggest following this
                        logic):</div>
                      <div class="gmail_extra">- 'admin' role in
                        context.roles can vary, it's up to cloud admin
                        to set necessary value in policy.json;</div>
                      <div class="gmail_extra">- 'is_admin' flag is used
                        to elevate privileges from code and its name is
                        fixed;</div>
                      <div class="gmail_extra">- policy check should
                        assume that user is admin if either special role
                        is present or is_admin flag is set.<br>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                  <br>
                </div>
              </div>
              Yes indeed, that's something coming into my mind. Looking
              at Nova, I found a "context_is_admin" policy in
              policy.json allowing you to say which role is admin or not
              [1] and is matched in policy.py [2], which itself is
              called when creating a context [3].<br>
              <br>
              I'm OK copying that, any objections to it?<br>
              <br>
              <br>
              [1] <a moz-do-not-send="true"
href="https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L2"
                target="_blank">https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L2</a><br>
              [2] <a moz-do-not-send="true"
                href="https://github.com/openstack/nova/blob/master/nova/policy.py#L116"
                target="_blank">https://github.com/openstack/nova/blob/master/nova/policy.py#L116</a><br>
              [3] <a moz-do-not-send="true"
href="https://github.com/openstack/nova/blob/master/nova/context.py#L102"
                target="_blank">https://github.com/openstack/nova/blob/master/nova/context.py#L102</a>
            </div>
            <br>
            _______________________________________________<br>
            OpenStack-dev mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
            <a moz-do-not-send="true"
              href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
              target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div dir="ltr">
          <div
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
            <p style="font-size:small;margin:0px;font-family:Helvetica">
              Best regards,</p>
            <p style="font-size:small;margin:0px;font-family:Helvetica">Dina
              Belova</p>
            <p style="font-size:small;margin:0px;font-family:Helvetica">Software
              Engineer</p>
            <p style="font-size:small;margin:0px;font-family:Helvetica">
              Mirantis Inc.</p>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
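    <p>The design the thread converges on (a deployer-named admin role resolved through a "context_is_admin" policy rule, plus a fixed is_admin flag that code sets on a copied context to elevate for one narrow step) is easy to get subtly wrong, so here is a small model of it. This is an added example, not Nova's or Climate's code: the Context class, the check() evaluator and the SAMPLE_POLICY rules are constructed for illustration, and the rule syntax is a deliberately tiny subset modelled on the "role:&lt;name&gt;", "is_admin:True", "rule:&lt;name&gt;" and "or" forms of the Nova policy language.</p>

```python
"""Model of the is_admin / context_is_admin pattern discussed above.

Added example, not OpenStack code.  Assumptions: the rule grammar is a
tiny subset of Nova's ("role:X", "is_admin:True", "rule:NAME", joined by
" or "), and SAMPLE_POLICY is a constructed policy.json-style mapping.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List

# Constructed sample policy.  The deployer names the admin role here, so
# application code never hardcodes 'admin'; renaming the role only touches
# this file.  Code-level elevation still works because of the is_admin atom.
SAMPLE_POLICY: Dict[str, str] = {
    "context_is_admin": "role:TheVerySpecialAdmin or is_admin:True",
    "lease:create": "rule:context_is_admin",
    "lease:get": "rule:context_is_admin or role:member",
}


@dataclass(frozen=True)
class Context:
    """Request context: who is calling, with which roles, and whether the
    calling code has explicitly elevated itself."""
    user_id: str
    roles: List[str] = field(default_factory=list)
    is_admin: bool = False

    def elevated(self) -> "Context":
        """Return a copy with is_admin=True and every other field unchanged.

        The original context is frozen and untouched, so the elevation is
        scoped to whatever is done with the returned object and cannot leak
        back into the caller's context (the "revert context back" step in
        the thread happens for free when the copy goes out of scope)."""
        return replace(self, is_admin=True)


def _match_atom(atom: str, ctx: Context, policy: Dict[str, str]) -> bool:
    """Evaluate one 'kind:value' atom against the context."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "is_admin":
        return ctx.is_admin == (value == "True")
    if kind == "rule":
        return check(value, ctx, policy)       # delegate to a named rule
    raise ValueError(f"unknown policy atom: {atom!r}")


def check(rule_name: str, ctx: Context, policy: Dict[str, str]) -> bool:
    """Evaluate a named rule.  Unknown rules deny, i.e. the check fails closed
    rather than silently granting access on a typo in policy.json."""
    expr = policy.get(rule_name)
    if expr is None:
        return False
    return any(_match_atom(atom.strip(), ctx, policy)
               for atom in expr.split(" or "))


def context_is_admin(ctx: Context, policy: Dict[str, str]) -> bool:
    """What Nova's context creation consults: admin if the deployer's chosen
    role is present OR the code-level is_admin flag is set."""
    return check("context_is_admin", ctx, policy)


def create_lease_with_internal_admin_step(ctx: Context,
                                          policy: Dict[str, str]) -> dict:
    """Typical use: authorise the caller on their own context, then run one
    internal step on an elevated copy, never on the caller's context."""
    if not check("lease:get", ctx, policy):
        return {"allowed": False, "caller_admin_after": ctx.is_admin}
    admin_ctx = ctx.elevated()
    internal_ok = check("lease:create", admin_ctx, policy)
    return {"allowed": True,
            "internal_step_ok": internal_ok,
            "caller_admin_after": ctx.is_admin}   # still False for a member


if __name__ == "__main__":
    member = Context("u1", ["member"])
    print(create_lease_with_internal_admin_step(member, SAMPLE_POLICY))
```

    <p>The point to notice is the last field of the returned dict: a member's own context never becomes admin, only the short-lived copy does, which is the property that makes a fixed is_admin flag safe to expose to code while the admin role name stays entirely under the deployer's control.</p>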
    <br>
  </body>
</html>