<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Well, I'm guessing the best way is the
contrary: Swann needing to rebase from the change I proposed about
policies. The latter is still a draft; I'm committing myself to
finishing it by today.<br>
<br>
-Sylvain<br>
<br>
On 20/11/2013 12:42, Dina Belova wrote:<br>
</div>
<blockquote
cite="mid:CACsCO2xhvi1KmYOEVp8JOMjZsG11dBpH7VjNpqqd_ZYw2RvvLQ@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div dir="ltr">I suppose it's ok - just rebase from Swann's commit
to have the is_admin param to use.</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Nov 20, 2013 at 3:21 PM,
Sylvain Bauza <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:sylvain.bauza@bull.net" target="_blank">sylvain.bauza@bull.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi Yuriy,<br>
<br>
On 20/11/2013 11:56, Yuriy Taraday wrote:<br>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">Looking at
implementations in Keystone and Nova, I found
the only use for is_admin, but it is essential.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Whenever in code you need
to run a piece of code with admin privileges,
you can create a new context with is_admin=True
keeping all other parameters as is, run code
requiring admin access and then revert context
back.</div>
<div class="gmail_extra">My first thought was:
"Hey, why don't they just add an 'admin' role
then?". But what if in the current deployment the admin
role is named something like 'TheVerySpecialAdmin'? What
if the user has tweaked policy.json to better suit
one's needs?</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">So my current
understanding is (and I suggest following this
logic):</div>
<div class="gmail_extra">- 'admin' role in
context.roles can vary, it's up to cloud admin
to set necessary value in policy.json;</div>
<div class="gmail_extra">- the 'is_admin' flag is used
to elevate privileges from code and its name is
fixed;</div>
<div class="gmail_extra">- policy check should
assume that user is admin if either special role
is present or is_admin flag is set.<br>
</div>
</div>
</blockquote>
<br>
<br>
</div>
</div>
Yes indeed, that's something that came to my mind. Looking
at Nova, I found a "context_is_admin" policy in
policy.json allowing you to say which role is admin or not
[1], which is matched in policy.py [2], which itself is
called when creating a context [3].<br>
<br>
I'm OK copying that, any objections to it?<br>
<br>
<br>
[1] <a moz-do-not-send="true"
href="https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L2"
target="_blank">https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L2</a><br>
[2] <a moz-do-not-send="true"
href="https://github.com/openstack/nova/blob/master/nova/policy.py#L116"
target="_blank">https://github.com/openstack/nova/blob/master/nova/policy.py#L116</a><br>
[3] <a moz-do-not-send="true"
href="https://github.com/openstack/nova/blob/master/nova/context.py#L102"
target="_blank">https://github.com/openstack/nova/blob/master/nova/context.py#L102</a>
</div>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">
<div
style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
<p style="font-size:small;margin:0px;font-family:Helvetica">
Best regards,</p>
<p style="font-size:small;margin:0px;font-family:Helvetica">Dina
Belova</p>
<p style="font-size:small;margin:0px;font-family:Helvetica">Software
Engineer</p>
<p style="font-size:small;margin:0px;font-family:Helvetica">
Mirantis Inc.</p>
</div>
</div>
</div>
<br>
</blockquote>
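<p>The is_admin/policy flow discussed in the thread, as an added example that is neither the thread's code nor Nova's or Keystone's: the policy rules, the Context class, the rule names and the user and role names are all constructed, and the rule grammar is only a small "or"-joined subset of what Nova's policy.py accepts. It shows the three points Yuriy lists: the admin role name is a deployment choice in policy.json, the is_admin flag is set by code on a copied context and "reverted" by dropping the copy, and checks pass if either the role or the flag is present.</p>

```python
from dataclasses import dataclass, replace

# Constructed policy (stands in for an edited policy.json); only
# context_is_admin has to know that the admin role was renamed.
POLICY = {
    "context_is_admin": "role:TheVerySpecialAdmin",
    "admin_required": "is_admin:True",
    "resource:delete": "rule:admin_required or role:owner",
}


@dataclass(frozen=True)
class Context:
    user: str
    roles: tuple = ()
    is_admin: bool = False

    @classmethod
    def create(cls, user, roles):
        # Like Nova's context creation: the flag is derived from the rule,
        # so code never hard-codes a role name.
        ctx = cls(user, tuple(roles))
        return replace(ctx, is_admin=check(ctx, "context_is_admin"))

    def elevated(self):
        """Copy with admin rights; the caller keeps the original to revert to."""
        return replace(self, is_admin=True)


def _term(atom, ctx):
    """Evaluate one 'kind:value' term of a rule against the context."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "is_admin":
        return ctx.is_admin and value == "True"
    if kind == "rule":
        return check(ctx, value)
    raise ValueError(f"unknown check {atom!r}")


def check(ctx, rule):
    """True if any 'or'-separated term matches; an undefined rule fails closed."""
    expr = POLICY.get(rule)
    if expr is None:
        return False
    return any(_term(t.strip(), ctx) for t in expr.split(" or "))


def enforce(ctx, action):
    if not check(ctx, action):
        raise PermissionError(f"{ctx.user} may not {action}")
    return True
```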
<br>
</body>
</html>