<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Yuriy, Dolph et al.<br>
<br>
      I'm implementing a climate.policy.check_is_admin(ctx) which will
      look at the policy.json entry 'context_is_admin' to know which
      roles have elevated rights for Climate.<br>
      <br>
      This check must be called when creating a context to know if
      we can allow extra rights. The is_admin flag is pretty handsome
      because it can be triggered upon that check.<br>
      <br>
      If we say that one is bad, how should we manage that?<br>
<br>
-Sylvain<br>
<br>
<br>
<br>
      On 21/11/2013 06:18, Yuriy Taraday wrote:<br>
</div>
<blockquote
cite="mid:CABocrW72HDxdbzTT7j-jODosRk=-XKrP3Vj=05qGhxYa=1acqQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Wed, Nov 20, 2013 at 9:57 PM,
            Dolph Mathews <span dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a>&gt;</span>
wrote:
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div class="im">On Wed, Nov 20, 2013 at 10:52 AM,
                    Yuriy Taraday <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:yorik.sar@gmail.com"
                        target="_blank">yorik.sar@gmail.com</a>&gt;</span>
wrote:
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>On Wed, Nov 20, 2013 at 8:42 PM,
                              Dolph Mathews <span dir="ltr">&lt;<a
                                  moz-do-not-send="true"
                                  href="mailto:dolph.mathews@gmail.com"
                                  target="_blank">dolph.mathews@gmail.com</a>&gt;</span>
wrote:</div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>
                                    <div>is_admin is short-sighted
                                      and not at all granular -- it
                                      needs to die, so avoid
                                      imitating it.</div>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div> I suggest keeping it in case we need
to elevate privileges from code.</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</div>
<div>Can you expand on this point? It sounds like
you want to ignore the deployer-specified
authorization configuration...</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
            <div style="">No, we're not ignoring it. In Keystone we have
              two options to become an admin: either have an 'admin'-like
              role (set in policy.json by the deployer) or have 'is_admin'
              set (the only way in Keystone is to pass the configured
              admin_token). We don't have a bootstrap problem in any other
              services, so we don't need any admin_token. But we might
              need to run code that requires admin privileges for a user
              that doesn't have them. Other projects use
              get_admin_context() or something like that for this.</div>
<div style="">I suggest we keep the option to have such
'in-code sudo' using is_admin that will be mentioned in
policy.json, but limit is_admin usage to just that.</div>
<div style=""><br>
</div>
</div>
-- <br>
<br>
<div>Kind regards, Yuriy.</div>
</div>
</div>
<pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
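A minimal sketch of the mechanism discussed in this thread, added here as an example and not code from Climate, Keystone or any of the posters: a simplified rule evaluator (not the OpenStack policy engine) derives is_admin from the 'context_is_admin' entry when a context is created, and get_admin_context() shows the 'in-code sudo' path. The policy content, the 'climate_admin' role and the 'example:admin_action' rule are constructed for illustration.

```python
import json

# Constructed policy.json content; 'climate_admin' and 'example:admin_action'
# are hypothetical names used only for this example.
POLICY = json.loads("""
{
  "context_is_admin": "role:admin or role:climate_admin",
  "example:admin_action": "rule:context_is_admin or is_admin:True"
}
""")


class Context:
    def __init__(self, user_id, roles, is_admin=None):
        self.user_id = user_id
        self.roles = [r.lower() for r in roles]
        # Derived from the deployer's policy unless code sets it explicitly.
        self.is_admin = check_is_admin(self) if is_admin is None else is_admin


def _check(expr, ctx, seen=()):
    """Evaluate 'or'-joined role:, rule: and is_admin: checks (simplified)."""
    for term in expr.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value.lower() in ctx.roles:
            return True
        if kind == "is_admin" and value == "True" \
                and getattr(ctx, "is_admin", False) is True:
            return True
        # 'seen' stops rules that reference each other from looping forever.
        if kind == "rule" and value not in seen and value in POLICY:
            if _check(POLICY[value], ctx, seen + (value,)):
                return True
    return False  # unknown checks and missing rules deny


def check_is_admin(ctx):
    """True if the context's roles satisfy the 'context_is_admin' rule."""
    return _check(POLICY.get("context_is_admin", ""), ctx)


def enforce(action, ctx):
    return _check(POLICY.get(action, ""), ctx)


def get_admin_context():
    # 'In-code sudo': no roles at all, only the flag. It passes only those
    # rules that mention is_admin, so the deployer's policy still decides.
    return Context(user_id=None, roles=[], is_admin=True)
```

The elevated context fails check_is_admin() because it carries no role; it passes 'example:admin_action' only because that rule names is_admin explicitly.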
</body>
</html>