<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 12, 2014 at 10:30 AM, Yee, Guang <span dir="ltr"><<a href="mailto:guang.yee@hp.com" target="_blank">guang.yee@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Kristy,<br>
<br>
Have you try the "[]" or "@" rule as mentioned here?<br></blockquote><div><br></div><div>That still requires valid authentication though, just not any specific authorization. I don't think we have a way to express truly public resources in oslo.policy.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<a href="https://github.com/openstack/keystone/blob/master/keystone/openstack/common/
policy.py#L71" target="_blank">https://github.com/openstack/keystone/blob/master/keystone/openstack/common/<br>
policy.py#L71</a><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
Guang<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
> -----Original Message-----<br>
> From: K.W.S.Siu [mailto:<a href="mailto:K.W.S.Siu@kent.ac.uk">K.W.S.Siu@kent.ac.uk</a>]<br>
> Sent: Tuesday, August 12, 2014 3:44 AM<br>
> To: openstack Mailing List<br>
> Subject: [openstack-dev] [keystone] Configuring protected API functions<br>
> to allow public access<br>
><br>
> Hi All,<br>
><br>
> Correct me if I am wrong but I don't think you can configure the<br>
> Keystone policy.json to allow public access to an API function, as far<br>
> as I can tell you can allow access to any authenticated user regardless<br>
> of role assignments but not public access.<br>
><br>
> My use case is a client which allows users to query for a list of<br>
> supported identity providers / protocols so that the user can then<br>
> select which provider to authenticate with - as the user is<br>
> unauthenticated at the time of the query the request needs to allow<br>
> public access to the 'List Identity Providers' API function.<br>
><br>
> I can remove the protected decorator from the required functions but<br>
> this is a nasty hack.<br>
><br>
> I suggest that it should be possible to configure this kind of access<br>
> rule on a deployment by deployment basis and I was just hoping to get<br>
> some thoughts on this.<br>
><br>
> Many thanks,<br>
> Kristy<br>
> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div><br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>