<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 05/05/2016 05:54 PM, Dolph Mathews
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAC=h7gUzqGBaN_vvNQuUqQGDrffLUyJd-PzJW6rWhSTnBc4DwQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">My understanding from the summit session was that
        we should have a specific role defined in keystone's policy.json
        here:
        <div><br>
        </div>
        <div>  <a moz-do-not-send="true"
href="https://github.com/openstack/keystone/blob/a16287af5b7761c8453b2a8e278d78652497377c/etc/policy.json#L37">https://github.com/openstack/keystone/blob/a16287af5b7761c8453b2a8e278d78652497377c/etc/policy.json#L37</a></div>
        <div><br>
        </div>
        <div>Which grants access to nothing in keystone beyond that
          check. So, the new rule could be revised to something as
          generic as:</div>
        <div><br>
        </div>
        <div>  "identity:get_project": "rule:admin_required or
          project_id:%(target.project.id)s or
          role:identity_get_project",</div>
        <div><br>
        </div>
        <div>Where the new role name I appended at the end exactly
          matches the policy rule name.</div>
      </div>
    </blockquote>
    Would we expect to have the implied rule that Member implies
    identity_get_project?<br>
    <br>
    <br>
    <blockquote
cite="mid:CAC=h7gUzqGBaN_vvNQuUqQGDrffLUyJd-PzJW6rWhSTnBc4DwQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>However, unlike the summit discussion, which specified only
          providing access to HEAD /v3/projects/{project_id}, keystone's
          usage of policy unfortunately wraps both HEAD and GET with the
          same policy check.</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Thu, May 5, 2016 at 3:05 PM Augustina Ragwitz
          <<a moz-do-not-send="true"
            href="mailto:aragwitz.lists@pobox.com">aragwitz.lists@pobox.com</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm
          currently working on the spec for Project ID Validation in
          Nova<br>
          using Keystone. The outcome of the Design Summit Session was
          that the<br>
          Nova service user would use the Keystone policy to establish
          whether the<br>
          requester had access to the project at all to verify the id. I
          was<br>
          wondering if there were any code examples of a non-Keystone
          service<br>
          using the Keystone policy in this way?<br>
          <br>
          Also if I misunderstood something, please feel free to correct
          me or to<br>
          clarify!<br>
          <br>
          Here is the etherpad from the session:<br>
          <a moz-do-not-send="true"
            href="https://etherpad.openstack.org/p/newton-nova-keystone"
            rel="noreferrer" target="_blank">https://etherpad.openstack.org/p/newton-nova-keystone</a><br>
          And here is the current spec: <a moz-do-not-send="true"
            href="https://review.openstack.org/#/c/294337"
            rel="noreferrer" target="_blank">https://review.openstack.org/#/c/294337</a><br>
          <br>
          <br>
          --<br>
          Augustina Ragwitz<br>
          Sr Systems Software Engineer, HPE Cloud<br>
          Hewlett Packard Enterprise<br>
          ---<br>
          irc: auggy<br>
          <br>
__________________________________________________________________________<br>
          OpenStack Development Mailing List (not for usage questions)<br>
          Unsubscribe: <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
            rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
          <a moz-do-not-send="true"
            href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
            rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
        </blockquote>
      </div>
      <div dir="ltr">-- <br>
      </div>
      <div dir="ltr">-Dolph</div>
    </blockquote>
    <br>
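<p>As an added example (not code from the thread, from keystone or from oslo.policy), a minimal Python evaluator for the policy.json rule quoted above, with an implied-roles map so the "Member implies identity_get_project" question can be exercised; the policy entries, role names and project ids are constructed, and admin_required is simplified to role:admin.</p>

```python
# Constructed policy fragment: the identity:get_project rule as proposed in the
# thread, plus a simplified admin_required (real keystone also accepts is_admin:1).
POLICY = {
    "admin_required": "role:admin",
    "identity:get_project": ("rule:admin_required or "
                             "project_id:%(target.project.id)s or "
                             "role:identity_get_project"),
}

# Constructed implied-roles map (prior role -> implied roles): keystone expands
# these into the token, so a Member would carry identity_get_project implicitly.
IMPLIED_ROLES = {"Member": ["identity_get_project"]}

def expand_roles(roles, implied=IMPLIED_ROLES):
    """Transitively add implied roles to the roles named in the token."""
    seen, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(implied.get(role, []))
    return seen

def lookup(data, dotted):
    """Resolve 'target.project.id' against {'target': {'project': {'id': ..}}}."""
    for part in dotted.split("."):
        data = data.get(part) if isinstance(data, dict) else None
    return data

def check(rule, creds, target, policy=POLICY):
    """Evaluate one rule string; 'or' binds looser than 'and', as in oslo.policy."""
    if " or " in rule:
        return any(check(p, creds, target, policy) for p in rule.split(" or "))
    if " and " in rule:
        return all(check(p, creds, target, policy) for p in rule.split(" and "))
    kind, _, match = rule.strip().partition(":")  # split on the first colon only
    if kind == "rule":
        return check(policy[match], creds, target, policy)
    if kind == "role":
        return match in expand_roles(creds.get("roles", []))
    # Generic check: a credential field against a literal or a %(target...)s value.
    is_ref = match.startswith("%(") and match.endswith(")s")
    expected = lookup(target, match[2:-2]) if is_ref else match
    return expected is not None and str(creds.get(kind)) == str(expected)

def enforce(action, creds, target, policy=POLICY):
    """Mirror of policy.enforce(action, target, creds) for the constructed rules."""
    return check(policy[action], creds, target, policy)
```

With the implied-roles map emptied, a Member querying a project other than its own is denied, which is the difference the question above turns on.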
  </body>
</html>