[Openstack-operators] [Glance] Default policy in policy.json

Bunting, Niall niall.bunting at hpe.com
Fri Jun 17 16:27:54 UTC 2016


Hi,


Glance is planning to implement the patch [1], which affects the value of the 'default' policy.


This would make the following change in the policy.json:

- "default": ""

+ "default": "role:admin" (or to "!" to restrict everybody)


We are just wondering if the operators have any reason not to make this change. Our thinking is that this would be more restrictive for new policies, to stop users accidentally getting additional permissions when a policy is not explicitly stated. However, we may have overlooked something else.


Also, which would be preferred: "role:admin" or "!"? Brian points out on [1] that "!" would, in effect, notify the admins that a policy is not defined, as they would be unable to perform the action themselves.


Thanks,

Niall


1. https://review.openstack.org/#/c/330443/
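
The effect of the three candidate values on an action that policy.json does not list, as an added example that is not part of the original mail and is not Glance or oslo.policy code. It is a simplified evaluator that handles only the rule forms named in the mail; the sample policy and the action name `new_action` are constructed.

```python
# Simplified model of policy.json evaluation. Assumption: only the rule forms
# from the mail ("", "role:<name>", "!") are handled; this is not oslo.policy.
import json


def check(rule, roles):
    """Evaluate one rule string against the caller's set of roles."""
    if rule == "":            # empty rule: always allowed
        return True
    if rule == "!":           # never allowed, not even for admins
        return False
    if rule.startswith("role:"):
        return rule[len("role:"):] in roles
    raise ValueError(f"unsupported rule form: {rule!r}")


def enforce(policy, action, roles):
    """Use the action's own rule; fall back to 'default' when it is absent."""
    rule = policy[action] if action in policy else policy["default"]
    return check(rule, roles)


def undefined_action_matrix(default_value):
    """Who may perform an action that the policy file does not define?"""
    # Constructed sample policy; "new_action" below is a hypothetical action
    # that was added to the code without a matching policy entry.
    policy = json.loads('{"get_image": "", "delete_image": "role:admin"}')
    policy["default"] = default_value
    return {
        "member": enforce(policy, "new_action", {"member"}),
        "admin": enforce(policy, "new_action", {"admin"}),
    }


if __name__ == "__main__":
    for value in ("", "role:admin", "!"):
        print(repr(value), undefined_action_matrix(value))
```

Rules that are explicitly listed are unaffected by the default; only actions with no entry of their own pick it up.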


