[Openstack-operators] [Glance] Default policy in policy.json

Andrew Laski andrew at lascii.com
Tue Jun 21 17:28:18 UTC 2016



On Tue, Jun 21, 2016, at 12:27 PM, Adam Young wrote:
> On 06/20/2016 10:09 PM, Michael Richardson wrote:
> > On Fri, 17 Jun 2016 16:27:54 +0000
> > <snip>
> >> Also which would be preferred "role:admin" or "!"? Brian points out on [1] that "!" would, in effect, notify the admins that a policy is not defined as they would be unable to perform the action themselves.
> > +1 for "!" (and brilliant that the Glance project are being proactive on this front; hopefully the others will follow suit).
> >
> > Cheers,
> > Michael Richardson.
> >
> >>
> >> Thanks,
> >>
> >> Niall
> >>
> >>
> >> 1. https://review.openstack.org/#/c/330443/
> >>
> >> _______________________________________________
> >> OpenStack-operators mailing list
> >> OpenStack-operators at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> >
> We are working on making the "admin and is_admin_project" a reality.
> That should be the default, but we can submit that once things are
> working.

There has been some work done in oslo.policy recently
(https://review.openstack.org/#/c/309152/), and is being incorporated by
Nova (https://review.openstack.org/#/c/290155/), which eliminates the
need for a default rule. It works by having every rule that a project
uses register a default policy for that rule, so there is never a check
that falls through to the default rule. I would recommend that Glance
take a look at using that mechanism to provide a standard policy set for
deployers.
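
The difference between falling through to a "default" rule and registering a default per rule, as an added example that is not part of the original message and is not oslo.policy's code. It is a simplified model: the class and function names, the rule names and the credentials are constructed for illustration, and only the check strings "!", "@" and "role:<name>" are handled.

```python
# Simplified model of policy evaluation, not oslo.policy itself.
# Only three check strings are modelled: "!" (never), "@" (always), "role:<name>".
def check(check_str, creds):
    if check_str == "!":
        return False
    if check_str == "@":
        return True
    kind, _, value = check_str.partition(":")
    if kind != "role":
        raise ValueError("unsupported check: %r" % check_str)
    return value in creds["roles"]

class FallThroughEnforcer:
    """A rule missing from the policy file is decided by its "default" entry."""
    def __init__(self, file_rules):
        self.rules = dict(file_rules)

    def enforce(self, name, creds):
        # Model assumption: with no "default" entry either, the check is denied.
        return check(self.rules.get(name, self.rules.get("default", "!")), creds)

class RegisteredEnforcer:
    """Each rule carries an in-code default; the file can only override by name."""
    def __init__(self, file_rules):
        self.file_rules = dict(file_rules)
        self.defaults = {}

    def register_default(self, name, check_str):
        self.defaults[name] = check_str

    def enforce(self, name, creds):
        # Model assumption: checking a rule nobody registered is a code bug.
        if name not in self.defaults:
            raise KeyError("policy %r was never registered" % name)
        return check(self.file_rules.get(name, self.defaults[name]), creds)

MEMBER = {"roles": ["member"]}   # constructed credentials
ADMIN = {"roles": ["admin"]}

def fall_through(default_rule):
    # Constructed policy file that forgot to define "delete_image".
    e = FallThroughEnforcer({"default": default_rule, "get_image": "@"})
    return e.enforce("delete_image", MEMBER), e.enforce("delete_image", ADMIN)

def registered(default_rule):
    e = RegisteredEnforcer({"default": default_rule, "get_image": "@"})
    e.register_default("get_image", "@")
    e.register_default("delete_image", "role:admin")
    return e.enforce("delete_image", MEMBER), e.enforce("delete_image", ADMIN)
```

Each function returns the (member, admin) outcome for the undefined "delete_image" rule: with fall-through it tracks whatever "default" is set to, including "!" locking out admins as discussed in the thread, while with registered defaults the file's "default" entry has no effect on it.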




