[openstack-dev] [openstack-common]Add support for finer-grained policy decisions
Mark McLoughlin
markmc at redhat.com
Wed Oct 10 13:45:02 UTC 2012
Hey,
Just yanking this discussion out of gerrit so it doesn't get lost in a
closed review: https://review.openstack.org/14245
On Wed, 2012-10-10 at 01:55 +0000, Vish Ishaya (Code Review) wrote:
> I like the rewrites of the policy code, but I'm not so sure about this
> addition. Giving too much freedom in the control of policy rules leads
> to inconsistently defined rules. If some policy checks can return
> "roles" to allow for different behaviors then we have some policy
> controls being defined in the policy engine, and some in the how the
> results of the call are used. I can see this leading to a big mess in
> the future.
>
> I think the policy implementation is clearer when every complex policy
> decision is "denormalized" into one action and one target with a
> simple true-false response. If you want some roles to be able to (for
> example) modify a specific field, then there should be an action for
> modifying that particular field. Otherwise I think the policy will
> become overly complex and hard to follow.
That seems like a good point. I admit that I didn't pay enough attention
to how this would actually be used.
In the docs, Kevin says:
Consider a function that not only wants to check whether a user is
allowed to modify an object, but wants to see which set of fields the
user is allowed to modify. For this, we can use the new "case"
expression::
case {
"fulladmin" = role:admin;
"projectadmin" = project_id:%(project_id)s and role:projectadmin
}
If we take a specific example of admin_actions:pause, this would allow
the rule to not just say "the action is allowed" but also "the action is
allowed because the user is a full admin" or "the user is a project
admin".
The question then would be, what does nova do with that info? And if
nova might make a decision that something is allowed for "fulladmin" but
not "projectadmin", then why aren't they not two separate rules in the
policy? By hard-coding the "full vs project admin" decision in Nova, it
means it's not configurable in the policy.
Kevin - maybe you could elaborate more on the specific use case?
Cheers,
Mark.
More information about the OpenStack-dev
mailing list