[openstack-dev] Difference between RBAC polices thats stored in policy.json and policies that can be created using openstack/identity/v3/policies
Henry Nash
henryn at linux.vnet.ibm.com
Wed Aug 14 09:14:25 UTC 2013
Hi Sudheesh,
Using v3/policies is just a way of allowing other keystone projects (nova, glance) etc. a place to centrally store/access their policy files. Keystone does not interpret any of the data you store here - it is simply acting as a central repository (where you can store a big blob of data that is, in effect, your policy file). So the only place you can set policies is in the policy file.
Henry
On 13 Aug 2013, at 08:22, sudheesh sk wrote:
> Hi ,
>
> I am trying to understand Difference between RBAC polices thats stored in policy.json and policies that can be created using openstack/identity/v3/policies.
>
> I got answer from openstack forum that I can use both DB and policy.json based implementation for RBAC policy management.
>
> Can you please tell me how to use DB based RBAC ? I can elaborate my question
> 1. In policy.json(keystone) I am able to define rule called - admin_required
> 2. Similarly I can define rules line custome_role_required
> 3. Then I can add this rule against each services (like for eg : identity:list_users = custom_role_required How can I use this for DB based RBAC policies? Also there are code like self.policy_api.enforce(context, creds, 'admin_required', {}) in many places (this is in wsgi.py)
>
> How can I utilize the same code and at the same time move the policy definition to DB
>
> Thanks a million,
> Sudheesh
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130814/6c3059b8/attachment.html>
More information about the OpenStack-dev
mailing list