[openstack-dev] Do we still need "require_admin_context" on DB operations in Nova now we have policy.json?

Day, Phil philip.day at hp.com
Wed Feb 27 18:57:18 UTC 2013


Hi Folks,

With the policy controls now in place, I'm wondering if we can remove at least some of the @require_admin_context decorators in the DB layer.

The particular use case I was trying to address is to create a role in Keystone that would allow selected users to be able to make quota changes, without having to give them the admin role. Seems that this is easy enough to do in principle in policy.json - but the action will currently still get blocked at the DB layer.

I know that some other operations (like lock) get around this by calling context.elevated() after the policy check, but wondered if there was a reason for going down that route rather than just removing the "must be admin" check in the DB layer?

Thanks
Phil
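
An added example, not part of the original message and not Nova's code: a simplified Python model of the two authorization layers the message describes, showing a non-admin role passing the policy check but being refused at the DB layer unless the context is elevated. The `quota_manager` role, the `quota:update` rule, and the `api_quota_update`, `db_quota_update` and `outcome` names are hypothetical.

```python
import functools

class Forbidden(Exception):
    pass

class RequestContext:
    """Simplified stand-in for a request context (not Nova's class)."""
    def __init__(self, roles, is_admin=False):
        self.roles = set(roles)
        self.is_admin = is_admin

    def elevated(self):
        # Copy of the context with the admin flag set, as the message describes.
        return RequestContext(self.roles, is_admin=True)

# Constructed rule standing in for a policy.json entry; names are hypothetical.
POLICY = {"quota:update": {"admin", "quota_manager"}}

def enforce(context, action):
    if not POLICY[action] & context.roles:
        raise Forbidden("policy: %s denied" % action)

def require_admin_context(func):
    @functools.wraps(func)
    def wrapper(context, *args, **kwargs):
        if not context.is_admin:
            raise Forbidden("db: admin context required")
        return func(context, *args, **kwargs)
    return wrapper

QUOTAS = {}

@require_admin_context
def db_quota_update(context, project_id, resource, limit):
    QUOTAS[(project_id, resource)] = limit
    return limit

def api_quota_update(context, project_id, resource, limit, elevate):
    enforce(context, "quota:update")            # API-layer policy check
    db_context = context.elevated() if elevate else context
    return db_quota_update(db_context, project_id, resource, limit)

def outcome(roles, elevate):
    """Return 'ok' or the layer that refused the call."""
    try:
        api_quota_update(RequestContext(roles), "proj-1", "instances", 20, elevate)
        return "ok"
    except Forbidden as exc:
        return str(exc).split(":")[0]
```

In the elevated path the policy rule is the only gate in front of the DB call, so any rule that is too permissive is no longer backstopped by the DB-layer check.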