[openstack-dev] [Glance] property protections -- final call for comments

stuart.mclaren at hp.com
Fri Jul 26 16:56:42 UTC 2013


Hi Brian,

Firstly, thanks for all your great work here!

Some feedback:

1) Is there a clash with existing user properties?

For currently deployed systems a user may have an existing property 'foo: bar'.
If we restrict property access (by virtue of allowing only owner_xxx)
can the user update this previously existing property?

2) "A nice feature of this scheme is that the cloud provider can pick an arbitrary
informal namespace for this purpose and educate users appropriately."

How about having the user properties area be always the same?
It would be more consistent/predictable -- is there a downside?

3) We could potentially link roles to the regex

e.g. this could allow role1_xxx to be writable only if you have 'role1'.
By assigning appropriate roles (com.provider/com.partner/nova?) you
could provide the ability to write to that prefix without config file
changes.

Thanks,

-Stuart

> After lots of discussion, I think we've come to a consensus on what property protections should look like in Glance.  Please reply with comments!
>
> The blueprint: https://blueprints.launchpad.net/glance/+spec/api-v2-property-protection
>
> The full specification: https://wiki.openstack.org/wiki/Glance-property-protections
>   (it's got a Prior Discussion section with links to the discussion etherpads)
>
> A "product" approach to describing the feature: https://wiki.openstack.org/wiki/Glance-property-protections-product
>
> cheers,
> brian
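
An added sketch, not part of the thread and not Glance code, of the role-linked prefix idea in point 3 and of the clash with existing properties raised in point 1. The rule format, the function names, the sample properties and the treatment of "owner" as a role are all assumptions made for illustration.

```python
import re

# Hypothetical rule: a property named "<role>_<rest>" is writable only by a
# caller holding <role>. "owner" is treated here as a role the image owner has.
PREFIX_RE = re.compile(r"^(?P<role>[A-Za-z0-9.]+)_(?P<rest>.+)$")

# Constructed sample: properties already present on a deployed image.
SAMPLE_PROPS = {"foo": "bar", "owner_note": "test image", "role1_tier": "gold"}


def required_role(prop_name):
    """Return the role implied by the property's prefix, or None if it has none."""
    match = PREFIX_RE.match(prop_name)
    return match.group("role") if match else None


def can_write(prop_name, caller_roles):
    """Default deny: an unprefixed name is writable by nobody."""
    role = required_role(prop_name)
    return role is not None and role in caller_roles


def locked_out(existing_props, caller_roles):
    """List existing properties the caller could no longer update (point 1)."""
    return sorted(n for n in existing_props if not can_write(n, caller_roles))


if __name__ == "__main__":
    # An owner without 'role1' loses write access to the legacy 'foo' property.
    print(locked_out(SAMPLE_PROPS, {"owner"}))
    # Granting 'role1' opens the role1_ prefix without a config file change.
    print(locked_out(SAMPLE_PROPS, {"owner", "role1"}))
```

Under this rule a pre-existing name such as 'my_prop' would be read as belonging to a role called 'my', so a migration check like `locked_out` should be run before any role with that name is created.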


