[openstack-dev] view-only use case but APIs are admin-only

Michael J Fork mjfork at us.ibm.com
Wed May 1 21:56:37 UTC 2013


"Bak, Ed (HPCS Fort Collins)" <ed.bak2 at hp.com> wrote on 04/25/2013 12:58:07 PM:

> From: "Bak, Ed (HPCS Fort Collins)" <ed.bak2 at hp.com>
> To: OpenStack Development Mailing List <openstack-dev at lists.openstack.org>,
> Date: 04/25/2013 03:18 PM
> Subject: Re: [openstack-dev] view-only use case but APIs are admin-only
>
> We also have a need for various explicit roles which we can’t put in
> place because of this issue. I have also noticed cases where
> certain rules aren’t granular enough and several places where an
> incorrect policy returns an HTTP 500 instead of an HTTP 403. I’m
> willing to fix all of this but I would like some buy in on a
> solution before I submit the code in order to minimize rework. I
> can turn this discussion into a blueprint if that is more
> appropriate. I would like to propose the following:
>
> 1. Remove the require_admin_context everywhere. Access to
> actions will then only be controlled through roles specified through
> policy.json.
> 2. Fix the cases where a single rule can apply to multiple
> actions. In most cases the groupings make sense, but making things
> as granular as possible will allow everyone to define rules and
> roles in the most flexible way possible.
> 3. Fix the error handling so that invalid permissions always
> return a 403.
> 4. Remove the concept of a default rule. In order to avoid
> inadvertently opening up any current admin only functions, the
> default behavior when a rule is not specified should be a failure
> (or maybe require admin in this case).

+1 to all these proposals (and to turning this into a blueprint).

Just for clarity, are you talking about fixing Nova only or across all the
projects?

Michael

-------------------------------------------------
Michael Fork
Architect, OpenStack Development
IBM Systems & Technology Group
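As an added illustration of the proposals quoted above (this is example code written for this page, not code from the thread, Nova or oslo.policy), a minimal evaluator for a small subset of the policy.json rule language: it grants a view-only "viewer" role read actions only, keeps admin actions closed, and uses an explicit deny default so an action nobody wrote a rule for fails instead of silently opening up. The action names, the "viewer" role and the supported check syntax are assumptions.

```python
import json

# Constructed policy.json fragment (action names assumed for illustration):
# a "viewer" role may only read, admin-only actions stay closed, and the
# default rule is "!" (deny) so an action with no explicit rule is refused.
POLICY_JSON = """{
    "context_is_admin": "role:admin",
    "admin_or_viewer": "rule:context_is_admin or role:viewer",
    "default": "!",
    "compute:get_all": "rule:admin_or_viewer",
    "compute:get": "rule:admin_or_viewer",
    "compute:start": "rule:context_is_admin",
    "compute:delete": "rule:context_is_admin"
}"""

class PolicyNotAuthorized(Exception):
    """Raised on a failed check; the API layer should map this to HTTP 403."""

def _check(expr, rules, creds):
    # Supported subset of the rule language: "" (always allow), "!" (never
    # allow), "role:NAME", "rule:NAME" and " or " between checks.
    expr = expr.strip()
    if expr == "":
        return True
    if expr == "!":
        return False
    if " or " in expr:
        return any(_check(part, rules, creds) for part in expr.split(" or "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":  # an undefined named rule falls back to the default
        return _check(rules.get(value, rules.get("default", "!")), rules, creds)
    raise ValueError("unsupported check: %r" % expr)

def enforce(rules, action, creds):
    """Raise PolicyNotAuthorized unless creds satisfy the rule for action."""
    expr = rules.get(action, rules.get("default", "!"))  # unknown action -> default
    if not _check(expr, rules, creds):
        raise PolicyNotAuthorized(action)
    return True

def is_allowed(rules, action, creds):
    try:
        return enforce(rules, action, creds)
    except PolicyNotAuthorized:
        return False

RULES = json.loads(POLICY_JSON)
VIEWER = {"roles": ["viewer"]}
```

Swapping the default to "" (the permissive form) lets the same unknown action through for the viewer, which is the inadvertent opening the fourth proposal warns about.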