[openstack-dev] [Climate] How we agree to determine that an user has admin rights ?

Yuriy Taraday yorik.sar at gmail.com
Wed Nov 20 16:52:41 UTC 2013


Hello, Dolph.

On Wed, Nov 20, 2013 at 8:42 PM, Dolph Mathews <dolph.mathews at gmail.com> wrote:

>
> On Wed, Nov 20, 2013 at 10:24 AM, Yuriy Taraday <yorik.sar at gmail.com> wrote:
>
>>
>> context.is_admin should not be checked directly from code, only through
>> policy rules. It should be set only if we need to elevate privileges from
>> code. That should be the meaning of it.
>>
>
> is_admin is short-sighted and not at all granular -- it needs to die, so
> avoid imitating it.
>

I suggest keeping it in case we need to elevate privileges from code. In
this case we can't rely on roles so just one flag should work fine.
As I said before, we should avoid setting or reading is_admin directly from
code. It should be set only in context.elevated and read only by
"admin_required" policy rule.

Does this sound reasonable?

-- 

Kind regards, Yuriy.
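
An added example, not part of the original message and not Climate's code: a minimal sketch of the arrangement described above, where is_admin is written only by elevated() and read only through the "admin_required" policy rule. The RequestContext class, the rule table and the "lease:delete" action name are constructed for illustration.

```python
import dataclasses


class PolicyNotAuthorized(Exception):
    """Raised when a policy rule rejects the request."""


@dataclasses.dataclass(frozen=True)
class RequestContext:  # hypothetical, not Climate's actual class
    user_id: str = None
    roles: tuple = ()
    is_admin: bool = False  # never set or read by service code directly

    def elevated(self):
        """Only writer of is_admin: return a privileged copy, leave self as is."""
        return dataclasses.replace(self, is_admin=True)

    def to_policy_values(self):
        """Only reader path: credentials handed to the policy engine."""
        return {"user_id": self.user_id, "roles": self.roles,
                "is_admin": self.is_admin}


def admin_required(creds, target):
    # Roles decide for real users; the flag covers code-initiated elevation,
    # where the context carries no roles at all.
    return "admin" in creds["roles"] or creds["is_admin"]


def admin_or_owner(creds, target):
    return admin_required(creds, target) or (
        creds["user_id"] is not None and creds["user_id"] == target.get("user_id"))


# Constructed rule table; "lease:delete" is an illustrative action name.
RULES = {"admin_required": admin_required, "lease:delete": admin_or_owner}


def enforce(context, action, target=None):
    """Raise unless the named rule passes; unknown actions are denied."""
    rule = RULES.get(action)
    if rule is None or not rule(context.to_policy_values(), target or {}):
        raise PolicyNotAuthorized(action)
    return True


def cleanup_expired_lease(lease):
    """Periodic task: no user, no roles, so it elevates explicitly."""
    ctx = RequestContext().elevated()
    return enforce(ctx, "lease:delete", lease)
```

Service code calls only enforce() and elevated(); the frozen dataclass makes an in-place `ctx.is_admin = True` fail, so elevation always produces a distinct context object.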