[openstack-dev] [Ceilometer] Policy Issue

Sampath Priyankara sampath.priyankara at lab.ntt.co.jp
Wed Apr 30 06:18:37 UTC 2014


Hi ZhiQiang,

 Found this discussion after I filed the bug report.
  https://bugs.launchpad.net/ceilometer/+bug/1314372

 Sorry for that.
 
 More than happy to work with you on the following BP to implement more
advanced and user-friendly policy settings for ceilometer.
 https://blueprints.launchpad.net/ceilometer/+spec/advanced-policy-rule

In your BP, 
"For now, a non-admin user can delete alarm created by other user in same
tenant, which seems not so good, after this bp is implemented, we can change
the default behavior very easily if we want."

 I was thinking, at least we need role-based rules and generic rules (e.g.
tenant_id:%(tenant_id)s) support in policy.json.
 Let me know your plans and also if you need any help.

Best regards,
          Sampath

> -----Original Message-----
> From: Julien Danjou [mailto:julien at danjou.info]
> Sent: Monday, February 10, 2014 7:42 PM
> To: ZhiQiang Fan
> Cc: OpenStack Development Mailing List
> Subject: Re: [openstack-dev] [Ceilometer] Policy Issue
> 
> On Mon, Feb 10 2014, ZhiQiang Fan wrote:
> 
> > So, is this loose policy limit designed purposely, or is it just a simple
> > implementation for policy?
> 
> It's just nobody stepped up to implement a more complete one, indeed.
> 
> > So, is there any opportunity to implement more strict policy check,
> > for i.e. a normal user can read resources created by other users (to
> > be stricter, may disable this too), but read+write for his own?
> >
> > I'd like to get some help or advice before creating a blueprint
> 
> Yep, go ahead and create a blueprint. :) If you need help, just ask on
> this list or on IRC.
> 
> --
> Julien Danjou
> -- Free Software hacker - independent consultant
> -- http://julien.danjou.info
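
Added example, not part of the original message and not Ceilometer or oslo code: a simplified evaluator for the two rule kinds mentioned above (role-based and the generic tenant_id:%(tenant_id)s form). It shows why a tenant-scoped rule lets another user in the same tenant delete an alarm, and how adding a user_id check restricts deletion to the owner. The rule strings, users and alarm are constructed for illustration.

```python
# Simplified evaluator for two policy.json check kinds: "role:<name>" and
# the generic "<cred_key>:%(<target_key>)s". Illustration only; this is
# not the oslo or ceilometer implementation.

def check(atom, creds, target):
    kind, _, match = atom.strip().partition(":")
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:
        expected = match % target   # fill %(tenant_id)s etc. from the target
    except KeyError:
        return False                # target lacks the attribute: deny
    return kind in creds and str(creds[kind]) == expected


def enforce(rule, creds, target):
    """rule: checks joined by ' or ' / ' and ' ('and' binds tighter)."""
    return any(
        all(check(a, creds, target) for a in alt.split(" and "))
        for alt in rule.split(" or ")
    )


# Constructed sample data: two users in the same tenant, one alarm.
ALARM = {"tenant_id": "t1", "user_id": "alice"}
ALICE = {"tenant_id": "t1", "user_id": "alice", "roles": ["member"]}
BOB = {"tenant_id": "t1", "user_id": "bob", "roles": ["member"]}
ADMIN = {"tenant_id": "t9", "user_id": "root", "roles": ["admin"]}

# Hypothetical rules for an alarm-delete action.
TENANT_SCOPED = "role:admin or tenant_id:%(tenant_id)s"
OWNER_SCOPED = "role:admin or tenant_id:%(tenant_id)s and user_id:%(user_id)s"

if __name__ == "__main__":
    # Columns: user, allowed by tenant-scoped rule, allowed by owner-scoped rule
    for name, creds in (("alice", ALICE), ("bob", BOB), ("admin", ADMIN)):
        print(name,
              enforce(TENANT_SCOPED, creds, ALARM),
              enforce(OWNER_SCOPED, creds, ALARM))
```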




