[openstack-dev] [keystone] Configuring protected API functions to allow public access

Yee, Guang guang.yee at hp.com
Tue Aug 12 15:30:30 UTC 2014


Hi Kristy,

Have you tried the "[]" or "@" rule as mentioned here?

https://github.com/openstack/keystone/blob/master/keystone/openstack/common/policy.py#L71



Guang


> -----Original Message-----
> From: K.W.S.Siu [mailto:K.W.S.Siu at kent.ac.uk]
> Sent: Tuesday, August 12, 2014 3:44 AM
> To: openstack Mailing List
> Subject: [openstack-dev] [keystone] Configuring protected API functions
> to allow public access
> 
> Hi All,
> 
> Correct me if I am wrong but I don't think you can configure the
> Keystone policy.json to allow public access to an API function, as far
> as I can tell you can allow access to any authenticated user regardless
> of role assignments but not public access.
> 
> My use case is a client which allows users to query for a list of
> supported identity providers / protocols so that the user can then
> select which provider to authenticate with - as the user is
> unauthenticated at the time of the query the request needs to allow
> public access to the 'List Identity Providers' API function.
> 
> I can remove the protected decorator from the required functions but
> this is a nasty hack.
> 
> I suggest that it should be possible to configure this kind of access
> rule on a deployment by deployment basis and I was just hoping to get
> some thoughts on this.
> 
> Many thanks,
> Kristy
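As an added illustration (not part of the original thread and not Keystone's code), this audit sketch flags policy.json entries that accept any caller through the "@", "[]" or empty-string forms, including via `rule:` aliases. The sample policy and its target names are constructed assumptions, and the sketch models rule evaluation only, not any authentication Keystone performs before the policy is consulted.

```python
import json

# Constructed sample policy file; rule and target names are assumptions.
SAMPLE_POLICY = json.loads("""
{
    "admin_required": "role:admin",
    "open": "@",
    "identity:list_identity_providers": "rule:open",
    "identity:list_protocols": [],
    "identity:get_identity_provider": "",
    "identity:create_identity_provider": "rule:admin_required",
    "identity:delete_identity_provider": "!",
    "identity:update_identity_provider": [["role:admin"], ["rule:open"]]
}
""")


def always_accepts(rule, policy, seen=()):
    """Return True if `rule` accepts regardless of the caller's credentials."""
    if isinstance(rule, list):
        # List form: the outer list is OR, each inner list is AND.
        if not rule:
            return True  # "[]" always accepts
        # Empty inner lists are skipped; a bare string is a one-item AND.
        alts = [[a] if isinstance(a, str) else a for a in rule if a]
        return any(
            all(always_accepts(c, policy, seen) for c in alt) for alt in alts
        )
    rule = rule.strip()
    if rule in ("", "@"):
        return True  # the empty string behaves like "@"
    kind, _, name = rule.partition(":")
    # Follow a plain "rule:<name>" alias, guarding against reference cycles.
    if kind == "rule" and " " not in rule and name in policy and name not in seen:
        return always_accepts(policy[name], policy, seen + (name,))
    # "!", role/field checks and compound "and"/"or"/"not" strings are not
    # flagged here; compound strings need manual review.
    return False


def open_targets(policy):
    """List every policy entry that accepts unconditionally."""
    return sorted(t for t, r in policy.items() if always_accepts(r, policy))


if __name__ == "__main__":
    for target in open_targets(SAMPLE_POLICY):
        print("always accepts:", target)
```

Running it over a deployment's policy file before and after a change shows which API targets have lost their role or ownership checks.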