[openstack-dev] [keystone] Configuring protected API functions to allow public access

Dolph Mathews dolph.mathews at gmail.com
Tue Aug 12 17:26:16 UTC 2014


On Tue, Aug 12, 2014 at 10:30 AM, Yee, Guang <guang.yee at hp.com> wrote:

> Hi Kristy,
>
> Have you tried the "[]" or "@" rule as mentioned here?
>

That still requires valid authentication though, just not any specific
authorization. I don't think we have a way to express truly public
resources in oslo.policy.


>
>
> https://github.com/openstack/keystone/blob/master/keystone/openstack/common/policy.py#L71
>
>
>
> Guang
>
>
> > -----Original Message-----
> > From: K.W.S.Siu [mailto:K.W.S.Siu at kent.ac.uk]
> > Sent: Tuesday, August 12, 2014 3:44 AM
> > To: openstack Mailing List
> > Subject: [openstack-dev] [keystone] Configuring protected API functions
> > to allow public access
> >
> > Hi All,
> >
> > Correct me if I am wrong but I don't think you can configure the
> > Keystone policy.json to allow public access to an API function, as far
> > as I can tell you can allow access to any authenticated user regardless
> > of role assignments but not public access.
> >
> > My use case is a client which allows users to query for a list of
> > supported identity providers / protocols so that the user can then
> > select which provider to authenticate with - as the user is
> > unauthenticated at the time of the query the request needs to allow
> > public access to the 'List Identity Providers' API function.
> >
> > I can remove the protected decorator from the required functions but
> > this is a nasty hack.
> >
> > I suggest that it should be possible to configure this kind of access
> > rule on a deployment by deployment basis and I was just hoping to get
> > some thoughts on this.
> >
> > Many thanks,
> > Kristy
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
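
Added example, not part of the original message and not Keystone's or oslo's code: a simplified Python model of the point made in the reply above, that an always-true policy rule ("[]" or "@") removes the authorization requirement but the request is still rejected when no valid token is presented. The token store, action names, the `protected` wrapper and the helper names are constructed for illustration.

```python
import functools

class Unauthorized(Exception):  # authentication failure, HTTP 401
    status = 401

class Forbidden(Exception):     # authorization failure, HTTP 403
    status = 403

# Constructed policy table in policy.json style.
POLICY = {
    "identity:list_identity_providers": "@",           # always-true rule
    "identity:delete_identity_provider": "role:admin",
}
# Constructed token store: token id -> credentials.
TOKENS = {"tok-noroles": {"roles": []}, "tok-admin": {"roles": ["admin"]}}

def check(rule, creds):
    """Evaluate one rule against credentials; unknown rules fail closed."""
    if rule in ("", "@", []):   # empty rule or "@" matches everything
        return True
    kind, _, match = rule.partition(":")
    return kind == "role" and match in creds["roles"]

def protected(action):
    """Model of a protected API call: authenticate first, then enforce policy."""
    def wrap(fn):
        @functools.wraps(fn)
        def inner(token=None):
            creds = TOKENS.get(token)
            if creds is None:
                # No valid token: rejected before the policy is consulted,
                # so no rule in POLICY can make this call public.
                raise Unauthorized(action)
            if not check(POLICY[action], creds):
                raise Forbidden(action)
            return fn()
        return inner
    return wrap

@protected("identity:list_identity_providers")
def list_identity_providers():
    return ["idp-example"]

@protected("identity:delete_identity_provider")
def delete_identity_provider():
    return "deleted"

def status(fn, token=None):
    """Return the HTTP-style status a call would produce."""
    try:
        fn(token)
        return 200
    except (Unauthorized, Forbidden) as exc:
        return exc.status
```
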