[openstack-dev] [all][policy][keystone] Better Policy Model and Representing Capabilites
Adam Young
ayoung at redhat.com
Tue Oct 14 19:25:46 UTC 2014
There are two distinct permissions to be managed:
1. What can the user do.
2. What actions can this token be used to do.
2. is a subset of 1.
Just because I, Adam Young, have the ability to destroy the golden image
I have up on glance does not mean that I want to delegate that ability
every time I use a token.
But that is exactly the mechanism we have today.
As a user, I should not be locked in to only delegating roles. A role
may say "you can read or modify an image" but I want to only delegate
the "Read" part when creating a new VM: I want Nova to be able to read
the image I specify.
Hence, I started a spec around "capabilities" which are I think, a
different check than for RBAC.
https://review.openstack.org/#/c/123726/
More information about the OpenStack-dev
mailing list