[openstack-dev] [all] making project_id optional in API URLs

michael mccune msm at redhat.com
Wed Dec 9 15:02:34 UTC 2015


On 12/08/2015 05:59 PM, Adam Young wrote:
> I think it is kindof irrelevant.  It can be there or not be there in the
> URL itself, so long as it does not show up in the service catalog. From
> an policy standpoint, having the project in the URL means that you can
> do an access control check without fetching the object from the
> database; you should, however, confirm that the object return belongs to
> the project at a later point.

from the policy standpoint does it matter if the project id appears in 
the url or in the headers?

mike




More information about the OpenStack-dev mailing list