[openstack-dev] [cinder] Nested Quota Driver and policy.json changes
Vilobh Meshram
vilobhmeshram.openstack at gmail.com
Wed Jul 22 04:42:49 UTC 2015
Hi,
While developing the Nested Quota Driver for Cinder, when performing
show/update/delete the following restrictions apply:
1. show : Only a user who is admin, or admin in the parent, or admin in the root
project should be able to show/view the quota of the leaf projects.
2. update : Only a user admin in the parent or admin in the root project should be
able to perform update.
3. delete : Only a user admin in the parent or admin in the root project should be
able to perform delete.
In order to get the parent information or child list in a nested hierarchy,
calls need to be made to keystone. So as part of these changes do we want
to introduce 2 new roles in cinder, one for project_admin and one for
root_admin, so that the token can be scoped at project/root level and only
the permissible operations at the respective levels as described above can
be allowed?
For example :-
A
|
B
|
C
cinder quota-update C (should only be permissible from B or A)
This can be achieved either by:
1. Introducing a project_admin or cloud_admin rule in policy.json and later
populating [1] with the respective target [2][3]. Minimises code changes and
gives operators the freedom to modify policy.json and tune changes
accordingly.
2. Not introducing these 2 roles in policy.json and just making code changes with
additional logic in code to handle this; but using this option we can go to
at most 1 level of hierarchy, as in order to fetch more parents we will need
to make a keystone call.
Need opinion on which option can be helpful in the long term.
-Vilobh
[1]
https://github.com/openstack/cinder/blob/master/cinder/api/contrib/quotas.py#L33
[2]
https://github.com/openstack/cinder/blob/master/cinder/api/extensions.py#L379
[3]
https://github.com/openstack/cinder/blob/master/cinder/api/contrib/quotas.py#L109
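The show/update/delete rules and the one-level limitation of option 2, worked through in code. This is an added example, not Cinder code or the author's driver; the project tree, the role assignments and the `max_depth` parameter are constructed assumptions standing in for what a real driver would fetch from Keystone.

```python
"""Added example (not Cinder code): the nested-quota authorization rules
from the mail, checked against a constructed A -> B -> C project tree."""

# Constructed hierarchy: child -> parent (the root project has parent None).
# In a real driver this comes from Keystone, which is the call option 2 avoids.
PROJECT_PARENTS = {"A": None, "B": "A", "C": "B"}

# Constructed role assignments: project -> users holding the admin role there.
ADMINS = {"A": {"root_admin"}, "B": {"b_admin"}, "C": {"c_admin"}}


def ancestors(project, parents=PROJECT_PARENTS, max_depth=None):
    """Ancestors of project, nearest first. max_depth=None walks to the root;
    max_depth=1 models option 2, where only the direct parent is known."""
    chain = []
    cur = parents.get(project)
    while cur is not None and (max_depth is None or len(chain) < max_depth):
        chain.append(cur)
        cur = parents.get(cur)
    return chain


def is_admin(user, project, admins=ADMINS):
    return user in admins.get(project, set())


def quota_allowed(user, action, target, parents=PROJECT_PARENTS,
                  admins=ADMINS, max_depth=None):
    """Apply the restrictions from the mail.

    show:          admin of the target, of its parent, or of the root project.
    update/delete: admin of the parent or of the root project only.
    """
    if action not in ("show", "update", "delete"):
        raise ValueError("unknown quota action: %s" % action)
    chain = ancestors(target, parents, max_depth)
    # Parent is the nearest ancestor, root the farthest one reached. With a
    # depth-limited walk the true root may never be reached, so a root admin
    # further up is not recognised: the limitation the mail describes.
    scopes = {chain[0], chain[-1]} if chain else set()
    if action == "show":
        scopes.add(target)
    return any(is_admin(user, p, admins) for p in scopes)
```

`quota_allowed("root_admin", "update", "C", max_depth=1)` is refused even though the same call without `max_depth` is permitted, which is the extra Keystone call option 2 trades away.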