Open Stack

On Jul 23, 2015, at 7:35, Adam Young <ayoung at redhat.com> wrote:

> What this means is the if a user is assigned "admin" on any project, they are assigned admin for everything.
> 
> Fixing this is going to require a change to how we write policy.
> 
> Each policy rule needs to have two parts:
> 
> 1.  Match the scoped of the token (project for everything that is not Keystone, project or domain for Keystone).
> 
> 2.  Match the role.

Thanks for bringing this up. If I understand correctly, you're saying we can fix this by modifying policy.json alone, right? There aren't any code changes required?

So far, for me it has worked fine for "admin" role to grant "admin" everywhere for the system administrators (no one else has "admin" role). But with the prospect of nested quota in nova, I think we would have a new rule for quota update that is, for example:

"quota_admin_rule": "role:quota_admin and project_id:%(project_id)s"
"admin_or_quota_admin": "role:admin or rule:quota_admin_rule"

"compute_extension:quotas:update": "rule:admin_or_quota_admin",
"compute_extension:quotas:delete": "rule:admin_or_quota_admin",
"os_compute_api:os-quota-sets:update": "rule:admin_or_quota_admin",
"os_compute_api:os-quota-sets:delete": "rule:admin_or_quota_admin",
"os_compute_api:os-quota-sets:detail": "rule:admin_or_quota_admin",

if I want system administrators and designated quota administrators of a project to be able to update quota. In keystone the quota admins will have the role "quota_admin" only in their projects.

Is that an example of the right way to scope "admin" in your view?

-melanie (irc: melwitt)





-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150723/3a3e6626/attachment.pgp>