[openstack-dev] [keystone] [nova] [oslo] [cross-project] Dynamic Policy
Sean Dague
sean at dague.net
Wed Jun 3 18:55:23 UTC 2015
On 06/03/2015 02:44 PM, David Chadwick wrote:
> In the design that we have been building for a policy administration
> database, we don't require a single policy in order to unify common
> concepts such as hierarchical attributes and roles between the different
> policies of OpenStack services. This is because policies and hierarchies
> are held separately and are linked via a many to many relationship. My
> understanding of Adam's primary requirement was that a role hierarchy,
> say, should be common across all OpenStack service policies, without
> this necessarily meaning you have to have one huge policy. And there is
> no requirement for Keystone to own all the policies. So each service
> could still own and manage its own policy, whilst having attribute
> hierarchies in common.
>
> Does this help?
>
> regards
>
> David
That part makes total sense. What concerned me is there was an
intermediary step that seemed like it was literally *one file*
(https://review.openstack.org/134656). That particular step I think is
unworkable.

By "common role hierarchy" do you mean namespaced roles for services?
Because if yes, definitely. And I think that's probably the first
concrete step moving the whole thing forward, which should be doable on
the existing static json definitions.

-Sean
--
Sean Dague
http://dague.net