[openstack-dev] [cross-project] RBAC Policy Basics
Osanai, Hisashi
osanai.hisashi at jp.fujitsu.com
Fri Jun 19 05:08:03 UTC 2015
Adam,
Thank you for the information RBAC Policy Basics.
Thursday, June 18, 2015 1:47 AM, Adam Young wrote:
> However, we have found a need to have a global override. This is a way a cloud admin that can go into any API anywhere and fix things.
> This means that Glance, Neutron, Nova, and Keystone should be able to share a policy file.
What situations does a shared policy file require?
For example, there are policy files for Nova and Cinder and they have same targets such as
"context_is_admin", "admin_or_owner" and "default".
(1) load both policy.json files on a server process then the targets will be overridden by 2nd loaded policy.json.
A cloud admin changes the 2nd policy.json only.
(2) A cloud admin changes the targets in different policy.json files at one time.
Did you mention about case(2)?
Nova: https://github.com/openstack/nova/blob/master/etc/nova/policy.json
Cinder: https://github.com/openstack/cinder/blob/master/etc/cinder/policy.json
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
BTW, I sent the following email in this list. I think I found right person who
can answer my question? :-)
http://lists.openstack.org/pipermail/openstack-dev/2015-May/063915.html
- HTTP_X_SERVICE_ROLES handling in _checks.py
Thanks in advance,
Hisashi Osanai
More information about the OpenStack-dev
mailing list