[openstack-dev] [cross-project] RBAC Policy Basics

Osanai, Hisashi osanai.hisashi at jp.fujitsu.com
Mon Jun 22 04:41:58 UTC 2015

On Saturday, June 20, 2015 11:16 AM, Adam Young wrote: 
> > What situations does a shared policy file require?
> > For example, there are policy files for Nova and Cinder and they have
> > same targets such as
> > "context_is_admin", "admin_or_owner" and "default".
> A lot of these internal rules most likely should  be removed.  They do
> conflict, with differenet interpretations between the proejcts. They are
> also confusing two different things:  scope and role./  I think we
> should make it a point to keep them separate.

I don't understand why you think it as conflicts. They use same target name
such as "context_is_admin", "admin_or_owner" and "default" but they use them
on different processes. I might have mis-understanding here but for me there
is no conflict.

> > http://lists.openstack.org/pipermail/openstack-dev/2015-May/063915.html
> > - HTTP_X_SERVICE_ROLES handling in _checks.py
> I've missed there there was another  push for "Service specif roles" out
> there.  We've been trying to make the concpet slighly more general by
> saying that we were going to namespace roles, and that a Service would
> be one potential namwspacing.  Henry Nash had proposed Domain Specific
> roles, in case you were wondering what else would need to be namespaced.
> https://review.openstack.org/#/c/133855/

I like your thought " the concpet slighly more general" and it becomes a
solution for my issue.

My concern now is:
* Service Tokens was implemented in Juno [1] but now we are not able to
  Implement it with Oslo policy without extensions so far. 
* I think to implement spec[2] needs more time.

[1] https://github.com/openstack/keystone-specs/blob/master/specs/keystonemiddleware/implemented/service-tokens.rst
[2] https://review.openstack.org/#/c/133855/

Is there any way to support spec[1] in Oslo policy? Or
Should I wait for spec[2]?

Thanks in advance,
Hisashi Osanai

More information about the OpenStack-dev mailing list