[openstack-dev] [cross-project] RBAC Policy Basics
osanai.hisashi at jp.fujitsu.com
Mon Jun 22 04:41:58 UTC 2015
On Saturday, June 20, 2015 11:16 AM, Adam Young wrote:
> > What situations does a shared policy file require?
> > For example, there are policy files for Nova and Cinder and they have
> > same targets such as
> > "context_is_admin", "admin_or_owner" and "default".
> A lot of these internal rules most likely should be removed. They do
> conflict, with differenet interpretations between the proejcts. They are
> also confusing two different things: scope and role./ I think we
> should make it a point to keep them separate.
I don't understand why you think it as conflicts. They use same target name
such as "context_is_admin", "admin_or_owner" and "default" but they use them
on different processes. I might have mis-understanding here but for me there
is no conflict.
> > http://lists.openstack.org/pipermail/openstack-dev/2015-May/063915.html
> > - HTTP_X_SERVICE_ROLES handling in _checks.py
> I've missed there there was another push for "Service specif roles" out
> there. We've been trying to make the concpet slighly more general by
> saying that we were going to namespace roles, and that a Service would
> be one potential namwspacing. Henry Nash had proposed Domain Specific
> roles, in case you were wondering what else would need to be namespaced.
I like your thought " the concpet slighly more general" and it becomes a
solution for my issue.
My concern now is:
* Service Tokens was implemented in Juno  but now we are not able to
Implement it with Oslo policy without extensions so far.
* I think to implement spec needs more time.
Is there any way to support spec in Oslo policy? Or
Should I wait for spec?
Thanks in advance,
More information about the OpenStack-dev