[openstack-dev] [cross-project] RBAC Policy Basics

Adam Young ayoung at redhat.com
Mon Jun 22 15:13:33 UTC 2015

On 06/22/2015 12:41 AM, Osanai, Hisashi wrote:
> On Saturday, June 20, 2015 11:16 AM, Adam Young wrote:
>>> What situations does a shared policy file require?
>>> For example, there are policy files for Nova and Cinder and they have
>>> same targets such as
>>> "context_is_admin", "admin_or_owner" and "default".
>> A lot of these internal rules most likely should be removed.  They do
>> conflict, with different interpretations between the projects. They are
>> also confusing two different things:  scope and role.  I think we
>> should make it a point to keep them separate.
> I don't understand why you think it as conflicts. They use same target name
> such as "context_is_admin", "admin_or_owner" and "default" but they use them
> on different processes. I might have mis-understanding here but for me there
> is no conflict.

It is not an issue if you keep each of the policy files completely 
separate, but it means that each service has its own meaning for the 
same name, and that confuses operators; "owner" in Nova means "a user 
that has a role on this project", whereas "owner" in Keystone means 
"objects associated with a specific user".

>>> http://lists.openstack.org/pipermail/openstack-dev/2015-May/063915.html
>>> - HTTP_X_SERVICE_ROLES handling in _checks.py
>> I've missed that there was another push for "Service specific roles" out
>> there.  We've been trying to make the concpet slighly more general by
>> saying that we were going to namespace roles, and that a Service would
>> be one potential namespacing.  Henry Nash had proposed Domain Specific
>> roles, in case you were wondering what else would need to be namespaced.
>> https://review.openstack.org/#/c/133855/
> I like your thought " the concpet slighly more general" and it becomes a
> solution for my issue.
Wow, I typoed this.  Glad it was still comprehensible.

> My concern now is:
> * Service Tokens was implemented in Juno [1] but now we are not able to
>    implement it with Oslo policy without extensions so far.
> * I think to implement spec[2] needs more time.
> [1] https://github.com/openstack/keystone-specs/blob/master/specs/keystonemiddleware/implemented/service-tokens.rst
> [2] https://review.openstack.org/#/c/133855/
> Is there any way to support spec[1] in Oslo policy? Or
> Should I wait for spec[2]?

I'm sorry, I am not sure what you are asking.
> Thanks in advance,
> Hisashi Osanai
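As an added illustration of the "owner" divergence described above (this is example code, not code from the thread or from either project): the two policy fragments are constructed to approximate the Kilo-era defaults of Nova and Keystone, and the small evaluator covers only the subset of oslo.policy syntax those fragments use (`rule:`, `role:`, generic `key:value` / `key:%(attr)s` checks joined by `or`/`and`).

```python
# Constructed policy fragments approximating Kilo-era Nova and Keystone defaults
# (assumption, not copied from either project's policy.json).
NOVA_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
}
KEYSTONE_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "default": "rule:admin_required",
}


def check(rules, expr, target, creds):
    """Evaluate a subset of oslo.policy syntax ('and' binds tighter than 'or';
    no parentheses or 'not'). Generic checks compare a credential attribute,
    as a string, against the literal or the %(attr)s substituted from target."""
    if " or " in expr:
        return any(check(rules, p, target, creds) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(rules, p, target, creds) for p in expr.split(" and "))
    kind, _, match = expr.partition(":")
    if kind == "rule":
        return check(rules, rules[match], target, creds)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        match = match % target          # fill in %(attr)s from the target object
    except KeyError:
        return False                    # target lacks the attribute: deny
    return kind in creds and match == str(creds[kind])


def enforce(rules, rule_name, target, creds):
    return check(rules, rules[rule_name], target, creds)


def compare_owner_semantics(creds, target):
    """Same rule name, two policy files: returns (nova_allows, keystone_allows)."""
    return (enforce(NOVA_POLICY, "admin_or_owner", target, creds),
            enforce(KEYSTONE_POLICY, "admin_or_owner", target, creds))


if __name__ == "__main__":
    # Constructed scenario: bob holds a role on project p1; the object was created by alice in p1.
    bob = {"user_id": "bob", "project_id": "p1", "roles": ["member"], "is_admin": False}
    obj = {"user_id": "alice", "project_id": "p1"}
    print(compare_owner_semantics(bob, obj))   # (True, False): "owner" means different things
```

Under Nova's reading bob is an owner because he has a role on the project; under Keystone's he is not, because the object belongs to alice. Operators reading one name across both files see two different access decisions.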
