[openstack-dev] [keystone] On dynamic policy, role hierarchies/groups/sets etc.
Adam Young
ayoung at redhat.com
Fri May 8 01:55:38 UTC 2015
On 05/06/2015 06:54 PM, Hu, David J (Converged Cloud) wrote:
> david8hu> One of the first thing we have to do is get all of our
> glossary straight J I am starting to hear about “capability”. Are we
> talking about “rule” in oslo policy terms? Or “action” in nova policy
> terms? Or this is something new. For example,
> “compute:create_instance” is a “rule” in oslo.policy enforce(…)
> definition, “compute:create_instance” is an “action” in nova.policy
> enforce(…) definition.
By capability, I ( think I ) mean Action in Nova terms, as I am trying
to exclude the internal rules that policy lets you define. However, to
further muddy the water, you can actually enforce on one of these
rules./ For example, the Keystone server enforces on "admin_required"
for the V2 API.
The term capability has been thrown around a few times and I picked it
up. Really what I want to delineate is the point in the code at which
policy gets enforced.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150507/efe3978a/attachment.html>
More information about the OpenStack-dev
mailing list