[openstack-dev] [Keystone][Nova] Any Code Examples of Other Services Using Keystone Policy?

Sean Dague sean at dague.net
Fri May 6 10:51:41 UTC 2016


On 05/05/2016 06:03 PM, Dan Smith wrote:
>> I'm currently working on the spec for Project ID Validation in Nova
>> using Keystone. The outcome of the Design Summit Session was that the
>> Nova service user would use the Keystone policy to establish whether the
>> requester had access to the project at all to verify the id. I was
>> wondering if there were any code examples of a non-Keystone service
>> using the Keystone policy in this way?
>>
>> Also if I misunderstood something, please feel free to correct me or to
>> clarify!
> 
> Just to clarify, the outcome as I understood it is:
> 
> /Instead/ of a Nova service user, Nova should use the credentials of the
> user doing the quota manipulation to authenticate a request to keystone
> to check for the presence of the target user. That means doing a HEAD or
> GET on the tenant in keystone using the credentials provided to Nova for
> the quota operation. The only Keystone policy involved is making sure
> that the user has permission to do that HEAD or GET operation (which is
> really just a deployment thing).

Right, that's how I remember it.

The important additional piece of information is that these commands are Nova
admin commands, so they set quota for other users.

I think the important next step forward here is to actually see what the
code looks like, as the actual code to check against keystone is going
to go right here -
https://github.com/openstack/nova/blob/8a93fd13786358f882a53e0bf104eeed23541465/nova/api/openstack/compute/quota_sets.py#L107

And needs to function with what we have at hand, which is a project_id
and a nova.context.

	-Sean

-- 
Sean Dague
http://dague.net
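A sketch of the check the thread describes, added here as an example and not code from Nova or Keystone: the requester's own token (in Nova that would come from the nova.context passed into quota_sets.py, which is assumed here to carry the auth token and is instead passed in explicitly) is used to GET /v3/projects/{id} on an assumed Keystone v3 endpoint. A 200 means the project exists, a 404 means it does not, and a 401/403 means the deployment's Keystone policy refused the lookup, which is deliberately reported as "denied" rather than treated as "no such project". The HTTP transport is injectable so the block runs offline against a constructed fake Keystone.

```python
"""Validate a quota target project_id against Keystone with the caller's own token.

Added example, not code from Nova or Keystone. Assumes a Keystone v3 endpoint
and a token taken from the request context (in Nova the nova.context
RequestContext is assumed to carry the token; here it is passed in directly).
The HTTP transport is injectable so the example runs offline against a fake.
"""
import urllib.error
import urllib.parse
import urllib.request


class ProjectLookupDenied(Exception):
    """Keystone policy refused the lookup: existence is unknown, not false."""


def urllib_get_status(url, headers):
    """Real transport: GET the URL with the given headers and return the HTTP status.

    Only the status code is used; a 4xx is returned rather than raised so the
    caller can interpret it.
    """
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def project_exists(keystone_url, auth_token, project_id, transport=urllib_get_status):
    """True/False for whether project_id exists, as seen by the token's owner.

    GET /v3/projects/{id} is sent with the requester's own X-Auth-Token, so the
    answer is bounded by what the deployment's Keystone policy lets that user
    see. 200 -> exists, 404 -> does not; 401/403 mean the lookup itself was
    refused, so raise instead of guessing.
    """
    # Quote the id as a single path segment so a hostile value cannot escape
    # /v3/projects/ with '/', '?' or '..'.
    path_id = urllib.parse.quote(project_id, safe="")
    url = "%s/v3/projects/%s" % (keystone_url.rstrip("/"), path_id)
    status = transport(url, {"X-Auth-Token": auth_token})
    if status == 200:
        return True
    if status == 404:
        return False
    if status in (401, 403):
        raise ProjectLookupDenied("Keystone returned %d for %s" % (status, url))
    raise RuntimeError("unexpected Keystone status %d for %s" % (status, url))


def check_quota_target(keystone_url, auth_token, project_id, transport=urllib_get_status):
    """Decision for a quota update aimed at project_id: 'ok', 'no-such-project' or 'denied'."""
    try:
        if project_exists(keystone_url, auth_token, project_id, transport):
            return "ok"
        return "no-such-project"
    except ProjectLookupDenied:
        return "denied"


# Constructed fake Keystone for offline use (not a real deployment): two
# project ids exist, the admin token may GET any project, the member token is
# refused by policy (403) and an unknown token is unauthenticated (401).
FAKE_PROJECTS = {
    "0123456789abcdef0123456789abcdef",
    "fedcba9876543210fedcba9876543210",
}
FAKE_TOKENS = {"admin-token": "admin", "member-token": "member"}


def fake_transport(url, headers):
    """Stand-in for urllib_get_status that answers from the constructed data above."""
    role = FAKE_TOKENS.get(headers.get("X-Auth-Token"))
    if role is None:
        return 401
    if role != "admin":
        return 403
    project_id = urllib.parse.unquote(url.rsplit("/", 1)[1])
    return 200 if project_id in FAKE_PROJECTS else 404


if __name__ == "__main__":
    cases = [
        ("admin-token", "0123456789abcdef0123456789abcdef"),
        ("admin-token", "00000000000000000000000000000000"),
        ("member-token", "0123456789abcdef0123456789abcdef"),
        ("admin-token", "../users"),
    ]
    for token, pid in cases:
        result = check_quota_target("http://keystone:5000", token, pid, fake_transport)
        print("%-12s %-34s -> %s" % (token, pid, result))
```

The three-way result matters for the quota API: only "no-such-project" should become a 404 on the quota call, while "denied" reflects the deployment's Keystone policy for that user and should be surfaced as an authorization failure, not as the project being absent.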
