[openstack-dev] [Keystone][Nova] Any Code Examples of Other Services Using Keystone Policy?

Sean Dague sean at dague.net
Fri May 6 10:51:41 UTC 2016

On 05/05/2016 06:03 PM, Dan Smith wrote:
>> I'm currently working on the spec for Project ID Validation in Nova
>> using Keystone. The outcome of the Design Summit Session was that the
>> Nova service user would use the Keystone policy to establish whether the
>> requester had access to the project at all to verify the id. I was
>> wondering if there were any code examples of a non-Keystone service
>> using the Keystone policy in this way?
>> Also if I misunderstood something, please feel free to correct me or to
>> clarify!
> Just to clarify, the outcome as I understood it is:
> /Instead/ of a Nova service user, Nova should use the credentials of the
> user doing the quota manipulation to authenticate a request to keystone
> to check for the presence of the target user. That means doing a HEAD or
> GET on the tenant in keystone using the credentials provided to Nova for
> the quota operation. The only Keystone policy involved is making sure
> that the user has permission to do that HEAD or GET operation (which is
> really just a deployment thing).

Right, that's how I remember it.

The important additional piece of information is these commands are Nova
admin commands, so setting quota for other users.

I think the important next step forward here is to actually see what the
code looks like, as the actual code to check against keystone is going
to go right here -

And needs to function with what we have at hand, which is a project_id
and a nova.context.


Sean Dague
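The lookup Dan and Sean describe, as an added Python example that is not Nova or Keystone code: it issues GET /v3/projects/{id} with the requester's own token and treats a 401/403 as a policy denial rather than as a missing project. The nova.context field names, the identity URL, the tokens and the fake Keystone backend are constructed assumptions, and the HTTP call is injected so the sample runs offline (a keystoneauth1 Session would normally fill that role).

```python
import json
from collections import namedtuple
from urllib.parse import quote

# Stand-in for the two nova.context fields the check needs (assumed names).
RequestContext = namedtuple("RequestContext", ["auth_token", "project_id"])

class IdentityDenied(Exception):
    """Keystone would not let this caller look the project up (401/403)."""

def project_exists(ctxt, project_id, identity_url, http_request):
    """GET /v3/projects/{id} with the caller's own token; True/False on 200/404.

    http_request(method, url, headers) -> (status, body) is injected so the
    example runs offline; a keystoneauth1 Session would normally fill that role.
    """
    if not project_id:
        raise ValueError("project_id must be non-empty")
    # Quote the id so a crafted value cannot alter the request path.
    url = "%s/v3/projects/%s" % (identity_url.rstrip("/"), quote(project_id, safe=""))
    status, _body = http_request("GET", url, {"X-Auth-Token": ctxt.auth_token})
    if status == 200:
        return True
    if status == 404:
        return False
    if status in (401, 403):
        # Policy denied the lookup: do NOT report this as "project is missing".
        raise IdentityDenied("keystone returned %d for %s" % (status, project_id))
    raise RuntimeError("unexpected keystone status %d" % status)

# --- Constructed fake Keystone so the check can be exercised offline --------
IDENTITY_URL = "https://keystone.example"               # constructed
ADMIN_TOKEN, MEMBER_TOKEN = "tok-admin", "tok-member"   # constructed
KNOWN_PROJECTS = {"p-admin", "p-member"}                # constructed ids

def fake_keystone(method, url, headers):
    token = headers.get("X-Auth-Token")
    if token not in (ADMIN_TOKEN, MEMBER_TOKEN):
        return 401, ""
    prefix = IDENTITY_URL + "/v3/projects/"
    if method not in ("GET", "HEAD") or not url.startswith(prefix):
        return 404, ""
    pid = url[len(prefix):]
    # Mimics the default identity:get_project policy: admins, or members of that project.
    if token == MEMBER_TOKEN and pid != "p-member":
        return 403, ""
    return (200, json.dumps({"project": {"id": pid}})) if pid in KNOWN_PROJECTS else (404, "")

if __name__ == "__main__":
    admin = RequestContext(ADMIN_TOKEN, "p-admin")
    print(project_exists(admin, "p-member", IDENTITY_URL, fake_keystone))  # True
    print(project_exists(admin, "missing", IDENTITY_URL, fake_keystone))   # False
```

A non-admin caller hitting 403 is exactly the "deployment thing" the thread mentions: whether the check works for a given user is decided by Keystone's policy, not by Nova.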
