[Openstack-operators] [Glance] Default policy in policy.json

Abel Lopez alopgeek at gmail.com
Fri Jun 17 16:46:47 UTC 2016


By setting default to admin, won't we be overly restrictive?
I see that "add_image, download_image" are both set to "", which I assume means default, which means admin.
If that's correct, then no regular project users will be able to create images, or worse, launch instances.
I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.

> On Jun 17, 2016, at 9:27 AM, Bunting, Niall <niall.bunting at hpe.com> wrote:
> 
> Hi,
> 
> 
> Glance is planning to implement the patch [1], which affects the value of the 'default' policy.
> 
> 
> This would make the following change in the policy.json:
> 
> - "default": ""
> 
> + "default": "role:admin" (or to "!" to restrict everybody)
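
Review bot: the "+" line still carries two candidate values, "role:admin" and, in the parenthetical, "!", so the change as posted does not yet say what "default" will be. Settle on one value in the patch, and add a comment or release note beside it stating that the new value applies to any policy that is not explicitly stated in policy.json, so operators know which actions to list before upgrading.
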
> 
> 
> We are just wondering if the operators have any reason not to make this change? As our thinking is that this would be more restrictive for new policies, to stop users accidentally getting additional permissions when a policy is not explicitly stated. However, we may have overlooked something else.
> 
> 
> Also, which would be preferred, "role:admin" or "!"? Brian points out on [1] that "!" would, in effect, notify the admins that a policy is not defined, as they would be unable to perform the action themselves.
> 
> 
> Thanks,
> 
> Niall
> 
> 
> 1. https://review.openstack.org/#/c/330443/
> 
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
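
The effect of the three candidate values for "default" discussed in this thread, as an added example that is not part of the original messages or of Glance's code: a simplified model of oslo.policy rule evaluation (only "", "@", "!", role:, rule: and "or"), run over a constructed policy.json. It assumes oslo.policy's semantics that an empty rule always passes and that "default" is consulted only for actions with no entry of their own; the role names and "unlisted_action" are hypothetical.

```python
import json

# Constructed sample, not Glance's shipped policy.json.
SAMPLE_POLICY = json.loads("""{
    "default": "",
    "add_image": "",
    "download_image": "",
    "publicize_image": "role:admin"
}""")

# Constructed callers; the role names are assumptions.
USERS = {"member": {"member"}, "admin": {"admin"}}


def check(rule, roles, rules, depth=0):
    """Evaluate a rule string: "", "@", "!", role:X, rule:X, joined by " or "."""
    rule = rule.strip()
    if rule in ("", "@"):      # empty rule or "@": always allow
        return True
    if rule == "!":            # always deny, admins included
        return False
    if depth > 16:
        raise ValueError("rule references nest too deeply (cycle?)")
    if " or " in rule:
        return any(check(p, roles, rules, depth + 1) for p in rule.split(" or "))
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule":         # a reference to a missing rule denies
        return value in rules and check(rules[value], roles, rules, depth + 1)
    raise ValueError("unsupported check in this model: %r" % rule)


def enforce(action, roles, rules):
    """Use the action's own entry; fall back to "default" only when it has none."""
    rule = rules.get(action, rules.get("default"))
    return False if rule is None else check(rule, roles, rules)


def matrix(default_value, actions, policy=SAMPLE_POLICY):
    """Who may do what once "default" is set to default_value."""
    rules = dict(policy, default=default_value)
    return {a: {who: enforce(a, roles, rules) for who, roles in USERS.items()}
            for a in actions}


if __name__ == "__main__":
    # "unlisted_action" is a hypothetical action with no entry in the file.
    for value in ("", "role:admin", "!"):
        print(repr(value), matrix(value, ["add_image", "unlisted_action"]))
```
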
