[Openstack-operators] [Glance] Default policy in policy.json

Bunting, Niall niall.bunting at hpe.com
Fri Jun 17 16:56:14 UTC 2016


> By setting default to admin, won't we be overly restrictive?
> I see that "add_image, download_image" are both set to "", which I assume means default, which means admin.
> If that's correct, then no regular project users will be able to create images, or worse, launch instances.
> I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.


An empty string means everybody. So this would not affect download_image etc. The default only applies when the policy does not exist in the file. For example, a new policy is added and the policy.json is not updated.


Niall

________________________________
From: Abel Lopez <alopgeek at gmail.com>
Sent: 17 June 2016 17:46:47
To: Bunting, Niall
Cc: openstack-operators at lists.openstack.org
Subject: Re: [Openstack-operators] [Glance] Default policy in policy.json

By setting default to admin, won't we be overly restrictive?
I see that "add_image, download_image" are both set to "", which I assume means default, which means admin.
If that's correct, then no regular project users will be able to create images, or worse, launch instances.
I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.

> On Jun 17, 2016, at 9:27 AM, Bunting, Niall <niall.bunting at hpe.com> wrote:
>
> Hi,
>
>
> Glance is planning to implement the patch [1], which affects the value of the 'default' policy.
>
>
> This would make the following change in the policy.json:
>
> - "default": ""
>
> + "default": "role:admin" (or to "!" to restrict everybody)
>
>
> We are just wondering if the operators have any reason not to make this change? As our thinking is that this would be more restrictive for new policies, to stop users accidentally getting additional permissions when a policy is not explicitly stated. However, we may have overlooked something else.
>
>
> Also which would be preferred "role:admin" or "!"? Brian points out on [1] that "!" would in effect, notify the admins that a policy is not defined as they would be unable to perform the action themselves.
>
>
> Thanks,
>
> Niall
>
>
> 1. https://review.openstack.org/#/c/330443/
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
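The behaviour Niall describes above (an explicit `""` rule stays wide open, and `"default"` is consulted only for an action that has no entry of its own) is easy to check with a small model of rule evaluation. The script below is an added illustration, not oslo.policy or Glance code: it models only the rule forms named in the thread (`""`, `"!"`, `"role:<name>"`, `"rule:<name>"`) plus an `or` connective, the three policy.json fragments are constructed for the example, and `some_new_action` is a placeholder for a policy added to Glance after the operator's policy.json was written.

```python
"""Minimal model of how a policy.json 'default' rule is applied.

Added illustration, not oslo.policy or Glance code. It follows the rule
Niall states in the thread: an explicit rule is used as written, and
'default' is consulted only when an action has no entry of its own.
"""
import json


def load_policy(text):
    """Parse a policy.json document (a flat mapping of rule name -> rule string)."""
    return json.loads(text)


def check_rule(rule, roles, policy, depth=0):
    """Evaluate one rule string against the caller's list of role names."""
    if depth > 10:
        raise ValueError("rule recursion too deep (cyclic rule: reference?)")
    rule = rule.strip()
    if rule == "" or rule == "@":
        return True                      # empty rule (or "@"): everybody passes
    if rule == "!":
        return False                     # "!": nobody passes, admins included
    if " or " in rule:                   # disjunction, e.g. "role:admin or rule:owner"
        return any(check_rule(part, roles, policy, depth + 1)
                   for part in rule.split(" or "))
    if rule.startswith("role:"):
        return rule[len("role:"):] in roles
    if rule.startswith("rule:"):
        name = rule[len("rule:"):]
        if name not in policy:
            return False                 # a reference to an undefined rule never matches
        return check_rule(policy[name], roles, policy, depth + 1)
    raise ValueError("unsupported rule syntax in this model: %r" % rule)


def is_allowed(policy, action, roles):
    """Apply the rule for `action`; fall back to 'default' only if it is absent."""
    if action in policy:
        rule = policy[action]
    elif "default" in policy:
        rule = policy["default"]
    else:
        rule = "!"                       # modelled choice: no 'default' at all means deny
    return check_rule(rule, roles, policy)


def actions_using_default(policy, enforced_actions):
    """Operator check: which enforced actions have no explicit entry in the file?"""
    return sorted(a for a in enforced_actions if a not in policy)


# Constructed policy.json contents for the example, not Glance's shipped file.
OLD_POLICY = load_policy('{"default": "", "add_image": "", "download_image": ""}')
NEW_POLICY_ADMIN = load_policy('{"default": "role:admin", "add_image": "", "download_image": ""}')
NEW_POLICY_DENY = load_policy('{"default": "!", "add_image": "", "download_image": ""}')

# "some_new_action" is a placeholder for a policy Glance started enforcing
# after this policy.json was written; it is not a real Glance policy name.
ENFORCED = ["add_image", "download_image", "some_new_action"]


def demo():
    """Return the outcomes that matter for the thread's question."""
    member, admin = ["member"], ["admin"]
    return {
        "explicit empty rule unaffected by default": is_allowed(NEW_POLICY_ADMIN, "add_image", member),
        "old default: member gets unlisted action": is_allowed(OLD_POLICY, "some_new_action", member),
        "admin default: member blocked": is_allowed(NEW_POLICY_ADMIN, "some_new_action", member),
        "admin default: admin allowed": is_allowed(NEW_POLICY_ADMIN, "some_new_action", admin),
        "! default: even admin blocked": is_allowed(NEW_POLICY_DENY, "some_new_action", admin),
        "actions falling through to default": actions_using_default(NEW_POLICY_ADMIN, ENFORCED),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-45s %s" % (label, result))
```

The last entry of `demo()` is the check an operator would actually want to run after upgrading: feed it the actions the service enforces and the file as deployed, and anything it lists is governed by `"default"` rather than by a rule somebody chose.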



