[Openstack] [openstack-dev][cinder] Nested Quota Driver and policy.json changes
Adam Young
ayoung at redhat.com
Thu Jul 23 03:23:27 UTC 2015
On 07/22/2015 12:42 AM, Vilobh Meshram wrote:
> Hi,
>
> While developing Nested Quota Driver for Cinder, when performing
> show/update/delete following restrictions apply :-
>
> 1. show : Only user who is admin or admin in parent or admin in root
> project should be able to perform show/view the quota of the leaf
> projects.
>
> 2. update : Only user admin in parent or admin in root project should
> be able to perform update.
>
> 3. delete : Only user admin in parent or admin in root project should
> be able to perform delete.
>
> In order to get the parent information or child list in nested
> hierarchy calls need to be made to keystone. So as part of these
> changes do we want to introduce 2 new roles in cinder one for
> project_admin and one for root_admin so that the token can be scoped
> at project/root level and only the permissible operation at the
> respective levels as described above can be allowed.
>
> For example :-
>
> A
> |
> B
> |
> C
>
> cinder quota-update C (should only be permissible from B or A)
>
> This can achieved either by :-
> 1. Introducing project_admin or cloud_admin rule in policy.json and
> later populate the [1] with respective target[2][3]. Minimises code
> changes and gives the freedom to operators to modify policy.json and
> tune changes accordingly.
> 2. Not introduce these 2 roles in policy.json by just make code
> changes and additional logic in code to handle this but using this
> option we can go to at max 1 level of hierarchy as in-order to fetch
> more parent we will need to make a keystone call.
Try to think of the token scoping to the thing you are querying; if you
can avoid having to know the hierarchy, policy will be clearer and easier
to enforce.
I think it is safer to make a user get a token scoped to the project
they want to query than to use a parent project token.
>
> Need opinion on which option can be helpful in longterm.
>
> -Vilobh
> [1]
> https://github.com/openstack/cinder/blob/master/cinder/api/contrib/quotas.py#L33
> [2]
> https://github.com/openstack/cinder/blob/master/cinder/api/extensions.py#L379
> [3]
> https://github.com/openstack/cinder/blob/master/cinder/api/contrib/quotas.py#L109
>
>
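To make the trade-off in the thread concrete, here is a small stand-alone model of the three enforcement styles under discussion, using the A -> B -> C tree from Vilobh's example. It is added here as an illustration and is not code from the thread, from Cinder or from oslo.policy; the `PARENT_OF` table stands in for the Keystone calls that would normally resolve parents, and `max_depth` models option 2's limit of one hierarchy level.

```python
# Constructed project tree: A is the root, B its child, C a grandchild of A.
# In a real deployment each upward hop is a call to Keystone.
PARENT_OF = {"A": None, "B": "A", "C": "B"}


def ancestors(project_id, max_depth=None):
    """Return the ancestor chain of project_id, nearest parent first.

    max_depth=None walks to the root (option 1, needs Keystone for every hop);
    max_depth=1 knows only the immediate parent (option 2 in the thread).
    """
    chain = []
    parent = PARENT_OF.get(project_id)
    while parent is not None and (max_depth is None or len(chain) < max_depth):
        chain.append(parent)
        parent = PARENT_OF.get(parent)
    return chain


def hierarchy_rule(token, target_project, action, max_depth=None):
    """Parent/root-admin rule from the thread.

    show: admin in the target project, any ancestor, or the root may view.
    update/delete: only admin in an ancestor (parent or root) may change.
    """
    if "admin" not in token["roles"]:
        return False
    allowed = set(ancestors(target_project, max_depth))
    if action == "show":
        allowed.add(target_project)
    return token["project_id"] in allowed


def scoped_rule(token, target_project, action):
    """Adam's suggestion: require a token scoped to the project being queried.

    No hierarchy lookup is needed; the policy is just 'admin on the target'.
    """
    return token["project_id"] == target_project and "admin" in token["roles"]


if __name__ == "__main__":
    b_admin = {"project_id": "B", "roles": ["admin"]}
    a_admin = {"project_id": "A", "roles": ["admin"]}
    print(hierarchy_rule(b_admin, "C", "update"))               # True
    print(hierarchy_rule(a_admin, "C", "update", max_depth=1))  # False
    print(scoped_rule({"project_id": "C", "roles": ["admin"]}, "C", "update"))  # True
```

Note that with `max_depth=1` the root admin in A loses the ability to update C, which is exactly the limitation Vilobh describes for option 2.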