Hello, Dolph. On Wed, Nov 20, 2013 at 8:42 PM, Dolph Mathews <[email protected]>wrote:
> > On Wed, Nov 20, 2013 at 10:24 AM, Yuriy Taraday <[email protected]>wrote: > >> >> context.is_admin should not be checked directly from code, only through >> policy rules. It should be set only if we need to elevate privileges from >> code. That should be the meaning of it. >> > > is_admin is a short sighted and not at all granular -- it needs to die, so > avoid imitating it. > I suggest keeping it in case we need to elevate privileges from code. In this case we can't rely on roles so just one flag should work fine. As I said before, we should avoid setting or reading is_admin directly from code. It should be set only in context.elevated and read only by "admin_required" policy rule. Does this sound reasonable? -- Kind regards, Yuriy.
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
