The work described below has been completed with a few changes from the original description. This change is for nova only.

1. The require_admin_context has been removed in cases where it overrode the policy set in policy.json.
2. Error handling has been cleaned up. All calls should return an HTTP 403 when a policy check fails.
3. A number of APIs which were grouped together under a single policy have been broken out so more granular policies can be defined.

The default rule still exists. Blank rules in the policy.json still default to true. This was done to maintain backward compatibility.

The change is https://review.openstack.org/#/c/32762

It still needs one more core reviewer to approve it.

From: Michael J Fork [mailto:[email protected]]
Sent: Wednesday, May 01, 2013 3:57 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] view-only use case but APIs are admin-only

"Bak, Ed (HPCS Fort Collins)" <[email protected]> wrote on 04/25/2013 12:58:07 PM:

> From: "Bak, Ed (HPCS Fort Collins)" <[email protected]>
> To: OpenStack Development Mailing List <[email protected]>,
> Date: 04/25/2013 03:18 PM
> Subject: Re: [openstack-dev] view-only use case but APIs are admin-only
>
> We also have a need for various explicit roles which we can’t put in place because of this issue. I have also noticed cases where certain rules aren’t granular enough and several places where an incorrect policy returns an HTTP 500 instead of an HTTP 403. I’m willing to fix all of this but I would like some buy in on a solution before I submit the code in order to minimize rework. I can turn this discussion into a blueprint if that is more appropriate. I would like to propose the following;
>
> 1. Remove the require_admin_context everywhere. Access to actions will then only be controlled through roles specified through policy.json.
> 2. Fix the cases where a single rule can apply to multiple actions. In most cases the groupings make sense, but making things as granular as possible will allow everyone to define rules and roles in the most flexible way possible.
> 3. Fix the error handling so that invalid permissions always return a 403.
> 4. Remove the concept of a default rule. In order to avoid inadvertently opening up any current admin only functions, the default behavior when a rule is not specified should be a failure (or maybe require admin in this case).

+1 to all these proposals (and to turning this into a blueprint). Just for clarity, are you talking about fixing Nova only or across all the projects?

Michael

-------------------------------------------------
Michael Fork
Architect, OpenStack Development
IBM Systems & Technology Group
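A small self-contained model of the policy.json behaviour discussed in this thread (a blank rule defaults to true, an unlisted action falls back to the default rule, and a policy denial maps to 403 while only a malformed rule should ever surface as 500), written as an added example for this page rather than code from Nova or from the linked change. The rule syntax, the action names and the two constructed policy files are assumptions covering only a small subset of the real rule language.

```python
import json
# Added, simplified model of Nova-style policy.json evaluation, not nova's or
# oslo.policy's code. Rule subset: "" (always true), "!" (always false),
# "role:X", "is_admin:True", "rule:Y" and "A or B".
# Constructed policy files. WEAK keeps a blank rule on compute:get_all (the
# backward-compatible "blank defaults to true" case), so any caller passes.
# HARDENED names the roles explicitly and makes an unlisted action fail.
WEAK_POLICY_JSON = json.dumps({
    "default": "rule:admin_api",
    "admin_api": "is_admin:True",
    "compute:get_all": "",
    "compute:delete": "rule:admin_api",
})
HARDENED_POLICY_JSON = json.dumps({
    "default": "!",
    "admin_api": "is_admin:True",
    "compute:get_all": "role:admin or role:viewer",
    "compute:delete": "rule:admin_api",
})

def check_rule(rule, creds, policy, depth=0):
    """Evaluate one rule string against the caller's credentials."""
    if depth > 10:                      # guard against rule:a -> rule:b -> rule:a
        raise ValueError("rule recursion too deep")
    rule = rule.strip()
    if rule == "":
        return True                     # blank rule defaults to true
    if rule == "!":
        return False
    if " or " in rule:
        return any(check_rule(r, creds, policy, depth) for r in rule.split(" or "))
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return str(creds.get("is_admin", False)) == value
    if kind == "rule":
        return check_rule(policy.get(value, "!"), creds, policy, depth + 1)
    raise ValueError("unknown rule syntax: %r" % rule)

def enforce(action, creds, policy_json):
    """HTTP status the API layer should send: a policy denial is 403; only a
    malformed rule (a server-side bug) legitimately surfaces as 500."""
    policy = json.loads(policy_json)
    rule = policy.get(action, policy.get("default", "!"))
    try:
        return 200 if check_rule(rule, creds, policy) else 403
    except ValueError:
        return 500
```

Comparing the two policy files with the same credentials shows why a blank rule left in place for backward compatibility is worth auditing: under WEAK a caller with no roles at all can list servers, under HARDENED only the named roles can.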
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
