Policy is supposed to allow access control to work across multiple services and endpoints. However, each service has specified policy differently.

Here are some of the basic working assumptions for policy enforcement we can use to work towards consistent enforcement.

1) A policy rule should specify:
      Where do I find the scope in this request?
      What role does the token need to contain in order to access the API?

Roles are not global. Roles are always scoped to something. Just because someone has "admin" on one project or domain does not mean they should have it everywhere. However, we have found a need to have a global override. This is a way for a cloud admin to go into any API anywhere and fix things. Even if we keep the mechanism, I assume it will take a few iterations to phase out having this specified on each rule.


2) Policy rules should be namespaced by API type.

For example, all of the Keystone policy rule targets start with:
    "identity:"

such as

    "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"

This means that Glance, Neutron, Nova, and Keystone should be able to share a policy file.

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
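To make the two points in the message concrete, here is a small evaluator for rules written in the form quoted above. It is an added example for this archive page, not Keystone or oslo.policy code: the rule grammar it accepts is the subset seen in the post (rule:, role:, generic "<token attribute>:<value>" checks with %(...)s filled in from the request target, and/or, parentheses). The "identity:ec2_get_credential" rule is the one quoted in the message; the "admin_required" and "owner" rules, the "compute:start_instance" rule, the token payloads and the request targets are constructed for the illustration, and the code assumes the caller has already flattened the nested request target into dotted keys ("target.credential.user_id"), as Keystone does before enforcing.

```python
"""Tiny evaluator for OpenStack-style policy rules: an added illustration, not
oslo.policy or Keystone code. Handles rule:<name>, role:<name>, generic
<token attr>:<value> checks with %(target.key)s interpolation, and/or and ()."""
import re
from collections import deque

# Constructed policy file. Targets are namespaced by API type ("identity:",
# "compute:") so one file could serve several services. The ec2 rule is the one
# quoted in the post; "compute:start_instance" is made up here to show a
# project-scoped role check next to the global override (is_admin:1).
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "identity:ec2_get_credential":
        "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
    "compute:start_instance":
        "is_admin:1 or (role:member and project_id:%(target.instance.project_id)s)",
}

# Tokens: "(", ")", "and", "or", or an atom "kind:value"; a %(...)s inside the
# value belongs to the atom and is not a grouping parenthesis.
_TOKEN = re.compile(r"\s*(\(|\)|\band\b|\bor\b|[A-Za-z_]+:(?:%\([^)]*\)s|[^\s()])+)")


def tokenize(rule):
    tokens, pos = [], 0
    while (m := _TOKEN.match(rule, pos)):
        tokens.append(m.group(1))
        pos = m.end()
    if rule[pos:].strip():                      # anything the grammar does not cover: fail closed
        raise ValueError("bad rule syntax near %r" % rule[pos:])
    return tokens


def parse(rule):
    """Recursive descent: or_expr := and_expr ("or" and_expr)*, and_expr := atom ("and" atom)*."""
    toks = deque(tokenize(rule))
    if not toks:
        return ("true",)                        # an empty rule allows everything
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.popleft() if toks else None

    def or_expr():
        node = and_expr()
        while peek() == "or":
            take()
            node = ("or", node, and_expr())
        return node

    def and_expr():
        node = atom()
        while peek() == "and":
            take()
            node = ("and", node, atom())
        return node

    def atom():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')' in %r" % rule)
            return node
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError("unexpected %r in %r" % (tok, rule))
        kind, _, match = tok.partition(":")
        return ("check", kind, match)

    node = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % rule)
    return node


def evaluate(node, creds, target, policy, depth=0):
    if depth > 16:                              # a rule that refers back to itself must not loop forever
        raise ValueError("rule recursion too deep")
    ev = lambda n: evaluate(n, creds, target, policy, depth)
    if node[0] == "true":
        return True
    if node[0] == "or":
        return ev(node[1]) or ev(node[2])
    if node[0] == "and":
        return ev(node[1]) and ev(node[2])
    _, kind, match = node
    if kind == "rule":                          # named sub-rule; an unknown name denies
        sub = policy.get(match)
        return sub is not None and evaluate(parse(sub), creds, target, policy, depth + 1)
    if kind == "role":                          # the roles in a token are those of the token's scope
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:                                        # generic check: token attribute == value filled in from the target
        wanted = match % target
    except (KeyError, ValueError):
        return False                            # the target lacks the key the rule asks for
    return kind in creds and str(creds[kind]) == wanted


def enforce(action, creds, target, policy=POLICY):
    """True if the token described by creds may perform action on target (a flat dict)."""
    rule = policy.get(action, policy.get("default"))   # no rule for the action: fall back to "default", else deny
    return rule is not None and evaluate(parse(rule), creds, target, policy)


# Constructed tokens and (already flattened) request targets for the demonstration.
ALICE = {"user_id": "u-alice", "project_id": "p-1", "roles": ["member"], "is_admin": 0}
BOB = {"user_id": "u-bob", "project_id": "p-1", "roles": ["admin"], "is_admin": 0}
CLOUD_ADMIN = {"user_id": "u-root", "project_id": "p-admin", "roles": [], "is_admin": 1}
ALICE_CRED = {"target.credential.user_id": "u-alice", "user_id": "u-alice"}
INSTANCE_P2 = {"target.instance.project_id": "p-2"}
```

Running enforce("identity:ec2_get_credential", BOB, ALICE_CRED) returns True: Bob's token only carries "admin" for project p-1, yet the unscoped "rule:admin_required" lets him read Alice's credential, which is exactly the "admin on one project does not mean admin everywhere" problem. The constructed "compute:start_instance" rule shows the scoped form: Bob is denied on an instance in p-2, Alice (member of p-1) is allowed only on p-1, and only the is_admin:1 override reaches everything.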
