Adam,
Thank you for the information RBAC Policy Basics.
Thursday, June 18, 2015 1:47 AM, Adam Young wrote:
> However, we have found a need to have a global override. This is a way a
> cloud admin that can go into any API anywhere and fix things.
> This means that Glance, Neutron, Nova, and Keystone should be able to share a
> policy file.
What situations does a shared policy file require?
For example, there are policy files for Nova and Cinder and they have same
targets such as
"context_is_admin", "admin_or_owner" and "default".
(1) load both policy.json files on a server process then the targets will be
overridden by 2nd loaded policy.json.
A cloud admin changes the 2nd policy.json only.
(2) A cloud admin changes the targets in different policy.json files at one
time.
Did you mention about case(2)?
Nova: https://github.com/openstack/nova/blob/master/etc/nova/policy.json
Cinder: https://github.com/openstack/cinder/blob/master/etc/cinder/policy.json
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
BTW, I sent the following email in this list. I think I found right person who
can answer my question? :-)
http://lists.openstack.org/pipermail/openstack-dev/2015-May/063915.html
- HTTP_X_SERVICE_ROLES handling in _checks.py
Thanks in advance,
Hisashi Osanai
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
