Adam,

Thank you for the information on RBAC Policy Basics.

Thursday, June 18, 2015 1:47 AM, Adam Young wrote:
> However, we have found a need to have a global override. This is a way a
> cloud admin that can go into any API anywhere and fix things.
> This means that Glance, Neutron, Nova, and Keystone should be able to share a
> policy file.

What situations does a shared policy file require?

For example, there are policy files for Nova and Cinder and they have the same
targets such as "context_is_admin", "admin_or_owner" and "default".

(1) Load both policy.json files on a server process, then the targets will be
    overridden by the 2nd loaded policy.json. A cloud admin changes the 2nd
    policy.json only.
(2) A cloud admin changes the targets in different policy.json files at one
    time.

Did you mention case (2)?

Nova: https://github.com/openstack/nova/blob/master/etc/nova/policy.json
Cinder: https://github.com/openstack/cinder/blob/master/etc/cinder/policy.json

    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",

BTW, I sent the following email to this list. I think I found the right person
who can answer my question? :-)

http://lists.openstack.org/pipermail/openstack-dev/2015-May/063915.html
- HTTP_X_SERVICE_ROLES handling in _checks.py

Thanks in advance,
Hisashi Osanai