On Saturday, June 20, 2015 11:16 AM, Adam Young wrote: > > What situations does a shared policy file require? > > For example, there are policy files for Nova and Cinder and they have > > same targets such as > > "context_is_admin", "admin_or_owner" and "default". > > A lot of these internal rules most likely should be removed. They do > conflict, with differenet interpretations between the proejcts. They are > also confusing two different things: scope and role./ I think we > should make it a point to keep them separate.
I don't understand why you think it as conflicts. They use same target name such as "context_is_admin", "admin_or_owner" and "default" but they use them on different processes. I might have mis-understanding here but for me there is no conflict. > > http://lists.openstack.org/pipermail/openstack-dev/2015-May/063915.html > > - HTTP_X_SERVICE_ROLES handling in _checks.py > > I've missed there there was another push for "Service specif roles" out > there. We've been trying to make the concpet slighly more general by > saying that we were going to namespace roles, and that a Service would > be one potential namwspacing. Henry Nash had proposed Domain Specific > roles, in case you were wondering what else would need to be namespaced. > > https://review.openstack.org/#/c/133855/ I like your thought " the concpet slighly more general" and it becomes a solution for my issue. My concern now is: * Service Tokens was implemented in Juno [1] but now we are not able to Implement it with Oslo policy without extensions so far. * I think to implement spec[2] needs more time. [1] https://github.com/openstack/keystone-specs/blob/master/specs/keystonemiddleware/implemented/service-tokens.rst [2] https://review.openstack.org/#/c/133855/ Is there any way to support spec[1] in Oslo policy? Or Should I wait for spec[2]? Thanks in advance, Hisashi Osanai __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
