On 06/22/2015 12:41 AM, Osanai, Hisashi wrote:
On Saturday, June 20, 2015 11:16 AM, Adam Young wrote:
What situations does a shared policy file require?
For example, there are policy files for Nova and Cinder and they have
same targets such as
"context_is_admin", "admin_or_owner" and "default".
A lot of these internal rules most likely should be removed.  They do
conflict, with different interpretations between the projects. They are
also confusing two different things:  scope and role.  I think we
should make it a point to keep them separate.
I don't understand why you think it as conflicts. They use same target name
such as "context_is_admin", "admin_or_owner" and "default" but they use them
on different processes. I might have mis-understanding here but for me there
is no conflict.

It is not an issue if you keep each of the policy files completely separate, but it means that each service has its own meaning for the same name, and that confuses operators; owner in Nova means "a user that has a role on this project" whereas "owner" in Keystone means "Objects associated with a specific user".


http://lists.openstack.org/pipermail/openstack-dev/2015-May/063915.html
- HTTP_X_SERVICE_ROLES handling in _checks.py
I've missed that there was another push for "Service specific roles" out
there.  We've been trying to make the concpet slighly more general by
saying that we were going to namespace roles, and that a Service would
be one potential namespacing.  Henry Nash had proposed Domain Specific
roles, in case you were wondering what else would need to be namespaced.

https://review.openstack.org/#/c/133855/
I like your thought " the concpet slighly more general" and it becomes a
solution for my issue.
Wow, I typoed this.  Glad it was still comprehensible.


My concern now is:
* Service Tokens was implemented in Juno [1] but now we are not able to
  implement it with Oslo policy without extensions so far.
* I think to implement spec[2] needs more time.

[1] https://github.com/openstack/keystone-specs/blob/master/specs/keystonemiddleware/implemented/service-tokens.rst
[2] https://review.openstack.org/#/c/133855/

Is there any way to support spec[1] in Oslo policy? Or
Should I wait for spec[2]?

I'm sorry, I am not sure what you are asking.

Thanks in advance,
Hisashi Osanai

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

