By setting default to admin, won't we be overly restrictive?
I see that "add_image" and "download_image" are both set to "", which I assume 
means default, which means admin.
If that's correct, then no regular project users will be able to create images, 
or worse, launch instances.
I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.

> On Jun 17, 2016, at 9:27 AM, Bunting, Niall <[email protected]> wrote:
> 
> Hi,
> 
> 
> Glance is planning to implement the patch [1], which affects the value of the 
> 'default' policy.
> 
> 
> This would make the following change in the policy.json:
> 
> - "default": ""
> 
> + "default": "role:admin" (or to "!" to restrict everybody)
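Review bot: the `+` line leaves the new value open ("role:admin", or "!" per the parenthetical), so the change as written does not say what ends up in policy.json. Settle on one value, and add a release note stating that the "default" rule changes from "" to that value, so operators can check which of their rules depend on it before upgrading.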
> 
> 
> We are just wondering if the operators have any reason not to make this 
> change? As our thinking is that this would be more restrictive for new 
> policies, to stop users accidentally getting additional permissions when a 
> policy is not explicitly stated. However, we may have overlooked something 
> else.
> 
> 
> Also, which would be preferred, "role:admin" or "!"? Brian points out on [1] 
> that "!" would, in effect, notify the admins that a policy is not defined, as 
> they would be unable to perform the action themselves.
> 
> 
> Thanks,
> 
> Niall
> 
> 
> 1. https://review.openstack.org/#/c/330443/
> 
> _______________________________________________
> OpenStack-operators mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
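
An added example, not part of the thread or of Glance's code: a simplified model of policy.json evaluation that lists which actions change outcome for a given set of roles when only the "default" rule is replaced. It assumes a reduced rule grammar ("", "!", "role:<name>", "rule:<name>") in which an explicit "" allows everyone and only rules that are absent, or that reference rule:default, follow the default; the policy and action names other than those quoted in the thread are hypothetical.

```python
# Simplified model of policy.json evaluation (an assumption for illustration,
# not the oslo.policy library): supports "", "!", "role:<name>", "rule:<name>".

def check(rule, roles, rules, seen=()):
    rule = rule.strip()
    if rule == "":                      # empty rule: everyone is allowed
        return True
    if rule == "!":                     # "!": nobody is allowed
        return False
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule":                  # reference to another named rule
        if value in seen:
            raise ValueError(f"rule cycle through {value!r}")
        return enforce(value, roles, rules, seen + (value,))
    raise ValueError(f"unsupported check in this model: {rule!r}")

def enforce(action, roles, rules, seen=()):
    # A rule that is not listed falls back to "default"; with no default, deny.
    rule = rules.get(action, rules.get("default"))
    return False if rule is None else check(rule, roles, rules, seen)

def changed_actions(policy, actions, new_default, roles):
    """Actions whose outcome for `roles` differs once "default" is replaced."""
    after = dict(policy, default=new_default)
    return sorted(a for a in actions
                  if enforce(a, roles, policy) != enforce(a, roles, after))

# Constructed sample policy and action list (names other than "default",
# "add_image" and "download_image" are hypothetical).
POLICY = {
    "default": "",
    "add_image": "",
    "download_image": "",
    "delete_image": "rule:default",
    "publicize_image": "role:admin",
}
ACTIONS = ["add_image", "download_image", "delete_image",
           "publicize_image", "new_unlisted_action"]

if __name__ == "__main__":
    for new_default in ("role:admin", "!"):
        for who, roles in (("member", ["member"]), ("admin", ["admin"])):
            print(new_default, who,
                  changed_actions(POLICY, ACTIONS, new_default, roles))
```

Running the same comparison against a deployment's real policy.json and the full list of actions the service enforces shows which rules would need an explicit entry before the default is tightened.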
