On Tue, Jun 21, 2016, at 12:27 PM, Adam Young wrote:
> On 06/20/2016 10:09 PM, Michael Richardson wrote:
> > On Fri, 17 Jun 2016 16:27:54 +0000
> > <snip>
> >> Also which would be preferred "role:admin" or "!"? Brian points out on [1]
> >> that "!" would in effect, notify the admins that a policy is not defined
> >> as they would be unable to perform the action themselves.
> > +1 for "!" (and brilliant that the Glance project are being proactive on
> > this front; hopefully the others will follow suit).
> >
> > Cheers,
> > Michael Richardson.
> >
> >>
> >> Thanks,
> >>
> >> Niall
> >>
> >>
> >> 1. https://review.openstack.org/#/c/330443/
> >>
> >> _______________________________________________
> >> OpenStack-operators mailing list
> >> [email protected]
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> >
> We are working on making the "admin and is_admin_project" a reality.
> That should be the default, but we can submit that once things are
> working.

There has been some work done in oslo.policy recently (https://review.openstack.org/#/c/309152/), and is being incorporated by Nova (https://review.openstack.org/#/c/290155/), which eliminates the need for a default rule. It works by having every rule that a project uses register a default policy for that rule, so there is never a check that falls through to the default rule. I would recommend that Glance take a look at using that mechanism to provide a standard policy set for deployers.
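
The registration mechanism described in the reply above, next to the fall-through behaviour the thread is debating, as an added Python example that is not part of the original thread and is not oslo.policy's or Glance's code. The classes, the `demo` helper, the credentials and the action names are constructed for illustration; only the `!`, `@` and `role:` check strings follow oslo.policy's policy syntax.

```python
# Toy model of the mechanism; it does not use or reproduce oslo.policy's code.
class PolicyNotRegistered(Exception):
    """Raised when an action has no default registered in code."""

def check(rule, creds):
    """Evaluate a small subset of check strings: "!", "@" and "role:<name>"."""
    if rule == "!":
        return False              # always deny
    if rule == "@":
        return True               # always allow
    if rule.startswith("role:"):
        return rule[len("role:"):] in creds.get("roles", [])
    raise ValueError("unsupported check string: %r" % rule)

class FallthroughEnforcer:
    """Older model: an action missing from the file uses the "default" rule."""
    def __init__(self, file_rules):
        self.rules = dict(file_rules)

    def enforce(self, action, creds):
        return check(self.rules.get(action, self.rules["default"]), creds)

class RegisteredEnforcer:
    """Each action registers its default in code; the file only overrides it."""
    def __init__(self, file_rules):
        self.defaults = {}
        self.file_rules = dict(file_rules)

    def register_default(self, action, check_str):
        self.defaults[action] = check_str

    def enforce(self, action, creds):
        if action not in self.defaults:
            raise PolicyNotRegistered(action)   # nothing to fall through to
        return check(self.file_rules.get(action, self.defaults[action]), creds)

# Constructed sample data: action names and credentials are illustrative.
ADMIN = {"roles": ["admin"]}
MEMBER = {"roles": ["member"]}

def demo():
    admin_default = FallthroughEnforcer({"default": "role:admin"})
    deny_default = FallthroughEnforcer({"default": "!"})
    reg = RegisteredEnforcer({"delete_image": "role:admin"})  # operator override
    reg.register_default("get_image", "@")
    reg.register_default("delete_image", "@")
    return {
        "undefined, default role:admin": admin_default.enforce("new_action", ADMIN),
        "undefined, default !": deny_default.enforce("new_action", ADMIN),
        "registered default": reg.enforce("get_image", MEMBER),
        "file override": reg.enforce("delete_image", MEMBER),
    }
```

With a `role:admin` default, an action nobody wrote a policy for is silently usable by admins, while `!` denies it even to them, which is what surfaces the missing policy. In the registered model, an action with no in-code default raises instead of falling through.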
