- Original Message -
From: Nathan Kinder nkin...@redhat.com
To: openstack-dev@lists.openstack.org
Sent: Tuesday, October 14, 2014 2:25:35 AM
Subject: Re: [openstack-dev] [all][policy][keystone] Better Policy Model and
Representing Capabilities
On 10/13/2014 01:17 PM, Morgan
On 14/10/2014 01:25, Nathan Kinder wrote:
On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
Description of the problem: Without attempting an action on an
endpoint with a current scoped token, it is impossible to know what
actions are available to a user.
This is not unusual in the
First, some truth in advertising: I work on Congress (policy as a service), so
I’ve mostly given thought to this problem in that context.
1) I agree with the discussion below about creating a token that encodes all
the permitted actions for the user. The cons seem substantial.
(i) The token
On 10/14/2014 07:42 AM, Tim Hinrichs wrote:
First, some truth in advertising: I work on Congress (policy as a service),
so I’ve mostly given thought to this problem in that context.
1) I agree with the discussion below about creating a token that encodes all
the permitted actions for the
On Tuesday, October 14, 2014, Nathan Kinder nkin...@redhat.com wrote:
On 10/14/2014 07:42 AM, Tim Hinrichs wrote:
First, some truth in advertising: I work on Congress (policy as a
service), so I’ve mostly given thought to this problem in that context.
1) I agree with the discussion
That was really helpful background. Thanks!
I’d be happy to look into using Congress to implement what we’ve discussed:
caching policy.json files, updating them periodically, and answering queries
about the roles required to be granted access to a certain kind of action. I
think we have the
There are two distinct permissions to be managed:
1. What can the user do.
2. What actions can this token be used to do.
2. is a subset of 1.
Just because I, Adam Young, have the ability to destroy the golden image
I have up on glance does not mean that I want to delegate that ability
Description of the problem: Without attempting an action on an endpoint with a
current scoped token, it is impossible to know what actions are available to a
user.
Horizon makes some attempts to solve this issue by sourcing all of the policy
files from all of the services to determine what a
This is a hot topic for some brainstorms here, since I started to hack a
bit with OpenStack =)
Regarding the given options, the second one looks better IMO, and we could
avoid some of the token bloating issues by having a parameter where the
service specifies what is set of actions that are
On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
Description of the problem: Without attempting an action on an endpoint with
a current scoped token, it is impossible to know what actions are available
to a user.
Horizon makes some attempts to solve this issue by sourcing all of the
10 matches