On 10/24/2015 12:46 AM, Clint Byrum wrote:
Can I ask one thing though, can we use a domain name + project_name_
and not the ID?
I think we can do that. The submitted patch for the overall spec is here:
https://review.openstack.org/#/c/205629/
and the change for Keystone is here:
https://revi
Excerpts from Adam Young's message of 2015-10-19 22:53:14 +0900:
> While I tend to play up bug 968696 for dramatic effect, the reality is
> we have a logical contradiction on what we mean by 'admin' when talking
> about RBAC.
>
> In early iterations of OpenStack, roles were global. This is ref
Adam Young wrote on 10/22/2015 10:31:12 AM:
> On 10/22/2015 05:16 AM, William M Edmonds wrote:
> Adam Young wrote on 10/19/2015 09:53:14 AM:
> > While I tend to play up bug 968696 for dramatic effect, the reality is
> > we have a logical contradiction on what we mean by 'admin' when talking
On 10/22/2015 05:16 AM, William M Edmonds wrote:
Adam Young wrote on 10/19/2015 09:53:14 AM:
> While I tend to play up bug 968696 for dramatic effect, the reality is
> we have a logical contradiction on what we mean by 'admin' when talking
> about RBAC.
>
> In early iterations of OpenStack, ro
Adam Young wrote on 10/19/2015 09:53:14 AM:
> While I tend to play up bug 968696 for dramatic effect, the reality is
> we have a logical contradiction on what we mean by 'admin' when talking
> about RBAC.
>
> In early iterations of OpenStack, roles were global. This is reflected
> in many of t
On 10/19/2015 12:50 PM, Fox, Kevin M wrote:
Maybe I misunderstood then. I was thinking you were proposing endpoint
scoped tokens. But heat calls out to other endpoints itself, so if a
token is scoped to heat, it can't relay it further.
Right...not proposing that. This is specifically for ope
onday, October 19, 2015 9:00 AM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [cross-project] Admin
On 10/19/2015 11:53 AM, Fox, Kevin M wrote:
+1.
I think there may be a slight issue with this and Heat, or any other service
depending on Heat though. It would have to be very care
On 10/19/2015 12:39 PM, Neil Jerram wrote:
On 19/10/15 14:57, Adam Young wrote:
While I tend to play up bug 968696 for dramatic effect, the reality is
we have a logical contradiction on what we mean by 'admin' when talking
about RBAC.
In early iterations of OpenStack, roles were global. This
On 19/10/15 14:57, Adam Young wrote:
> While I tend to play up bug 968696 for dramatic effect, the reality is
> we have a logical contradiction on what we mean by 'admin' when talking
> about RBAC.
>
> In early iterations of OpenStack, roles were global. This is reflected
> in many of the Poli
a trust. Somethin needs a second look there anyway.
Thanks,
Kevin
From: Adam Young [ayo...@redhat.com]
Sent: Monday, October 19, 2015 6:53 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] [cross-project] Admin
While I tend to play up
. Maybe a flag in the
service catalog saying if the service can be scoped or not?
Thanks,
Kevin
From: Adam Young [ayo...@redhat.com]
Sent: Monday, October 19, 2015 6:53 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] [cross-project] Admin
While I tend to play up bug 968696 for dramatic effect, the reality is
we have a logical contradiction on what we mean by 'admin' when talking
about RBAC.
In early iterations of OpenStack, roles were global. This is reflected
in many of the Policy checks that only look for the global role.
On 07/24/2015 05:10 AM, Thierry Carrez wrote:
Adam Young wrote:
[...]
There should be no "Global Admin Tokens." They are a security risk,
and violate the principal of Least Privilege.
https://en.wikipedia.org/wiki/Principle_of_least_privilege.
Thanks for taking on this long-standing issue.
S
Adam Young wrote:
> [...]
> There should be no "Global Admin Tokens." They are a security risk,
> and violate the principal of Least Privilege.
> https://en.wikipedia.org/wiki/Principle_of_least_privilege.
Thanks for taking on this long-standing issue.
Should we have some cross-project spec to
On 07/23/2015 01:11 PM, melanie witt wrote:
On Jul 23, 2015, at 7:35, Adam Young wrote:
What this means is the if a user is assigned "admin" on any project, they are
assigned admin for everything.
Fixing this is going to require a change to how we write policy.
Each policy rule needs to hav
On Jul 23, 2015, at 7:35, Adam Young wrote:
> What this means is the if a user is assigned "admin" on any project, they are
> assigned admin for everything.
>
> Fixing this is going to require a change to how we write policy.
>
> Each policy rule needs to have two parts:
>
> 1. Match the sco
I a user has an admin role anywhere, they have it everywhere. This is
bug https://bugs.launchpad.net/keystone/+bug/968696 and, in order to fix
it we are going to have to adjust our thinking on policy checks.
Here is the theory:
A user is assigned a role on a project. Policy uses the roles ass
17 matches
Mail list logo