Re: [openstack-dev] [cross-project] RBAC Policy Basics

2015-06-23 Thread Adam Young
On 06/23/2015 06:14 AM, Osanai, Hisashi wrote: On Tuesday, June 23, 2015 12:14 AM, Adam Young wrote: It is not an issue if you keep each of the policy files completely separate, but it means that each service has its own meaning for the same name, and that confuses operators; owner in Nova

Re: [openstack-dev] [cross-project] RBAC Policy Basics

2015-06-23 Thread Osanai, Hisashi
On Tuesday, June 23, 2015 10:30 PM, Adam Young wrote: OK, I think I get it; you want to make a check specific to the roles on the service token. The term Service roles confused me. You can do this check with oslo.messaging today. Don't use the role check, just a generic check. It

Re: [openstack-dev] [cross-project] RBAC Policy Basics

2015-06-23 Thread Osanai, Hisashi
On Tuesday, June 23, 2015 12:14 AM, Adam Young wrote: It is not an issue if you keep each of the policy files completely separate, but it means that each service has its own meaning for the same name, and that confuses operators; owner in Nova means a user that has a role on this project

Re: [openstack-dev] [cross-project] RBAC Policy Basics

2015-06-22 Thread Adam Young
On 06/22/2015 12:41 AM, Osanai, Hisashi wrote: On Saturday, June 20, 2015 11:16 AM, Adam Young wrote: What situations does a shared policy file require? For example, there are policy files for Nova and Cinder and they have same targets such as context_is_admin, admin_or_owner and default. A

Re: [openstack-dev] [cross-project] RBAC Policy Basics

2015-06-21 Thread Osanai, Hisashi
On Saturday, June 20, 2015 11:16 AM, Adam Young wrote: What situations does a shared policy file require? For example, there are policy files for Nova and Cinder and they have same targets such as context_is_admin, admin_or_owner and default. A lot of these internal rules most likely

Re: [openstack-dev] [cross-project] RBAC Policy Basics

2015-06-19 Thread Adam Young
On 06/19/2015 01:08 AM, Osanai, Hisashi wrote: Adam, Thank you for the information RBAC Policy Basics. Thursday, June 18, 2015 1:47 AM, Adam Young wrote: However, we have found a need to have a global override. This is a way a cloud admin that can go into any API anywhere and fix things.

Re: [openstack-dev] [cross-project] RBAC Policy Basics

2015-06-18 Thread Osanai, Hisashi
Adam, Thank you for the information RBAC Policy Basics. Thursday, June 18, 2015 1:47 AM, Adam Young wrote: However, we have found a need to have a global override. This is a way a cloud admin that can go into any API anywhere and fix things. This means that Glance, Neutron, Nova, and

[openstack-dev] [cross-project] RBAC Policy Basics

2015-06-17 Thread Adam Young
Policy is supposed to allow access control to work across multiple services and endpoints. However, each service has specified policy differently. Here are some of the basic working assumptions for policy enforcement we can use to work towards consistent enforcement. 1) A policy rule