On 06/23/2015 06:14 AM, Osanai, Hisashi wrote:
On Tuesday, June 23, 2015 12:14 AM, Adam Young wrote:
It is not an issue if you keep each of the policy files completely
separate, but it means that each service has its own meaning for the
same name, and that confuses operators; owner in Nova
On Tuesday, June 23, 2015 10:30 PM, Adam Young wrote:
OK, I think I get it; you want to make a check specific to the roles
on the service token. The term Service roles confused me.
You can do this check with oslo.messaging today. Don't use the role
check, just a generic check.
It
On Tuesday, June 23, 2015 12:14 AM, Adam Young wrote:
It is not an issue if you keep each of the policy files completely
separate, but it means that each service has its own meaning for the
same name, and that confuses operators; owner in Nova means a user
that has a role on this project
On 06/22/2015 12:41 AM, Osanai, Hisashi wrote:
On Saturday, June 20, 2015 11:16 AM, Adam Young wrote:
What situations does a shared policy file require?
For example, there are policy files for Nova and Cinder and they have
same targets such as
context_is_admin, admin_or_owner and default.
A
On Saturday, June 20, 2015 11:16 AM, Adam Young wrote:
What situations does a shared policy file require?
For example, there are policy files for Nova and Cinder and they have
same targets such as
context_is_admin, admin_or_owner and default.
A lot of these internal rules most likely
On 06/19/2015 01:08 AM, Osanai, Hisashi wrote:
Adam,
Thank you for the information RBAC Policy Basics.
Thursday, June 18, 2015 1:47 AM, Adam Young wrote:
However, we have found a need to have a global override. This is a way a cloud
admin that can go into any API anywhere and fix things.
Adam,
Thank you for the information RBAC Policy Basics.
Thursday, June 18, 2015 1:47 AM, Adam Young wrote:
However, we have found a need to have a global override. This is a way a
cloud admin that can go into any API anywhere and fix things.
This means that Glance, Neutron, Nova, and
Policy is supposed to allow access control to work across multiple
services and endpoints. However, each service has specified policy
differently.
Here are some of the basic working assumptions for policy enforcement we
can use to work towards consistent enforcement.
1) A policy rule