[openstack-dev] [keystone] Configuring protected API functions to allow public access
Hi All,

Correct me if I am wrong, but I don't think you can configure the Keystone policy.json to allow public access to an API function; as far as I can tell you can allow access to any authenticated user regardless of role assignments, but not public access.

My use case is a client which allows users to query for a list of supported identity providers / protocols so that the user can then select which provider to authenticate with. As the user is unauthenticated at the time of the query, the request needs to allow public access to the 'List Identity Providers' API function. I can remove the protected decorator from the required functions, but this is a nasty hack.

I suggest that it should be possible to configure this kind of access rule on a deployment-by-deployment basis, and I was just hoping to get some thoughts on this.

Many thanks,
Kristy

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone] Configuring protected API functions to allow public access
Hi Kristy,

Have you tried the [] or @ rule as mentioned here?
https://github.com/openstack/keystone/blob/master/keystone/openstack/common/policy.py#L71

Guang

-----Original Message-----
From: K.W.S.Siu [mailto:k.w.s@kent.ac.uk]
Sent: Tuesday, August 12, 2014 3:44 AM
To: openstack Mailing List
Subject: [openstack-dev] [keystone] Configuring protected API functions to allow public access
Re: [openstack-dev] [keystone] Configuring protected API functions to allow public access
On Tue, Aug 12, 2014 at 10:30 AM, Yee, Guang guang@hp.com wrote:
> Hi Kristy,
>
> Have you tried the [] or @ rule as mentioned here?

That still requires valid authentication though, just not any specific authorization. I don't think we have a way to express truly public resources in oslo.policy.

> https://github.com/openstack/keystone/blob/master/keystone/openstack/common/policy.py#L71
>
> Guang
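The distinction drawn in the last reply (an "@" or "[]" rule grants any authenticated caller, but the protected decorator still rejects an unauthenticated request before any policy rule is consulted) can be seen in a small constructed model. This is an added example, not Keystone's or oslo.policy's code; the decorator, token table, simplified rule grammar and action names are assumptions that approximate the behaviour described in the thread.

```python
# Added example: a constructed model of how a Keystone-style "protected"
# decorator and oslo.policy-style rules interact. Not Keystone's or
# oslo.policy's code; names, token table and rule grammar are assumptions.
import functools


class Unauthorized(Exception):
    """401: no valid token. Raised before any policy rule is consulted."""


class Forbidden(Exception):
    """403: token is valid but the policy rule rejected the request."""


# Constructed policy.json-style rules. In this toy grammar "@" (and the older
# "[]" form) always matches, "!" never matches, "rule:NAME" refers to another
# rule and "role:X" requires that role on the caller's token.
POLICY = {
    "admin_required": "role:admin",
    "identity:list_identity_providers": "@",
    "identity:create_identity_provider": "rule:admin_required",
}


def check_rule(rule, creds):
    """Evaluate a rule string against an already-authenticated caller's creds."""
    if rule in ("@", "[]"):
        return True
    if rule == "!":
        return False
    if rule.startswith("rule:"):
        return check_rule(POLICY[rule[len("rule:"):]], creds)
    if rule.startswith("role:"):
        return rule[len("role:"):] in creds.get("roles", [])
    raise ValueError("unsupported rule: %r" % rule)


def validate_token(token):
    """Stand-in for token validation against a constructed token table."""
    tokens = {
        "tok-admin": {"user": "alice", "roles": ["admin"]},
        "tok-member": {"user": "bob", "roles": ["member"]},
    }
    if token not in tokens:
        raise Unauthorized("no valid token")
    return tokens[token]


def protected(action):
    """Model of the decorator: authenticate first, only then enforce policy."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(token=None, **kwargs):
            # An anonymous caller fails here; the "@" rule is never reached.
            creds = validate_token(token)
            if not check_rule(POLICY[action], creds):
                raise Forbidden(action)
            return fn(creds, **kwargs)
        return wrapper
    return decorator


@protected("identity:list_identity_providers")
def list_identity_providers(creds):
    return ["idp-a", "idp-b"]  # constructed sample data


@protected("identity:create_identity_provider")
def create_identity_provider(creds, name):
    return {"id": name, "created_by": creds["user"]}


def outcome(fn, **kwargs):
    """Map a call to an HTTP-style status so the cases are easy to compare."""
    try:
        fn(**kwargs)
        return 200
    except Unauthorized:
        return 401
    except Forbidden:
        return 403


if __name__ == "__main__":
    print("anonymous list ->", outcome(list_identity_providers))
    print("member list    ->", outcome(list_identity_providers, token="tok-member"))
    print("member create  ->", outcome(create_identity_provider, token="tok-member", name="x"))
    print("admin create   ->", outcome(create_identity_provider, token="tok-admin", name="x"))
```

The first call is the case Kristy raised: with the list action set to "@", a member token succeeds regardless of role, but the unauthenticated call still gets 401 because the decorator validates the token before the rule is evaluated. Making the function truly public means changing what the decorator does, not what policy.json says, which is why the thread concludes that the policy file alone cannot express it.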