[openstack-dev] [keystone] Configuring protected API functions to allow public access

2014-08-12 Thread K.W.S.Siu
Hi All,

Correct me if I am wrong, but I don't think you can configure the Keystone 
policy.json to allow public access to an API function. As far as I can tell, you 
can allow access to any authenticated user regardless of role assignments, but 
not public access.

My use case is a client which allows users to query for a list of supported 
identity providers / protocols so that the user can then select which provider 
to authenticate with - as the user is unauthenticated at the time of the query 
the request needs to allow public access to the 'List Identity Providers' API 
function.

I can remove the protected decorator from the required functions but this is a 
nasty hack.

I suggest that it should be possible to configure this kind of access rule on a 
deployment-by-deployment basis, and I was just hoping to get some thoughts on 
this.

Many thanks,
Kristy
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [keystone] Configuring protected API functions to allow public access

2014-08-12 Thread Yee, Guang
Hi Kristy,

Have you tried the [] or @ rule as mentioned here?

https://github.com/openstack/keystone/blob/master/keystone/openstack/common/policy.py#L71



Guang




Re: [openstack-dev] [keystone] Configuring protected API functions to allow public access

2014-08-12 Thread Dolph Mathews
On Tue, Aug 12, 2014 at 10:30 AM, Yee, Guang guang@hp.com wrote:

> Hi Kristy,
>
> Have you tried the [] or @ rule as mentioned here?


That still requires valid authentication though, just not any specific
authorization. I don't think we have a way to express truly public
resources in oslo.policy.




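Added example, not part of the thread and not Keystone or oslo code: a simplified model of the point made in the last reply, that an always-true rule such as [] or @ removes the authorization requirement but not the authentication step that runs before policy is evaluated. The token table, the policy contents, the rule subset and the body of the protected wrapper are all assumptions made for illustration.

```python
import functools

class Unauthorized(Exception):
    """Stands in for an HTTP 401: no valid token was presented."""

class Forbidden(Exception):
    """Stands in for an HTTP 403: token valid, policy check failed."""

# Constructed sample data: token id -> credentials derived from that token.
TOKENS = {"tok-member": {"roles": ["member"]}, "tok-admin": {"roles": ["admin"]}}

# Constructed policy: [] (like "@") always passes the policy check.
POLICY = {"identity:list_identity_providers": [],
          "identity:delete_identity_provider": "role:admin"}

def check(rule, creds):
    """Evaluate a small subset of the rule language: [], "", "@", "role:<name>"."""
    if rule in ("", "@", []):
        return True
    kind, _, value = rule.partition(":")
    # "!" and any rule outside this subset deny.
    return kind == "role" and value in creds["roles"]

def protected(action):
    """Hypothetical wrapper: authenticate first, then evaluate policy."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(context, *args):
            creds = TOKENS.get(context.get("token_id"))
            if creds is None:  # missing or unknown token: policy is never consulted
                raise Unauthorized(action)
            if not check(POLICY[action], creds):
                raise Forbidden(action)
            return func(context, *args)
        return wrapper
    return decorator

@protected("identity:list_identity_providers")
def list_identity_providers(context):
    return ["idp-a", "idp-b"]  # constructed provider ids

@protected("identity:delete_identity_provider")
def delete_identity_provider(context, idp_id):
    return "deleted " + idp_id

def outcome(func, context, *args):
    """Return the call's result, or the name of the exception it raised."""
    try:
        return func(context, *args)
    except (Unauthorized, Forbidden) as exc:
        return type(exc).__name__
```

In this model a request with no token gets Unauthorized from list_identity_providers even though its rule is [], while any valid token, whatever its roles, gets the list.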