Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Adam Young
On 06/04/2015 05:49 PM, Morgan Fainberg wrote: Hi Everyone! I've been reading through this thread and have had some conversations along the side and wanted to jump in to distill out what I think are the key points we are trying to address here. I'm going to outline about 4 items that seem to

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Morgan Fainberg
Hi Everyone! I've been reading through this thread and have had some conversations along the side and wanted to jump in to distill out what I think are the key points we are trying to address here. I'm going to outline about 4 items that seem to make sense to me regarding the evolution of policy.

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Sean Dague
On 06/04/2015 01:03 PM, Adam Young wrote: On 06/04/2015 09:40 AM, Sean Dague wrote: So I feel like I understand the high level dynamic policy end game. I feel like what I'm proposing for policy engine with encoded defaults doesn't negatively impact that. I feel there is a middle chunk where

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Yee, Guang
and counterintuitive? Guang -Original Message- From: Sean Dague [mailto:s...@dague.net] Sent: Thursday, June 04, 2015 10:16 AM To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting On 06/04/2015 01:03 PM, Adam Young wrote

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Adam Young
On 06/04/2015 09:40 AM, Sean Dague wrote: So I feel like I understand the high level dynamic policy end game. I feel like what I'm proposing for policy engine with encoded defaults doesn't negatively impact that. I feel there is a middle chunk where perhaps we've got different concerns or

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Adam Young
On 06/04/2015 09:40 AM, Sean Dague wrote: Is there some secret dragon I'm missing here? No. But it is a significant bit of coding to do; you would need to crawl every API and make sure you hit every code path that could enforce policy. Um, I don't understand that. I'm saying that you'd

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Tim Hinrichs
Inline. On Thu, Jun 4, 2015 at 6:40 AM, Sean Dague s...@dague.net wrote: On 06/04/2015 08:52 AM, Adam Young wrote: On 06/04/2015 06:32 AM, Sean Dague wrote: On 06/03/2015 08:40 PM, Tim Hinrichs wrote: As long as there's some way to get the *declarative* policy from the system (as a data

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Sean Dague
On 06/04/2015 12:12 PM, Tim Hinrichs wrote: Inline. On Thu, Jun 4, 2015 at 6:40 AM, Sean Dague s...@dague.net mailto:s...@dague.net wrote: On 06/04/2015 08:52 AM, Adam Young wrote: On 06/04/2015 06:32 AM, Sean Dague wrote: On 06/03/2015 08:40 PM, Tim Hinrichs wrote:

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Sean Dague
On 06/03/2015 08:40 PM, Tim Hinrichs wrote: As long as there's some way to get the *declarative* policy from the system (as a data file or as an API call) that sounds fine. But I'm dubious that it will be easy to keep the API call that returns the declarative policy in sync with the actual

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Adam Young
On 06/04/2015 01:16 PM, Sean Dague wrote: It gets overwritten by the central store. And you are wrong, that gives me what I want, because we can emit a WARNING in the logs if the patch is something crazy. The operators will see it, and be able to fix it later. I'm not trying to prevent people

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Adam Young
On 06/04/2015 06:32 AM, Sean Dague wrote: On 06/03/2015 08:40 PM, Tim Hinrichs wrote: As long as there's some way to get the *declarative* policy from the system (as a data file or as an API call) that sounds fine. But I'm dubious that it will be easy to keep the API call that returns the

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-04 Thread Sean Dague
On 06/04/2015 08:52 AM, Adam Young wrote: On 06/04/2015 06:32 AM, Sean Dague wrote: On 06/03/2015 08:40 PM, Tim Hinrichs wrote: As long as there's some way to get the *declarative* policy from the system (as a data file or as an API call) that sounds fine. But I'm dubious that it will be

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-03 Thread Doug Hellmann
Excerpts from Sean Dague's message of 2015-06-03 13:34:11 -0400: On 06/03/2015 12:10 PM, Tim Hinrichs wrote: I definitely buy the idea of layering policies on top of each other. But I'd worry about the long-term feasibility of putting default policies into code mainly because it ensures

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-03 Thread Tim Hinrichs
As long as there's some way to get the *declarative* policy from the system (as a data file or as an API call) that sounds fine. But I'm dubious that it will be easy to keep the API call that returns the declarative policy in sync with the actual code that implements that policy. Tim On Wed,

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-03 Thread Sean Dague
On 06/02/2015 06:27 PM, Morgan Fainberg wrote: On Tue, Jun 2, 2015 at 12:09 PM, Adam Young ayo...@redhat.com mailto:ayo...@redhat.com wrote: Since this a cross project concern, sending it out to the wider mailing list: We have a sub-effort in Keystone to do better access

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-03 Thread Tim Hinrichs
I definitely buy the idea of layering policies on top of each other. But I'd worry about the long-term feasibility of putting default policies into code mainly because it ensures we'll never be able to provide any tools that help users (or other services like Horizon) know what the effective

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-03 Thread Adam Young
On 06/03/2015 06:47 AM, Sean Dague wrote: Where I get fuzzy on what I've read / discussed on Dynamic Policy right now is the fact that every API call is going to need another round trip to Keystone for a policy check (which would be db calls in keystone?) Which, maybe is fine, but it seems like

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-03 Thread Sean Dague
On 06/03/2015 12:10 PM, Tim Hinrichs wrote: I definitely buy the idea of layering policies on top of each other. But I'd worry about the long-term feasibility of putting default policies into code mainly because it ensures we'll never be able to provide any tools that help users (or other

Re: [openstack-dev] Dynamic Policy for Access Control Subteam Meeting

2015-06-02 Thread Morgan Fainberg
On Tue, Jun 2, 2015 at 12:09 PM, Adam Young ayo...@redhat.com wrote: Since this a cross project concern, sending it out to the wider mailing list: We have a sub-effort in Keystone to do better access control policy (not the Neutron or Congress based policy efforts). I presented on this

Re: [openstack-dev] Dynamic Policy

2014-11-19 Thread Henry Nash
Hi Adam, So a comprehensive write-up...although I'm not sure we have made the case for why we need a complete rewrite of how policy is managed. We seemed to have lept into a solution without looking at other possible solutions to the problems we are trying to solve. Here's a start at an