Public bug reported:

It's not directly related to Neutron, but Neutron has been using the tagging concept widely, so I think it's a good place to start with. Also, I felt this feature allows rbac_policy functionality to be achieved in a slightly more generic way.

What I want to achieve is tag based policy. The scenario that I imagine is like this:

1. Admin attaches tags to several resources. (Network / Service Provider ...)
2. Tags attached in the project are exposed in auth_token so that the credential used by oslo.policy can take the tagging list.
3. Admin adds a specific rule in oslo.policy like this: "get_network": "project_tags:%(tags)s"
4. Then users can access limited resources which only match their tag.

I think the changes for the implementation belong to several components (oslo.context / oslo.policy / keystone / nova ...), but the LoC is not so much, since there are already many building blocks that can be used.

I already posted the keystone side for the feature that I mentioned in (2): https://bugs.launchpad.net/keystone/+bug/1807697

It seems that feedback from a service that uses this feature directly can give a little more power to this RFE. So I would appreciate hearing what Neutron folks think about it.

Thanks in advance.

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1825336

Title:
  [RFE] Tag based policy

Status in neutron:
  New
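
The scenario in steps 1 to 4, modelled as an added example that is not part of the original report and is not oslo.policy or keystone code. The `check` and `visible` helpers, the sample networks and credentials, and the matching rule (a project gets access when it shares at least one tag with the resource; anything missing or empty is denied) are assumptions made for illustration.

```python
# Added illustration; not oslo.policy code. All helper names are hypothetical.
import re

# Rule from step 3 of the report.
RULES = {"get_network": "project_tags:%(tags)s"}

_RULE_RE = re.compile(r"^(?P<kind>\w+):%\((?P<field>\w+)\)s$")


def check(action, target, creds, rules=RULES):
    """Return True if creds may perform action on target.

    Assumed semantics: the credential list named on the rule's left side
    must share at least one tag with the target field on the right side.
    Anything missing, empty or unparseable is denied (fail closed).
    """
    rule = rules.get(action)
    if rule is None:
        return False  # no rule for the action: deny
    m = _RULE_RE.match(rule)
    if m is None:
        return False  # unsupported rule syntax: deny
    cred_tags = creds.get(m.group("kind")) or []
    target_tags = target.get(m.group("field")) or []
    if isinstance(cred_tags, str) or isinstance(target_tags, str):
        return False  # a bare string would be split into characters: deny
    return bool(set(cred_tags) & set(target_tags))


def visible(action, resources, creds):
    """Filter resources down to the names the credentials may access."""
    return [r["name"] for r in resources if check(action, r, creds)]


# Constructed sample data: networks tagged by an admin (step 1) and the
# token-derived credentials of two projects (step 2).
NETWORKS = [
    {"name": "net-blue", "tags": ["blue"]},
    {"name": "net-shared", "tags": ["blue", "green"]},
    {"name": "net-untagged", "tags": []},
    {"name": "net-red", "tags": ["red"]},
]
BLUE = {"project_id": "p1", "project_tags": ["blue"]}
NO_TAGS = {"project_id": "p2"}

if __name__ == "__main__":
    print(visible("get_network", NETWORKS, BLUE))
    print(visible("get_network", NETWORKS, NO_TAGS))
```

Under these assumptions an untagged network and an untagged project both end up with no access, which keeps a forgotten tag from silently widening visibility.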

