← Back to team overview

openstack team mailing list archive

Re: 'admin' role hard-coded in keystone and nova, and policy.json

 

On Fri, May 11, 2012 at 2:25 PM, Joshua Harlow <harlowja@xxxxxxxxxxxxx>wrote:

>  Cool, I’m glad that is the ultimate goal.
>

Working on it! https://blueprints.launchpad.net/keystone/+spec/rbac-keystone


>
> It seems like nova should be asking keystone for an initial policy
> template of some kind, which nova then fills in its “specifics” with or
> policies can be fully defined in keystone, either or.
>

Policy will be fully defined in keystone, and the results will be passed to
nova, etc as part of the auth validation response ("what capabilities can
this user perform on this tenant?").


>
> Just people should be aware that making custom roles might not mean much
> if policy.json files are not also updated.
>

Today, that's completely true.


>
>
> On 5/11/12 10:51 AM, "Vishvananda Ishaya" <vishvananda@xxxxxxxxx> wrote:
>
> Most of nova is configurable via policy.json, but there is the issue with
> context.is_admin checks that still exist in a few places. We definitely
> need to modify that.
>
> Joshua, the idea is that policy.json will ultimately be managed in
> keystone as well. Currently the policy.json is checked for modifications,
> so it would be possible to throw it on shared storage and modify it for
> every node at once without having to restart the nodes.  This is an interim
> solution until we allow for creating and retrieving policies inside of
> keystone.
>
> Vish
>
> On Thu, May 10, 2012 at 7:13 PM, Joshua Harlow <harlowja@xxxxxxxxxxxxx>
> wrote:
>
> I was also wondering about this, it seems there are lots of policy.json
> files with hard coded roles in them, which is weird since keystone supports
> the creation of roles and such, but if u create a role which isn’t in a
> policy.json then u have just caused yourself a problem, which isn’t very
> apparent...
>
>
> On 5/10/12 2:32 PM, "Salman A Baset" <sabaset@xxxxxxxxxx <
> http://sabaset@xxxxxxxxxx> > wrote:
>
> It seems that 'admin' role is hard-coded cross nova and horizon. As a
> result if I want to define 'myadmin' role, and grant it all the admin
> privileges, it does not seem possible. Is this a recognized limitation?
>
> Further, is there some good documentation on policy.json for nova,
> keystone, and glance?
>
> Thanks.
>
> Best Regards,
>
> Salman A. Baset
> Research Staff Member, IBM T. J. Watson Research Center
> Tel: +1-914-784-6248 <tel:%2B1-914-784-6248>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>

References