openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #17166
Re: Question about Keystone RBAC
That will provided by Identity API v3, currently in draft:
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md
The "when" is first dependent on:
1) Identity API v3 support in keystone
https://review.openstack.org/#/c/12106/
2) Identity API v3 support in keystoneclient
https://review.openstack.org/#/c/12806/
3) services need to consume the centralized policy info, probably through
common middleware
4) adding UI support in horizon
An open question: are you looking to modify policy per service or do you
need policy granularity per endpoint?
-Dolph
On Wed, Oct 3, 2012 at 7:29 PM, Shake Chen <shake.chen@xxxxxxxxx> wrote:
> Hi
>
> I also have question about RBAC.
>
> when we can setting the roles permission in Horizon?
>
>
> On Thu, Oct 4, 2012 at 2:56 AM, Dolph Mathews <dolph.mathews@xxxxxxxxxxxxx
> > wrote:
>
>> (replying on list)
>>
>> RBAC policy enforce is already implemented on consuming services and
>> default policies are provided by policy.json files (e.g.
>> https://github.com/openstack/nova/blob/master/etc/nova/policy.json ).
>>
>> We haven't yet implemented a method for services to consume policy
>> blobs from Identity API v3, /v3/policies (which itself is still in
>> development), rather than loading policy.json files.
>>
>> For an example of scoping RBAC per project, see the admin_or_owner rule
>> in nova's policy.json above.
>>
>> As for the efficiency of policy storage, I'm not clear on what your
>> concerns are?
>>
>> -Dolph
>> ------------------------------
>> *From:* MS. Faraji [ms.faraji@xxxxxxxxxxx]
>> *Sent:* Wednesday, October 03, 2012 1:34 PM
>> *To:* Dolph Mathews
>> *Subject:* Question about Keystone RBAC
>>
>> Hi,
>>
>> I sent an email to inquire about RBAC implementation in Keystone before,
>> and you generously shared your information. However, there are a couple of
>> questions that I have in mind.
>> I searched the Internet and documents; however, I did not find useful
>> information about them. I hope you can help me to find it out.
>>
>> 1) Consider the enforce API is implemented, which side should use it?
>> Service or Keystone itself. If Keystone uses this function, how does it
>> know about the action that a user
>> wants to perform on a resource. If service call it as an API, what is the
>> endpoint? How services use authorization in Keystone?
>>
>> 2) Can roles and associated actions be defined in the scope of project or
>> domain? For example demo can do release in project 1 but not in project 2.
>>
>> 3) Is the plain storage of capabilities ( no data structure) efficient?
>> In terms of required storage space and later lookups.
>>
>> Thanks in advance for your help and assistance,
>> I look forward to your response.
>>
>>
>> Moh,
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>
>
> --
> Shake Chen
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>
References