openstack team mailing list archive

Thread
Date

Re: Keystone JSON format access control policy

To: Xiangjun Qian <xiangjunqian@xxxxxxxxx>
From: Dolph Mathews <dolph.mathews@xxxxxxxxx>
Date: Mon, 29 Apr 2013 08:00:55 -0500
Cc: openstack <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAL0zppN92chFAJ-ZTbDuEBQdBz3PnMfwkNXHAQf-m1u_1i1K_Q@mail.gmail.com>

The JSON approach is rather arbitrary; keystone has an API to manage &
publish policy blobs of any format (/v3/policies), and the policy engines
themselves are completely pluggable. I don't think there's anything
preventing a deployment from implementing an XACML based policy solution
(if there is a blocker to using XACML, it's certainly a bug).

-Dolph

On Mon, Apr 29, 2013 at 4:50 AM, Xiangjun Qian <xiangjunqian@xxxxxxxxx>wrote:

> Hi everyone,
>
> I'm currently looking at access control mechanisms of OpenStack and
> finding that the access control policy is specified using JSON format.
>
> I'm wondering why we do not adopt an XML based approach like XACML, is it
> because of the performance problem, or we just choose JSON as it's simple?
>
> Thank you very much for your feedback.
>
> Best Regards,
>
> --
> Xiangjun
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>

Follow ups

Re: Keystone JSON format access control policy
From: Xiangjun Qian, 2013-04-29

References

Keystone JSON format access control policy
From: Xiangjun Qian, 2013-04-29