Hi Brian, Firstly, thanks for all your great work here!
Some feedback: 1) Is there a clash with existing user properties? For currently deployed systems a user may have an existing property 'foo: bar'. If we restrict property access (by virtue of allowing only owner_xxx) can the user update this previously existing property? 2) "A nice feature of this scheme is that the cloud provider can pick an arbitrary informal namespace for this purpose and educate users appropriately." How about having the user properties area be always the same? It would be more consistent/predictable -- is there a down side? 3) we could potentially link roles to the regex eg this could allow role1_xxx to be writable only if you have 'role1'. By assigning appropriate roles (com.provider/com.partner/nova?) you could provide the ability to write to that prefix without config file changes. Thanks, -Stuart
After lots of discussion, I think we've come to a consensus on what property protections should look like in Glance. Please reply with comments! The blueprint: https://blueprints.launchpad.net/glance/+spec/api-v2-property-protection The full specification: https://wiki.openstack.org/wiki/Glance-property-protections (it's got a Prior Discussion section with links to the discussion etherpads) A "product" approach to describing the feature: https://wiki.openstack.org/wiki/Glance-property-protections-product cheers, brian
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
