On 05/23/2016 11:02 AM, Sean Dague wrote:
> On 05/23/2016 10:24 AM, Tim Bell wrote:
>> Quick warning for those who are dependent on the "user_id:%(user_id)s"
>> syntax for limiting actions by user. According to
>> https://bugs.launchpad.net/nova/+bug/1539351, this behavior was
>> apparently not intended according to the bug report feedback. The
>> behavior has changed from v2 to v2.1 and the old syntax no longer works.
> v2 to v2.1 of what?
>
> Well, the behavior changes with the backend code base. By mitaka the
> default backend code for both is the same. And the legacy code base is
> about to be removed.
>
> This feature (policy enforcement by user_id) was 100% untested, which is
> why it never ended up in the new API stack. Being untested, setting
> owner: 'user_id: %(user_id)s' might have some really unexpected results
> because not everything has a user_id.
>
>> There can be security implications also so I’d recommend those using
>> this current v2 feature to review the bug to understand the potential
>> impacts as clouds enable v2.1.
> While I understand from the bug report what your use case is now, I'm
> kind of wondering what the shared resources / actions of these 150
> people are in this project. Are they all in the same project for other
> reasons?

My sediments exactly. In cloud, you should never be looking at a user id for policy. It should be possible to always have more than one user perform an action, and enforce policy on the project_id.

The one exception for this is Barbican managing cryptographic secrets for a user's Identity.

And yes, I meant to say sediments.  I'm trying to be part of the solution.


> -Sean
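To make the thread's warning concrete, here is an added illustrative example (not code from this thread, from Nova or from oslo.policy): a small Python emulation of the `attr:%(attr)s` policy check, run over constructed credentials and resources. It shows why an `owner` rule of `user_id:%(user_id)s` behaves unpredictably when a resource carries no `user_id`, while a `project_id`-scoped rule evaluates consistently.

```python
import re

# Constructed, simplified emulation of oslo.policy's "attr:%(attr)s" check
# (a GenericCheck): the left side names a key in the caller's credentials,
# the right side is formatted with the target object's attributes, and the
# two values must match. Illustrative code only, not oslo.policy itself.
GENERIC = re.compile(r"^(\w+):%\((\w+)\)s$")


def check_rule(rule, creds, target):
    """Evaluate one rule string against credentials and a target.

    If the target has no attribute named on the right-hand side, the check
    cannot match and the rule fails (oslo.policy's GenericCheck returns
    False when the %(...)s substitution raises KeyError).
    """
    m = GENERIC.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    cred_key, target_key = m.groups()
    if target_key not in target or cred_key not in creds:
        return False
    return str(creds[cred_key]) == str(target[target_key])


# Constructed sample request contexts and Nova-like resources.
ALICE = {"user_id": "u-alice", "project_id": "p-research"}
BOB = {"user_id": "u-bob", "project_id": "p-research"}
SERVER = {"user_id": "u-alice", "project_id": "p-research"}  # carries a user_id
FLAVOR = {"project_id": "p-research"}                         # no user_id at all

PER_USER = "user_id:%(user_id)s"           # the owner: rule the thread warns about
PER_PROJECT = "project_id:%(project_id)s"  # the project-scoped alternative


def compare_owner_rules():
    """Return {(rule, caller, target): allowed} for both rules, both callers, both targets."""
    results = {}
    for rule_name, rule in (("per_user", PER_USER), ("per_project", PER_PROJECT)):
        for caller, creds in (("alice", ALICE), ("bob", BOB)):
            for target_name, target in (("server", SERVER), ("flavor", FLAVOR)):
                results[(rule_name, caller, target_name)] = check_rule(rule, creds, target)
    return results


if __name__ == "__main__":
    for key, allowed in sorted(compare_owner_rules().items()):
        print("%-12s %-6s %-7s -> %s" % (key + ("ALLOW" if allowed else "DENY",)))
```

The per-user rule lets only alice touch the server and denies everyone on the flavor, because there is no `user_id` to compare against; the project rule allows every member of the project on both resources, which is the behaviour the reply above recommends.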



_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators