Re: [Openstack-operators] [Glance] Default policy in policy.json
On Tue, Jun 21, 2016, at 12:27 PM, Adam Young wrote:
> On 06/20/2016 10:09 PM, Michael Richardson wrote:
> > On Fri, 17 Jun 2016 16:27:54 +
> >
> >> Also which would be preferred "role:admin" or "!"? Brian points out on [1]
> >> that "!" would, in effect, notify the admins that a policy is not defined
> >> as they would be unable to perform the action themselves.
> > +1 for "!" (and brilliant that the Glance project are being proactive on
> > this front; hopefully the others will follow suit).
> >
> > Cheers,
> > Michael Richardson.
> >
> >> Thanks,
> >>
> >> Niall
> >>
> >> 1. https://review.openstack.org/#/c/330443/
> >>
> >> ___
> >> OpenStack-operators mailing list
> >> OpenStack-operators@lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
> We are working on making the "admin and is_admin_project" a reality.
> That should be the default, but we can submit that once things are
> working.

There has been some work done in oslo.policy recently
(https://review.openstack.org/#/c/309152/), and it is being incorporated by
Nova (https://review.openstack.org/#/c/290155/), which eliminates the need
for a default rule. It works by having every rule that a project uses
register a default policy for that rule, so there is never a check that
falls through to the default rule. I would recommend that Glance take a
look at using that mechanism to provide a standard policy set for
deployers.
Re: [Openstack-operators] [Glance] Default policy in policy.json
On 06/20/2016 10:09 PM, Michael Richardson wrote:
> On Fri, 17 Jun 2016 16:27:54 +
>
>> Also which would be preferred "role:admin" or "!"? Brian points out on [1]
>> that "!" would, in effect, notify the admins that a policy is not defined
>> as they would be unable to perform the action themselves.
> +1 for "!" (and brilliant that the Glance project are being proactive on
> this front; hopefully the others will follow suit).
>
> Cheers,
> Michael Richardson.
>
>> Thanks,
>>
>> Niall
>>
>> 1. https://review.openstack.org/#/c/330443/

We are working on making the "admin and is_admin_project" a reality.
That should be the default, but we can submit that once things are
working.
Re: [Openstack-operators] [Glance] Default policy in policy.json
On Fri, 17 Jun 2016 16:27:54 +
> Also which would be preferred "role:admin" or "!"? Brian points out on [1]
> that "!" would, in effect, notify the admins that a policy is not defined as
> they would be unable to perform the action themselves.

+1 for "!" (and brilliant that the Glance project are being proactive on
this front; hopefully the others will follow suit).

Cheers,
Michael Richardson.

>
> Thanks,
>
> Niall
>
> 1. https://review.openstack.org/#/c/330443/

--
Michael Richardson
Catalyst IT Limited
150-154 Willis Street, PO Box 11-053
Wellington
New Zealand
DDI: ++64 4 803 2260
http://catalyst.net.nz
GPG: 0530 4686 F996 4E2C 5DC7 6327 5C98 5EED A302
Re: [Openstack-operators] [Glance] Default policy in policy.json
Great, thanks for the clarification.

> On Jun 17, 2016, at 9:56 AM, Bunting, Niall wrote:
>
> > By setting default to admin, won't we be overly restrictive?
> > I see that "add_image, download_image" are both set to "", which I assume
> > means, default, which means admin,
> > If that's correct, then no regular project users will be able to create
> > images, or worse, launch instances.
> > I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.
>
> An empty string means everybody. So this would not affect download_image etc.
> The default only applies when the policy does not exist in the file. For
> example a new policy is added and the policy.json is not updated.
>
> Niall
>
> From: Abel Lopez
> Sent: 17 June 2016 17:46:47
> To: Bunting, Niall
> Cc: openstack-operators@lists.openstack.org
> Subject: Re: [Openstack-operators] [Glance] Default policy in policy.json
>
> By setting default to admin, won't we be overly restrictive?
> I see that "add_image, download_image" are both set to "", which I assume
> means, default, which means admin,
> If that's correct, then no regular project users will be able to create
> images, or worse, launch instances.
> I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.
>
> > On Jun 17, 2016, at 9:27 AM, Bunting, Niall wrote:
> >
> > Hi,
> >
> > Glance is planning to implement the patch [1], which affects the value of
> > the 'default' policy.
> >
> > This would make the following change in the policy.json:
> >
> > - "default": ""
> > + "default": "role:admin" (or to "!" to restrict everybody)
> >
> > We are just wondering if the operators have any reason not to make this
> > change? As our thinking is that this would be more restrictive for new
> > policies, to stop users accidentally getting additional permissions when a
> > policy is not explicitly stated. However, we may have overlooked something
> > else.
> >
> > Also which would be preferred "role:admin" or "!"? Brian points out on [1]
> > that "!" would, in effect, notify the admins that a policy is not defined as
> > they would be unable to perform the action themselves.
> >
> > Thanks,
> >
> > Niall
> >
> > 1. https://review.openstack.org/#/c/330443/
Re: [Openstack-operators] [Glance] Default policy in policy.json
> By setting default to admin, won't we be overly restrictive?
> I see that "add_image, download_image" are both set to "", which I assume
> means, default, which means admin,
> If that's correct, then no regular project users will be able to create
> images, or worse, launch instances.
> I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.

An empty string means everybody. So this would not affect download_image etc.
The default only applies when the policy does not exist in the file. For
example a new policy is added and the policy.json is not updated.

Niall

From: Abel Lopez
Sent: 17 June 2016 17:46:47
To: Bunting, Niall
Cc: openstack-operators@lists.openstack.org
Subject: Re: [Openstack-operators] [Glance] Default policy in policy.json

By setting default to admin, won't we be overly restrictive?
I see that "add_image, download_image" are both set to "", which I assume
means, default, which means admin,
If that's correct, then no regular project users will be able to create
images, or worse, launch instances.
I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.

> On Jun 17, 2016, at 9:27 AM, Bunting, Niall wrote:
>
> Hi,
>
> Glance is planning to implement the patch [1], which affects the value of the
> 'default' policy.
>
> This would make the following change in the policy.json:
>
> - "default": ""
> + "default": "role:admin" (or to "!" to restrict everybody)
>
> We are just wondering if the operators have any reason not to make this
> change? As our thinking is that this would be more restrictive for new
> policies, to stop users accidentally getting additional permissions when a
> policy is not explicitly stated. However, we may have overlooked something
> else.
>
> Also which would be preferred "role:admin" or "!"? Brian points out on [1]
> that "!" would, in effect, notify the admins that a policy is not defined as
> they would be unable to perform the action themselves.
>
> Thanks,
>
> Niall
>
> 1. https://review.openstack.org/#/c/330443/
Re: [Openstack-operators] [Glance] Default policy in policy.json
By setting default to admin, won't we be overly restrictive?
I see that "add_image, download_image" are both set to "", which I assume
means, default, which means admin,
If that's correct, then no regular project users will be able to create
images, or worse, launch instances.
I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.

> On Jun 17, 2016, at 9:27 AM, Bunting, Niall wrote:
>
> Hi,
>
> Glance is planning to implement the patch [1], which affects the value of the
> 'default' policy.
>
> This would make the following change in the policy.json:
>
> - "default": ""
> + "default": "role:admin" (or to "!" to restrict everybody)
>
> We are just wondering if the operators have any reason not to make this
> change? As our thinking is that this would be more restrictive for new
> policies, to stop users accidentally getting additional permissions when a
> policy is not explicitly stated. However, we may have overlooked something
> else.
>
> Also which would be preferred "role:admin" or "!"? Brian points out on [1]
> that "!" would, in effect, notify the admins that a policy is not defined as
> they would be unable to perform the action themselves.
>
> Thanks,
>
> Niall
>
> 1. https://review.openstack.org/#/c/330443/
[Openstack-operators] [Glance] Default policy in policy.json
Hi,

Glance is planning to implement the patch [1], which affects the value of
the 'default' policy.

This would make the following change in the policy.json:

- "default": ""
+ "default": "role:admin" (or to "!" to restrict everybody)

We are just wondering if the operators have any reason not to make this
change? As our thinking is that this would be more restrictive for new
policies, to stop users accidentally getting additional permissions when a
policy is not explicitly stated. However, we may have overlooked something
else.

Also which would be preferred "role:admin" or "!"? Brian points out on [1]
that "!" would, in effect, notify the admins that a policy is not defined as
they would be unable to perform the action themselves.

Thanks,

Niall

1. https://review.openstack.org/#/c/330443/
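The behaviour this thread argues about, as an added toy model written for this page and not oslo.policy or Glance code: the fall-through to the "default" rule that Niall describes here and in his reply to Abel Lopez (an empty string means everybody; "default" only applies when an action is missing from the file), and the code-registered per-rule defaults that the oslo.policy reply at the top of the thread says remove the fall-through entirely. Only the three default values `""`, `"role:admin"` and `"!"` come from the thread; the rule subset, the sample policy files, the callers, the project ids `p0`/`p1` and the action name `brand_new_action` are constructed for illustration.

```python
"""Toy model of policy.json evaluation, written for this thread.

It is NOT oslo.policy or Glance code; it models only the subset of the
rule language the thread touches:

  ""                          -> allow everybody
  "!"                         -> deny everybody, admins included
  "role:<name>"               -> caller's credentials carry that role
  "project_id:%(project_id)s" -> caller's project matches the target's
  "rule:<name>"               -> defer to another named rule
  "A or B" / "A and B"        -> boolean combination ("or" binds loosest)

An action missing from the file is resolved, in order, from a default
registered in code (the oslo.policy mechanism mentioned in the thread),
then from the file's "default" rule, and is denied otherwise.
"""
import json


def _check(expr, creds, rules, target):
    """Evaluate one rule expression against caller credentials and target."""
    expr = expr.strip()
    if expr == "":
        return True          # empty string: everybody may do it
    if expr == "!":
        return False         # bang: nobody may do it, admins included
    if " or " in expr:
        return any(_check(p, creds, rules, target) for p in expr.split(" or "))
    if " and " in expr:
        return all(_check(p, creds, rules, target) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "rule":
        return _check(rules[value], creds, rules, target)
    if kind == "project_id":
        # "%(project_id)s" names the attribute of the target to compare with
        return creds.get("project_id") == target.get(value.strip("%()s"))
    raise ValueError("unsupported check: %r" % expr)


class Enforcer:
    """File rules win; then code-registered defaults; then the "default" rule."""

    def __init__(self, policy_json, registered_defaults=None):
        self.rules = json.loads(policy_json)
        self.registered = dict(registered_defaults or {})

    def enforce(self, action, target, creds):
        if action in self.rules:
            expr = self.rules[action]
        elif action in self.registered:
            expr = self.registered[action]
        elif "default" in self.rules:
            expr = self.rules["default"]
        else:
            return False
        return _check(expr, creds, self.rules, target)


# Constructed sample data: two callers and one image owned by project p1.
USER = {"roles": ["member"], "project_id": "p1"}
ADMIN = {"roles": ["admin"], "project_id": "p0"}
IMAGE = {"project_id": "p1"}

# Hypothetical policy files: the old default and the two proposed ones,
# plus two explicit rules so the (non-)effect on existing entries is visible.
_EXPLICIT = {
    "add_image": "",
    "get_image": "project_id:%(project_id)s or role:admin",
}
OLD_POLICY = json.dumps(dict(_EXPLICIT, default=""))
ADMIN_DEFAULT_POLICY = json.dumps(dict(_EXPLICIT, default="role:admin"))
DENY_DEFAULT_POLICY = json.dumps(dict(_EXPLICIT, default="!"))

# "brand_new_action" stands for a policy added in a release whose
# policy.json was never updated; it exists in no file.
ACTIONS = ("add_image", "get_image", "brand_new_action")


def outcomes(policy_json, creds, registered=None):
    """Map each action to allowed (True) or denied (False) for the caller."""
    enforcer = Enforcer(policy_json, registered)
    return {a: enforcer.enforce(a, IMAGE, creds) for a in ACTIONS}


if __name__ == "__main__":
    for name, policy in (("default \"\"", OLD_POLICY),
                         ("default role:admin", ADMIN_DEFAULT_POLICY),
                         ("default !", DENY_DEFAULT_POLICY)):
        print(name, "user:", outcomes(policy, USER), "admin:", outcomes(policy, ADMIN))
    # A default registered in code is consulted before "default", so the new
    # action never falls through no matter what the file says.
    print("registered", outcomes(DENY_DEFAULT_POLICY, ADMIN, {"brand_new_action": "role:admin"}))
```

Running it shows the three positions in the thread side by side: with `"default": ""` a plain user is silently allowed `brand_new_action`; with `"role:admin"` only the admin gets it, and nothing alerts anyone that the rule is missing; with `"!"` the admin is refused too, which is the signal Brian's comment relies on. The explicit `add_image` and `get_image` entries evaluate identically in all three files, which is Niall's point that the default only matters for actions absent from the file. The last line shows the registered-default path: an action with a code-registered rule is resolved before the file's `"default"` is ever consulted.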