Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

2012-05-11 Thread Dolph Mathews
On Fri, May 11, 2012 at 2:25 PM, Joshua Harlow wrote:

> Cool, I’m glad that is the ultimate goal.

Working on it! https://blueprints.launchpad.net/keystone/+spec/rbac-keystone

> It seems like nova should be asking keystone for an initial policy template of some kind, which nova then fills

Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

2012-05-11 Thread Gabriel Hurley
ack Subject: Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json I was also wondering about this, it seems there are lots of policy.json files with hard coded roles in them, which is weird since keystone supports the creation of roles and such, but if u creat

Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

2012-05-11 Thread Joshua Harlow
Cool, I'm glad that is the ultimate goal. It seems like nova should be asking keystone for an initial policy template of some kind, which nova then fills in its "specifics" with or policies can be fully defined in keystone, either or. Just people should be aware that making custom roles might n

Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

2012-05-11 Thread Vishvananda Ishaya
Most of nova is configurable via policy.json, but there is the issue with context.is_admin checks that still exist in a few places. We definitely need to modify that. Joshua, the idea is that policy.json will ultimately be managed in keystone as well. Currently the policy.json is checked for modif

Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

2012-05-10 Thread Joshua Harlow
I was also wondering about this, it seems there are lots of policy.json files with hard coded roles in them, which is weird since keystone supports the creation of roles and such, but if u create a role which isn't in a policy.json then u have just caused yourself a problem, which isn't very app

Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

2012-05-10 Thread Brian Waldon
Dolph: I think what Salman is looking for is some way to configure what role is used to determine admin-ness within a service. For example, Glance allows you to set a 'service_role' option. The context.is_admin checks make sure whatever role defined in service_role is found in the roles returne

Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

2012-05-10 Thread Dolph Mathews
policy.json is entirely end-user configurable (it's not hardcoded at all): replace every instance of "role:admin" in your policy.json (there's two by default in nova's policy.json, for example) with "role:myadmin", create the corresponding "myadmin" role in keystone, and grant it to the appropriate

[Openstack] 'admin' role hard-coded in keystone and nova, and policy.json

2012-05-10 Thread Salman A Baset
It seems that the 'admin' role is hard-coded across nova and horizon. As a result if I want to define 'myadmin' role, and grant it all the admin privileges, it does not seem possible. Is this a recognized limitation? Further, is there some good documentation on policy.json for nova, keystone, and glan