Le 21/11/2013 10:04, Yuriy Taraday a écrit :
On Thu, Nov 21, 2013 at 12:37 PM, Sylvain Bauza
mailto:sylvain.ba...@bull.net>> wrote:
Hi Yuriy, Dolph et al.
I'm implementing a climate.policy.check_is_admin(ctx) which will
look at policy.json entry 'context_is_admin' for knowing which
On Thu, Nov 21, 2013 at 12:37 PM, Sylvain Bauza wrote:
> Hi Yuriy, Dolph et al.
>
> I'm implementing a climate.policy.check_is_admin(ctx) which will look at
> policy.json entry 'context_is_admin' for knowing which roles do have
> elevated rights for Climate.
>
> This check must be called when cre
Hi Yuriy, Dolph et al.
I'm implementing a climate.policy.check_is_admin(ctx) which will look at
policy.json entry 'context_is_admin' for knowing which roles do have
elevated rights for Climate.
This check must be called when creating a context for knowing if we can
allow extra rights. The is
On Wed, Nov 20, 2013 at 9:57 PM, Dolph Mathews wrote:
>
> On Wed, Nov 20, 2013 at 10:52 AM, Yuriy Taraday wrote:
>>
>> On Wed, Nov 20, 2013 at 8:42 PM, Dolph Mathews
>> wrote:
>>
>>> is_admin is a short sighted and not at all granular -- it needs to die,
>>> so avoid imitating it.
>>>
>>
>> I su
On Wed, Nov 20, 2013 at 10:52 AM, Yuriy Taraday wrote:
> Hello, Dolph.
>
> On Wed, Nov 20, 2013 at 8:42 PM, Dolph Mathews wrote:
>
>>
>> On Wed, Nov 20, 2013 at 10:24 AM, Yuriy Taraday wrote:
>>
>>>
>>> context.is_admin should not be checked directly from code, only through
>>> policy rules. It s
Hello, Dolph.
On Wed, Nov 20, 2013 at 8:42 PM, Dolph Mathews wrote:
>
> On Wed, Nov 20, 2013 at 10:24 AM, Yuriy Taraday wrote:
>
>>
>> context.is_admin should not be checked directly from code, only through
>> policy rules. It should be set only if we need to elevate privileges from
>> code. That
On Wed, Nov 20, 2013 at 10:24 AM, Yuriy Taraday wrote:
>
> On Wed, Nov 20, 2013 at 3:21 PM, Sylvain Bauza wrote:
>
>> Yes indeed, that's something coming into my mind. Looking at Nova, I
>> found a "context_is_admin" policy in policy.json allowing you to say which
>> role is admin or not [1] and
On Wed, Nov 20, 2013 at 3:21 PM, Sylvain Bauza wrote:
>
> Yes indeed, that's something coming into my mind. Looking at Nova, I found
> a "context_is_admin" policy in policy.json allowing you to say which role
> is admin or not [1] and is matched in policy.py [2], which itself is called
> when creat
Well, I'm guessing the best way is the contrary, Swann needing to rebase
from the change I proposed about policies. The latter is still as draft,
committing myself to finish it by today.
-Sylvain
Le 20/11/2013 12:42, Dina Belova a écrit :
I suppose it's ok - just rebase from Swann's commit to
I suppose it's ok - just rebase from Swann's commit to have is_admin param
to use.
On Wed, Nov 20, 2013 at 3:21 PM, Sylvain Bauza wrote:
> Hi Yuriy,
>
> Le 20/11/2013 11:56, Yuriy Taraday a écrit :
>
> Looking at implementations in Keystone and Nova, I found the only use
> for is_admin but it
Hi Yuriy,
Le 20/11/2013 11:56, Yuriy Taraday a écrit :
Looking at implementations in Keystone and Nova, I found the only use
for is_admin but it is essential.
Whenever in code you need to run a piece of code with admin
privileges, you can create a new context with is_admin=True keeping
all
Looking at implementations in Keystone and Nova, I found the only use for
is_admin but it is essential.
Whenever in code you need to run a piece of code with admin privileges, you
can create a new context with is_admin=True keeping all other parameters
as is, run code requiring admin access and t
Le 20/11/2013 11:18, Julien Danjou a écrit :
It depends on how fine grained you want your ACL to be,
Then, that's policy matter to let you know if you can trust the user or not.
I'm digging into
http://adam.younglogic.com/2013/11/policy-enforcement-in-openstack/,great value
for knowing how m
On Wed, Nov 20 2013, Sylvain Bauza wrote:
> When reviewing https://review.openstack.org/#/c/54539/, it appeared to me
> that we need to make consensus on the way to know that a request is having
> admin creds.
> Currently, for implementing policies check in Climate, I'm looking at
> context.roles
Hi,
When reviewing https://review.openstack.org/#/c/54539/, it appeared to
me that we need to make consensus on the way to know that a request is
having admin creds.
Currently, for implementing policies check in Climate, I'm looking at
context.roles dict, which contains the unicode string 'adm
15 matches
Mail list logo