- Original Message -
> From: "Nathan Kinder"
> To: openstack-dev@lists.openstack.org
> Sent: Tuesday, October 14, 2014 2:25:35 AM
> Subject: Re: [openstack-dev] [all][policy][keystone] Better Policy Model and
> Representing Capabilities
>
>
>
> On
On Mon, Oct 13, 2014 at 1:17 PM, Morgan Fainberg
wrote:
> Description of the problem: Without attempting an action on an endpoint
> with a current scoped token, it is impossible to know what actions are
> available to a user.
>
>
> Horizon makes some attempts to solve this issue by sourcing all o
There are two distinct permissions to be managed:
1. What can the user do.
2. What actions can this token be used to do.
2. is a subset of 1.
Just because I, Adam Young, have the ability to destroy the golden image
I have up on glance does not mean that I want to delegate that ability
ever
That was really helpful background. Thanks!
I’d be happy to look into using Congress to implement what we’ve discussed:
caching policy.json files, updating them periodically, and answering queries
about the roles required to be granted access to a certain kind of action. I
think we have the r
On Tuesday, October 14, 2014, Nathan Kinder wrote:
>
>
> On 10/14/2014 07:42 AM, Tim Hinrichs wrote:
> > First, some truth in advertising: I work on Congress (policy as a
> service), so I’ve mostly given thought to this problem in that context.
> >
> > 1) I agree with the discussion below about c
On 10/14/2014 07:42 AM, Tim Hinrichs wrote:
> First, some truth in advertising: I work on Congress (policy as a service),
> so I’ve mostly given thought to this problem in that context.
>
> 1) I agree with the discussion below about creating a token that encodes all
> the permitted actions for
First, some truth in advertising: I work on Congress (policy as a service), so
I’ve mostly given thought to this problem in that context.
1) I agree with the discussion below about creating a token that encodes all
the permitted actions for the user. The cons seem substantial.
(i) The token
On 14/10/2014 01:25, Nathan Kinder wrote:
>
>
> On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
>> Description of the problem: Without attempting an action on an
>> endpoint with a current scoped token, it is impossible to know what
>> actions are available to a user.
>>
This is not unusual in
On 10/13/2014 01:17 PM, Morgan Fainberg wrote:
> Description of the problem: Without attempting an action on an endpoint with
> a current scoped token, it is impossible to know what actions are available
> to a user.
>
>
> Horizon makes some attempts to solve this issue by sourcing all of the
This is a hot topic for some brainstorms here, since I started to hack a
bit with OpenStack =)
Regarding the given options, the second one looks better IMO, and we could
avoid some of the token bloating issues by having a parameter where the
service specifies what is the set of actions that are impor