On Tue, Jun 21, 2016, at 12:27 PM, Adam Young wrote:
> On 06/20/2016 10:09 PM, Michael Richardson wrote:
> > On Fri, 17 Jun 2016 16:27:54 +
> >
> >> Also which would be preferred "role:admin" or "!"? Brian points out on [1]
> >> that "!" would in effect, notify the admins that a policy is n
On 06/20/2016 10:09 PM, Michael Richardson wrote:
On Fri, 17 Jun 2016 16:27:54 +
Also which would be preferred "role:admin" or "!"? Brian points out on [1] that
"!" would in effect, notify the admins that a policy is not defined as they would be unable to
preform the action themselves.
+
On Fri, 17 Jun 2016 16:27:54 +
> Also which would be preferred "role:admin" or "!"? Brian points out on [1]
> that "!" would in effect, notify the admins that a policy is not defined as
> they would be unable to preform the action themselves.
+1 for "!" (and brilliant that the Glance projec
So this would not affect download_image etc.
> The default only applies when the policy does not exist in the file. For
> example a new policy is added and the policy.json is not updated.
>
> Niall
> From: Abel Lopez
> Sent: 17 June 2016 17:46:47
> To: Bunting, Niall
olicy is added and the policy.json is not updated.
Niall
From: Abel Lopez
Sent: 17 June 2016 17:46:47
To: Bunting, Niall
Cc: openstack-operators@lists.openstack.org
Subject: Re: [Openstack-operators] [Glance] Default policy in policy.json
By setting default to ad
By setting default to admin, won't we be overly restrictive?
I see that "add_image, download_image" are both set to "", which I assume
means, default, which means admin,
If that's correct, then no regular project users will be able to create images,
or worse, launch instances.
I usually go with "
Hi,
Glance is planning to implement the patch [1], which affects the value of the
'default' policy.
This would make the following change in the policy.json:
- "default": ""
+ "default": "role:admin" (or to "!" to restrict everybody)
We are just wondering if the operators have any reason no
