OpenStack Compute (nova)

API: Remove scope checks from policy rules

Registered by John Garbutt

The current admin_or_owner policy check is meaningless because the default target is the project_id and user_id from context.

This spec looks at fixing that.

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
John Garbutt
Direction:
Needs approval
Assignee:
None
Definition:
New
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/policy-project-checks,n,z

Addressed by: https://review.openstack.org/433037
    Add policy-project-checks spec

Gerrit topic: https://review.openstack.org/#q,topic:bp/policy-remove-scope-checks,n,z

Addressed by: https://review.openstack.org/433010
    Add polcy-docs spec

Addressed by: https://review.openstack.org/435484
    POC: improved policy functional tests

Addressed by: https://review.openstack.org/435485
    POC: add context.check_scope

Gerrit topic: https://review.openstack.org/#q,topic:bp/additional-default-policy-roles,n,z

Addressed by: https://review.openstack.org/449722
    New intro

We're now past the spec freeze for the Pike release so I'm going to untarget this for Pike. I expect we'll be discussing RBAC related items at the Boston summit, so maybe we can figure out some incremental steps forward for Queens. -- mriedem 20170418

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.
Edit subscription

Subscribers

No subscribers.