> On Jun 2, 2016, at 10:58 AM, Adam Young <ayo...@redhat.com> wrote:
> 
> Any sensible RBAC setup would support this, but we are not using a sensible 
> one, we are using a hand rolled one. Replacing everything with Fortress 
> implies a complete rewrite of what we do now.  Nuke it from orbit type stuff.
> 
> What I would rather focus on is the splitting of the current policy into two 
> parts:
> 
> 1. Scope check done in code
> 2. Role check done in middleware
> 
> Role check should be done based on URL, not on the policy key like 
> identity:create_user
> 
> 
> Then, yes, a Fortress style query could be done, or it could be done by 
> asking the service itself.

Mostly in agreement.  I prefer to focus on the model (RBAC) rather than a 
specific impl like Fortress. That is to say support the model and allow the 
impl to remain pluggable.  That way you enable many vendors to participate in 
your ecosystem and more important, one isn’t tied to a specific backend 
(ldapv3, sql, …)
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
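
The split discussed in this thread, as an added Python example (not code from Keystone, Fortress or either poster): the middleware stage checks the role by HTTP method and URL against a pluggable role backend, and the handler code checks scope. The URL table, role names, token shape, the `/widgets` path and the `RoleBackend` interface are assumptions made for the illustration.

```python
from __future__ import annotations
import re
from typing import Protocol


class RoleBackend(Protocol):
    """Pluggable role source (assumed interface): LDAP, SQL, ... would implement it."""
    def roles_for(self, user: str, project: str) -> set[str]: ...


class DictBackend:
    """Constructed in-memory backend used only for this example."""
    def __init__(self, assignments: dict[tuple[str, str], set[str]]):
        self._assignments = assignments

    def roles_for(self, user: str, project: str) -> set[str]:
        return self._assignments.get((user, project), set())


# Constructed table: (method, URL pattern) -> required role, used instead of
# policy keys such as identity:create_user.
URL_ROLES = [
    ("POST", re.compile(r"/v3/users"), "admin"),
    ("GET", re.compile(r"/v3/projects/(?P<project_id>[^/]+)/widgets"), "member"),
]


def role_check(backend: RoleBackend, method: str, path: str, token: dict):
    """Middleware stage: decide from method + URL alone. Returns URL params or None."""
    for rule_method, pattern, role in URL_ROLES:
        match = pattern.fullmatch(path)
        if rule_method == method and match:
            held = backend.roles_for(token["user"], token["project"])
            return match.groupdict() if role in held else None
    return None  # unmapped URLs are denied by default


def scope_check(token: dict, resource_project: str) -> bool:
    """Code stage: the resource must live in the project the token is scoped to."""
    return token["project"] == resource_project


def handle(backend: RoleBackend, method: str, path: str, token: dict) -> int:
    params = role_check(backend, method, path, token)
    if params is None:
        return 403
    project_id = params.get("project_id")
    if project_id is not None and not scope_check(token, project_id):
        return 403
    return 200
```

Swapping `DictBackend` for another class with the same `roles_for` method changes where roles are stored without touching the URL table or the scope check.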
