> By setting default to admin, won't we be overly restrictive? > I see that "add_image, download_image" are both set to "", which I assume > means, default, which means admin, > If that's correct, then no regular project users will be able to create > images, or worse, launch instances. > I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.
An empty string means everybody. So this would not affect download_image etc. The default only applies when the policy does not exist in the file. For example a new policy is added and the policy.json is not updated. Niall ________________________________ From: Abel Lopez <[email protected]> Sent: 17 June 2016 17:46:47 To: Bunting, Niall Cc: [email protected] Subject: Re: [Openstack-operators] [Glance] Default policy in policy.json By setting default to admin, won't we be overly restrictive? I see that "add_image, download_image" are both set to "", which I assume means, default, which means admin, If that's correct, then no regular project users will be able to create images, or worse, launch instances. I usually go with "owner_or_admin" for my defaults, wrt add_image, etc. > On Jun 17, 2016, at 9:27 AM, Bunting, Niall <[email protected]> wrote: > > Hi, > > > Glance is planning to implement the patch [1], which affects the value of the > 'default' policy. > > > This would make the following change in the policy.json: > > - "default": "" > > + "default": "role:admin" (or to "!" to restrict everybody) > > > We are just wondering if the operators have any reason not to make this > change? As our thinking is that this would be more restrictive for new > policies, to stop users accidentally getting additional permissions when a > policy is not explicitly stated. However, we may have overlooked something > else. > > > Also which would be preferred "role:admin" or "!"? Brian points out on [1] > that "!" would in effect, notify the admins that a policy is not defined as > they would be unable to preform the action themselves. > > > Thanks, > > Niall > > > 1. https://review.openstack.org/#/c/330443/ > > _______________________________________________ > OpenStack-operators mailing list > [email protected] > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators _______________________________________________ OpenStack-operators mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
