Great, thanks for the clarification.

> On Jun 17, 2016, at 9:56 AM, Bunting, Niall <[email protected]> wrote:
>
> > By setting default to admin, won't we be overly restrictive?
> > I see that "add_image, download_image" are both set to "", which I assume
> > means default, which means admin.
> > If that's correct, then no regular project users will be able to create
> > images, or worse, launch instances.
> > I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.
>
> An empty string means everybody. So this would not affect download_image etc.
> The default only applies when the policy does not exist in the file. For
> example, a new policy is added and the policy.json is not updated.
>
> Niall
>
> From: Abel Lopez <[email protected]>
> Sent: 17 June 2016 17:46:47
> To: Bunting, Niall
> Cc: [email protected]
> Subject: Re: [Openstack-operators] [Glance] Default policy in policy.json
>
> By setting default to admin, won't we be overly restrictive?
> I see that "add_image, download_image" are both set to "", which I assume
> means default, which means admin.
> If that's correct, then no regular project users will be able to create
> images, or worse, launch instances.
> I usually go with "owner_or_admin" for my defaults, wrt add_image, etc.
>
> > On Jun 17, 2016, at 9:27 AM, Bunting, Niall <[email protected]> wrote:
> >
> > Hi,
> >
> > Glance is planning to implement the patch [1], which affects the value of
> > the 'default' policy.
> >
> > This would make the following change in the policy.json:
> >
> > - "default": ""
> > + "default": "role:admin" (or "!" to restrict everybody)
> >
> > We are just wondering if the operators have any reason not to make this
> > change? Our thinking is that this would be more restrictive for new
> > policies, to stop users accidentally getting additional permissions when a
> > policy is not explicitly stated. However, we may have overlooked something
> > else.
> >
> > Also, which would be preferred, "role:admin" or "!"? Brian points out on [1]
> > that "!" would in effect notify the admins that a policy is not defined, as
> > they would be unable to perform the action themselves.
> >
> > Thanks,
> > Niall
> >
> > 1. https://review.openstack.org/#/c/330443/
> >
> > _______________________________________________
> > OpenStack-operators mailing list
> > [email protected]
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
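The point Niall makes about the "default" rule (it is consulted only for actions missing from policy.json, so an explicit `""` on add_image stays wide open whatever "default" says, and `"!"` locks out admins too) is easy to check by hand with a small model. The script below is an added illustration and is not Glance or oslo.policy code: it re-implements only the slice of the policy.json grammar the thread touches (`""`, `"!"`, `role:`, `rule:`, target substitution, `or`/`and`) and the lookup-then-fall-back-to-"default" behaviour. The credentials, the rule names other than add_image/download_image/default, and the "brand_new_action" entry are constructed for the example.

```python
import json

# Constructed policy.json fragment modelled on the thread: the named rules keep
# the empty-string ("allow everybody") value, only "default" is varied below.
# Rule names other than add_image / download_image / default are assumptions.
POLICY_JSON = """{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
    "add_image": "",
    "download_image": "",
    "delete_image": "rule:admin_or_owner",
    "default": ""
}"""
BASE_RULES = json.loads(POLICY_JSON)

# Constructed credentials: an admin, a member of project p1, a member of p2.
ADMIN = {"roles": ["admin", "member"], "project_id": "p1"}
MEMBER = {"roles": ["member"], "project_id": "p1"}
OTHER = {"roles": ["member"], "project_id": "p2"}


def check(expr, target, creds, rules):
    """Evaluate one rule expression against a target and credentials.

    Deliberately only the subset of oslo.policy's grammar the thread touches:
    "" / "@" (allow all), "!" (deny all), "not X", "role:NAME", "rule:NAME",
    "KEY:%(target_key)s" or "KEY:literal", joined by "or" and "and"
    ("and" binds tighter than "or", as in oslo.policy).
    """
    expr = expr.strip()
    if " or " in expr:
        return any(check(p, target, creds, rules) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, target, creds, rules) for p in expr.split(" and "))
    if expr in ("", "@"):
        return True                      # empty string means everybody
    if expr == "!":
        return False                     # nobody, admins included
    if expr.startswith("not "):
        return not check(expr[4:], target, creds, rules)
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "rule":
        # A reference to a rule missing from the file falls back to "default" too.
        return enforce(rules, value, target, creds)
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])  # substitute the field from the target
    actual = creds.get(kind)
    return actual is not None and value is not None and str(actual) == str(value)


def enforce(rules, action, target, creds):
    """Decide `action`: use its own rule if the file has one, else "default".

    A file with neither entry denies in this model; real oslo.policy raises
    for an unknown rule without a default, which is also effectively a denial.
    """
    if action in rules:
        expr = rules[action]
    elif "default" in rules:
        expr = rules["default"]
    else:
        return False
    return check(expr, target, creds, rules)


def outcomes(default, action, target=None):
    """Return (admin, same-project member, other-project member) decisions
    for `action` when "default" is set to `default` in the constructed file."""
    rules = dict(BASE_RULES, default=default)
    target = target if target is not None else {"project_id": "p1"}
    return tuple(enforce(rules, action, target, c) for c in (ADMIN, MEMBER, OTHER))


if __name__ == "__main__":
    # Compare the three candidate defaults from the thread side by side.
    for default in ("", "role:admin", "!"):
        print('"default": %r' % default)
        for action in ("add_image", "delete_image", "brand_new_action"):
            admin, member, other = outcomes(default, action)
            print("  %-18s admin=%-5s member=%-5s other=%s"
                  % (action, admin, member, other))
```

Running it shows add_image and download_image allowed for everyone under all three defaults (their explicit `""` wins), while the unlisted brand_new_action goes from open to admin-only to denied-for-all as "default" moves from `""` to `"role:admin"` to `"!"`. The last column is the "admins notice a missing policy" effect Brian describes, and the `rule:` branch shows that a typo in a named rule reference is governed by the same default.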
