Cool, I'm glad that is the ultimate goal.

It seems like nova should be asking keystone for an initial policy template of 
some kind, which nova then fills in its "specifics" with or policies can be 
fully defined in keystone, either or.

Just people should be aware that making custom roles might not mean much if 
policy.json files are not also updated.

On 5/11/12 10:51 AM, "Vishvananda Ishaya" <vishvana...@gmail.com> wrote:

Most of nova is configurable via policy.json, but there is the issue with 
context.is_admin checks that still exist in a few places. We definitely need to 
modify that.

Joshua, the idea is that policy.json will ultimately be managed in keystone as 
well. Currently the policy.json is checked for modifications, so it would be 
possible to throw it on shared storage and modify it for every node at once 
without having to restart the nodes.  This is an interim solution until we 
allow for creating and retrieving policies inside of keystone.

Vish

On Thu, May 10, 2012 at 7:13 PM, Joshua Harlow <harlo...@yahoo-inc.com> wrote:
I was also wondering about this, it seems there are lots of policy.json files 
with hard-coded roles in them, which is weird since keystone supports the 
creation of roles and such, but if you create a role which isn't in a policy.json 
then you have just caused yourself a problem, which isn't very apparent...


On 5/10/12 2:32 PM, "Salman A Baset" <saba...@us.ibm.com> wrote:

It seems that the 'admin' role is hard-coded across nova and horizon. As a result, if 
I want to define a 'myadmin' role, and grant it all the admin privileges, it does 
not seem possible. Is this a recognized limitation?

Further, is there some good documentation on policy.json for nova, keystone, 
and glance?

Thanks.

Best Regards,

Salman A. Baset
Research Staff Member, IBM T. J. Watson Research Center
Tel: +1-914-784-6248



_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
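
The failure mode raised in this thread (a role created in keystone that no policy.json rule names) can be checked for mechanically. The following is an added audit sketch, not code from the thread or from nova; it assumes the list-of-lists rule syntax of policy.json, and the sample policy, the role list and the function names are constructed for illustration.

```python
import json

# Constructed sample policy.json: outer list = OR, inner list = AND, [] = always allowed.
SAMPLE_POLICY = json.loads("""{
  "admin_api": [["role:admin"]],
  "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
  "compute:get_all": [],
  "compute:delete": [["rule:admin_or_owner"]],
  "compute_extension:admin_actions": [["rule:admin_api"]]
}""")

def _checks(and_list):
    # A bare string in the outer list is a single-check AND group.
    return [and_list] if isinstance(and_list, str) else and_list

def role_satisfies(policy, name, role, seen=()):
    """True if holding `role` alone is enough to pass rule `name`."""
    if name in seen or name not in policy:   # cycle or undefined rule: not granted
        return False
    rule = policy[name]
    if not rule:
        return True
    def ok(check):
        kind, _, value = check.partition(":")
        if kind == "role":
            return value.lower() == role.lower()
        if kind == "rule":
            return role_satisfies(policy, value, role, seen + (name,))
        return False   # e.g. project_id: depends on the request, not the role
    return any(all(ok(c) for c in _checks(group)) for group in rule)

def audit(policy, keystone_roles):
    """Per role: is it named in any rule, and which rules does it pass by itself?"""
    referenced = {c.partition(":")[2].lower()
                  for rule in policy.values() for group in rule
                  for c in _checks(group) if c.startswith("role:")}
    return {role: {"referenced": role.lower() in referenced,
                   "grants": sorted(n for n in policy
                                    if role_satisfies(policy, n, role))}
            for role in keystone_roles}

if __name__ == "__main__":
    # Constructed role list standing in for what keystone would return.
    for role, info in audit(SAMPLE_POLICY, ["admin", "myadmin"]).items():
        print(role, info)
```

A role reported with `referenced: False` passes only the rules that are open to everyone. The audit sees policy.json only; the context.is_admin checks mentioned in the thread live in code and are outside its view.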


