That will be provided by Identity API v3, currently in draft: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md

The "when" is first dependent on:

1) Identity API v3 support in keystone https://review.openstack.org/#/c/12106/
2) Identity API v3 support in keystoneclient https://review.openstack.org/#/c/12806/
3) services need to consume the centralized policy info, probably through common middleware
4) adding UI support in horizon

An open question: are you looking to modify policy per service or do you need policy granularity per endpoint?

-Dolph

On Wed, Oct 3, 2012 at 7:29 PM, Shake Chen <[email protected]> wrote:

> Hi
>
> I also have a question about RBAC.
>
> When can we set the roles permission in Horizon?
>
>
> On Thu, Oct 4, 2012 at 2:56 AM, Dolph Mathews <[email protected]> wrote:
>
>> (replying on list)
>>
>> RBAC policy enforce is already implemented on consuming services and
>> default policies are provided by policy.json files (e.g.
>> https://github.com/openstack/nova/blob/master/etc/nova/policy.json ).
>>
>> We haven't yet implemented a method for services to consume policy
>> blobs from Identity API v3, /v3/policies (which itself is still in
>> development), rather than loading policy.json files.
>>
>> For an example of scoping RBAC per project, see the admin_or_owner rule
>> in nova's policy.json above.
>>
>> As for the efficiency of policy storage, I'm not clear on what your
>> concerns are?
>>
>> -Dolph
>> ------------------------------
>> *From:* MS. Faraji [[email protected]]
>> *Sent:* Wednesday, October 03, 2012 1:34 PM
>> *To:* Dolph Mathews
>> *Subject:* Question about Keystone RBAC
>>
>> Hi,
>>
>> I sent an email to inquire about RBAC implementation in Keystone before,
>> and you generously shared your information. However, there are a couple of
>> questions that I have in mind.
>> I searched the Internet and documents; however, I did not find useful
>> information about them. I hope you can help me to find it out.
>>
>> 1) Consider the enforce API is implemented, which side should use it?
>> Service or Keystone itself. If Keystone uses this function, how does it
>> know about the action that a user wants to perform on a resource? If a
>> service calls it as an API, what is the endpoint? How do services use
>> authorization in Keystone?
>>
>> 2) Can roles and associated actions be defined in the scope of project or
>> domain? For example demo can do release in project 1 but not in project 2.
>>
>> 3) Is the plain storage of capabilities (no data structure) efficient?
>> In terms of required storage space and later lookups.
>>
>> Thanks in advance for your help and assistance,
>> I look forward to your response.
>>
>>
>> Moh,
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : [email protected]
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>>
>
>
> --
> Shake Chen
>
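
The project-scoped check discussed in the thread (an admin_or_owner style rule, and "demo can do release in project 1 but not in project 2"), as an added example that is not part of the original messages and not OpenStack's code. It is a simplified evaluator written for illustration; the policy contents, the action names and the `enforce` helper are assumptions.

```python
# Constructed policy in a list-of-lists style: outer list = OR, inner list = AND.
# Action names are hypothetical; this is not nova's actual policy.json.
POLICY = {
    "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]],
    "instance:release": [["rule:admin_or_owner"]],
    "instance:migrate": [["role:admin"]],
}


def check(match, target, creds, policy, seen):
    """Evaluate one 'kind:value' match against the caller's credentials."""
    kind, _, value = match.partition(":")
    if kind == "rule":
        # Named rule reference; refuse unknown names and reference cycles.
        if value not in policy or value in seen:
            return False
        return evaluate(policy[value], target, creds, policy, seen | {value})
    if kind == "role":
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    try:
        # Generic match: substitute target attributes, compare to the credential.
        expected = value % target
    except (KeyError, TypeError, ValueError):
        return False  # target lacks the attribute: fail closed
    return kind in creds and str(creds[kind]) == expected


def evaluate(rule, target, creds, policy, seen=frozenset()):
    return any(
        all(check(m, target, creds, policy, seen) for m in and_list)
        for and_list in rule
    )


def enforce(action, target, creds, policy=POLICY):
    """Return True only if a rule exists for the action and it matches."""
    if action not in policy:
        return False
    return evaluate(policy[action], target, creds, policy, frozenset({action}))


if __name__ == "__main__":
    # Constructed token context: 'demo' holds role Member, scoped to project 1.
    demo = {"user": "demo", "roles": ["Member"], "project_id": "1"}
    print(enforce("instance:release", {"project_id": "1"}, demo))  # True
    print(enforce("instance:release", {"project_id": "2"}, demo))  # False
```

The service calls `enforce` locally with the credentials taken from the validated token and the target resource's attributes, so the per-project decision needs no extra round trip to the identity service.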

