Hi,

While developing the Nested Quota Driver for Cinder, the following restrictions apply when performing show/update/delete:

1. show: Only a user who is admin, or admin in the parent, or admin in the root project should be able to show/view the quota of the leaf projects.
2. update: Only a user who is admin in the parent or admin in the root project should be able to perform update.
3. delete: Only a user who is admin in the parent or admin in the root project should be able to perform delete.

In order to get the parent information or the child list in a nested hierarchy, calls need to be made to Keystone. So as part of these changes, do we want to introduce 2 new roles in Cinder, one for project_admin and one for root_admin, so that the token can be scoped at project/root level and only the permissible operations at the respective levels, as described above, can be allowed?

For example:

A
|
B
|
C

cinder quota-update C (should only be permissible from B or A)

This can be achieved either by:

1. Introducing a project_admin or cloud_admin rule in policy.json and later populating [1] with the respective target [2][3]. This minimises code changes and gives operators the freedom to modify policy.json and tune changes accordingly.
2. Not introducing these 2 roles in policy.json, but just making code changes and adding logic in code to handle this. Using this option we can go to at most 1 level of hierarchy, as in order to fetch more parents we will need to make a Keystone call.

Need opinion on which option can be helpful in the long term.

-Vilobh

[1] https://github.com/openstack/cinder/blob/master/cinder/api/contrib/quotas.py#L33
[2] https://github.com/openstack/cinder/blob/master/cinder/api/extensions.py#L379
[3] https://github.com/openstack/cinder/blob/master/cinder/api/contrib/quotas.py#L109
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
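The show/update/delete rules and the A -> B -> C example from the mail, as an added illustration that is not code from the post or from Cinder: the hierarchy dict is a constructed stand-in for the parent lookups the driver would make against Keystone, and the function names and the "self"/"parent"/"root" scope names are assumptions made here.

```python
from typing import Dict, List, Optional

# Constructed stand-in for the parent lookups the real driver would have to
# make against Keystone: project id -> parent project id (None = root).
# Hierarchy from the mail: A -> B -> C, plus a sibling D under A.
HIERARCHY: Dict[str, Optional[str]] = {"A": None, "B": "A", "C": "B", "D": "A"}

# Which token scopes may act on a project's quota, per the rules in the mail.
# "self" = admin in the target project itself, "parent" = admin in its direct
# parent, "root" = admin in the root of its hierarchy.
ALLOWED_SCOPES = {
    "show": ("self", "parent", "root"),
    "update": ("parent", "root"),
    "delete": ("parent", "root"),
}


def ancestors(project_id: str,
              hierarchy: Dict[str, Optional[str]] = HIERARCHY) -> List[str]:
    """Return the parent chain of project_id, nearest parent first.

    Each loop step is one parent lookup (one Keystone call in the real
    driver), which is why option 2 in the mail stops at a single level.
    """
    chain: List[str] = []
    current = hierarchy[project_id]
    while current is not None:
        if current == project_id or current in chain:
            raise ValueError("cycle in project hierarchy at %s" % current)
        chain.append(current)
        current = hierarchy[current]
    return chain


def is_quota_action_allowed(action: str, caller_project: str,
                            caller_roles: List[str], target_project: str,
                            hierarchy: Dict[str, Optional[str]] = HIERARCHY) -> bool:
    """Decide whether a token scoped to caller_project may run
    `cinder quota-<action>` against target_project."""
    if action not in ALLOWED_SCOPES:
        raise ValueError("unknown quota action: %s" % action)
    # Role check first: a non-admin is refused at every level.
    if "admin" not in caller_roles:
        return False
    chain = ancestors(target_project, hierarchy)
    scopes = {
        "self": target_project,
        "parent": chain[0] if chain else None,
        # A root project is its own root, so its admin may manage its own quota.
        "root": chain[-1] if chain else target_project,
    }
    permitted = {scopes[name] for name in ALLOWED_SCOPES[action]} - {None}
    return caller_project in permitted
```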