On 07/22/2015 12:42 AM, Vilobh Meshram wrote:
Hi,
While developing Nested Quota Driver for Cinder, when performing
show/update/delete following restrictions apply :-
1. show : Only user who is admin or admin in parent or admin in root
project should be able to perform show/view the quota of the leaf
projects.
2. update : Only user admin in parent or admin in root project should
be able to perform update.
3. delete : Only user admin in parent or admin in root project should
be able to perform delete.
In order to get the parent information or child list in a nested
hierarchy, calls need to be made to keystone. So as part of these
changes do we want to introduce 2 new roles in cinder, one for
project_admin and one for root_admin, so that the token can be scoped
at project/root level and only the permissible operations at the
respective levels as described above can be allowed?
For example :-
A
|
B
|
C
cinder quota-update C (should only be permissible from B or A)
This can be achieved either by :-
1. Introducing a project_admin or cloud_admin rule in policy.json and
later populating [1] with the respective target [2][3]. Minimises code
changes and gives the freedom to operators to modify policy.json and
tune changes accordingly.
2. Not introducing these 2 roles in policy.json and just making code
changes and adding logic in code to handle this, but using this
option we can go to at most 1 level of hierarchy, as in order to fetch
more parents we will need to make a keystone call.
Try to think of the token scoping to the thing you are querying; if you
can avoid having to know the hierarchy, policy will be clearer and easier
to enforce.
I think it is safer to make a user get a token scoped to the project
they want to query than to use a parent project token.
Need opinion on which option can be helpful in the long term.
-Vilobh
[1] https://github.com/openstack/cinder/blob/master/cinder/api/contrib/quotas.py#L33
[2] https://github.com/openstack/cinder/blob/master/cinder/api/extensions.py#L379
[3] https://github.com/openstack/cinder/blob/master/cinder/api/contrib/quotas.py#L109
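The show/update/delete restrictions from the first message, as an added example that is not Cinder's or the author's code: a Python check over the A -> B -> C hierarchy from the mail, with a constructed parent map standing in for the data Cinder would otherwise fetch from Keystone, and a constructed stand-in for a token's project scope and roles.

```python
# Added example, not Cinder code: the show/update/delete rules from the mail,
# evaluated against a constructed A -> B -> C project tree.  PARENT stands in
# for the hierarchy data Cinder would otherwise have to fetch from Keystone.
PARENT = {"A": None, "B": "A", "C": "B"}  # constructed sample hierarchy


def ancestors(project):
    """Return [parent, grandparent, ..., root] for a project ([] for the root)."""
    chain = []
    p = PARENT.get(project)
    while p is not None:
        chain.append(p)
        p = PARENT.get(p)
    return chain


def make_token(project, *roles):
    """Constructed stand-in for a token's project scope and role list."""
    return {"project": project, "roles": set(roles)}


def is_admin_of(token, project):
    """'admin in <project>' means: token scoped to that project with the admin role."""
    return token["project"] == project and "admin" in token["roles"]


def quota_action_allowed(token, action, target):
    """Apply the restrictions listed in the mail.

    show:          admin in the target itself, in its parent, or in the root.
    update/delete: admin in the parent or in the root only; an admin scoped to
                   the leaf itself cannot change its own quota.
    The mail names only parent and root, so in a deeper tree an intermediate
    ancestor is not granted anything here.
    """
    chain = ancestors(target)
    parent_and_root = set(chain[:1] + chain[-1:])  # empty for the root project
    if action == "show":
        scopes = parent_and_root | {target}
    elif action in ("update", "delete"):
        scopes = parent_and_root
    else:
        raise ValueError("unknown quota action: %r" % action)
    return any(is_admin_of(token, p) for p in scopes)


if __name__ == "__main__":
    # cinder quota-update C: permissible from B or A, but not from C itself
    for scope in "ABC":
        tok = make_token(scope, "admin")
        print("%s admin -> update C: %s, show C: %s" % (
            scope, quota_action_allowed(tok, "update", "C"),
            quota_action_allowed(tok, "show", "C")))
```

The check keys off the token's own project scope, which is the point the reply makes: the policy only ever compares the scope it was given against the target and its parent/root, without walking the tree itself.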
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack