Re: [openstack-dev] [keystone][cross-project] Standardized role names and policy

2016-06-28 Thread Jamie Lennox
On 28 June 2016 at 04:22, Jay Faulkner wrote:
> Is this spec still alive? I'm working on the spec for Ironic integration of Keystone policy, and like some of the items in the draft, but obviously they aren't binding and I can't really reference them unless the spec merges or at least shows

Re: [openstack-dev] [keystone][cross-project] Standardized role names and policy

2016-06-27 Thread Jay Faulkner
Is this spec still alive? I'm working on the spec for Ironic integration of Keystone policy, and like some of the items in the draft, but obviously they aren't binding and I can't really reference them unless the spec merges or at least shows progress towards merging.

Thanks,
Jay Faulkner
OSIC

Re: [openstack-dev] [keystone][cross-project] Standardized role names and policy

2016-01-31 Thread Adam Young
On 01/30/2016 08:24 PM, Henry Nash wrote:
On 30 Jan 2016, at 21:55, Adam Young wrote:
On 01/30/2016 04:14 PM, Henry Nash wrote:
Hi Adam,

Fully support this kind of approach.

I am still concerned over the scope check, since we do have examples of when there is mo

Re: [openstack-dev] [keystone][cross-project] Standardized role names and policy

2016-01-30 Thread Henry Nash
> On 30 Jan 2016, at 21:55, Adam Young wrote:
>
> On 01/30/2016 04:14 PM, Henry Nash wrote:
>> Hi Adam,
>>
>> Fully support this kind of approach.
>>
>> I am still concerned over the scope check, since we do have examples of when there is more than one (target)

Re: [openstack-dev] [keystone][cross-project] Standardized role names and policy

2016-01-30 Thread Adam Young
On 01/30/2016 04:14 PM, Henry Nash wrote:
Hi Adam,

Fully support this kind of approach.

I am still concerned over the scope check, since we do have examples of when there is more than one (target) scope check, e.g.: an API that might operate on an object that may be global, domain or project s

Re: [openstack-dev] [keystone][cross-project] Standardized role names and policy

2016-01-30 Thread Henry Nash
Hi Adam,

Fully support this kind of approach.

I am still concerned over the scope check, since we do have examples of when there is more than one (target) scope check, e.g.: an API that might operate on an object that may be global, domain or project specific - in which case you need to “match

[openstack-dev] [keystone][cross-project] Standardized role names and policy

2016-01-30 Thread Adam Young
I'd like to bring people's attention to a Cross Project spec that has the potential to really strengthen the security story for OpenStack in a scalable way.

"A common policy scenario across all projects"
https://review.openstack.org/#/c/245629/

The summary version is:

Role name or pattern