Enable advanced policy rule
For now, the restriction on Ceilometer entity [1] operations is weak and, more importantly, it does not support operator usage.
* for most operations, the only restriction is that a non-admin user cannot operate on an entity owned by another tenant
* the restriction is defined in each operation, so operators must read the source code or documentation to know each operation's policy, and furthermore they cannot modify the policy.json file to change the default behavior
* it is not good to maintain a specific policy in each operation, since they are implemented separately
So, my suggestion is to learn from the example of other core projects, like nova, keystone and neutron. We can specify rules in policy.json and, for each operation, call an enforce method; the rule is then checked and the operation learns nothing but the result, and decides whether to continue or raise. Operators can read policy.json to know what is defined and can even modify it to meet their needs.
For now, a non-admin user can delete an alarm created by another user in the same tenant, which seems not so good; after this bp is implemented, we can change the default behavior very easily if we want.
[1] resource is a meaningful term in Ceilometer, so I use the term entity
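The following is an added example, not code from Ceilometer or from oslo.policy, showing the pattern the blueprint proposes: rules live in a policy.json-style document, every operation calls one enforce method, and the operation sees only the verdict. The policy text, the Context class, enforce(), delete_alarm() and the "telemetry:*" action names are assumptions made for this illustration; the rule evaluator is a small one written here, not the real library's. It also shows the alarm-deletion case from the description: the shipped default lets only the creator or an admin delete an alarm, and an operator can relax that by editing the policy rather than the code.

```python
"""Policy-driven access control for Ceilometer-style entity operations.

Added example (not Ceilometer or oslo.policy code). POLICY_JSON, Context,
enforce(), delete_alarm() and the "telemetry:*" action names are assumptions.
"""
import json

# Constructed stand-in for a policy.json file. Operators edit these strings;
# no operation hard-codes who may call it.
POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "telemetry:get_meters": "rule:admin_or_owner",
    "telemetry:delete_alarm": "rule:context_is_admin or user_id:%(user_id)s"
}
"""
POLICY = json.loads(POLICY_JSON)


class PolicyNotAuthorized(Exception):
    """Raised by enforce() when the rule for an action is not satisfied."""


class Context:
    """Caller identity as the API layer would build it from the request."""

    def __init__(self, user_id, project_id, roles=()):
        self.user_id = user_id
        self.project_id = project_id
        self.roles = set(roles)


def _check_atom(atom, ctx, target, policy):
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Reference to another named rule in the same policy document.
        return _check_rule(policy[value], ctx, target, policy)
    if kind == "role":
        return value in ctx.roles
    # Attribute match: "project_id:%(project_id)s" compares the caller's
    # project_id with the project_id of the target entity (a dict).
    return str(getattr(ctx, kind, None)) == value % target


def _check_rule(rule, ctx, target, policy):
    # Rule grammar: a disjunction of conjunctions, e.g. "a and b or c".
    # An empty rule allows everyone.
    if not rule.strip():
        return True
    return any(
        all(_check_atom(a.strip(), ctx, target, policy) for a in conj.split(" and "))
        for conj in rule.split(" or ")
    )


def is_allowed(action, ctx, target, policy=None):
    """Evaluate the rule for action; unknown actions fall back to "default"."""
    policy = POLICY if policy is None else policy
    rule = policy.get(action, policy["default"])
    return _check_rule(rule, ctx, target, policy)


def enforce(action, ctx, target, policy=None):
    """The single check every operation calls: returns True or raises."""
    if not is_allowed(action, ctx, target, policy):
        raise PolicyNotAuthorized("%s denied for user %s" % (action, ctx.user_id))
    return True


def delete_alarm(ctx, alarm, policy=None):
    """Sample operation: it knows only the verdict, never the rule itself."""
    enforce("telemetry:delete_alarm", ctx, alarm, policy)
    return "deleted %s" % alarm["alarm_id"]


if __name__ == "__main__":
    # Constructed alarm owned by alice in project p1; bob is in the same tenant.
    alarm = {"alarm_id": "a1", "user_id": "alice", "project_id": "p1"}
    bob = Context("bob", "p1")
    print(is_allowed("telemetry:get_meters", bob, alarm))    # same tenant: allowed
    print(is_allowed("telemetry:delete_alarm", bob, alarm))  # not the creator: denied
```

Loosening the deletion rule back to the current behavior is then a one-line change in the policy document ("telemetry:delete_alarm": "rule:admin_or_owner"), with no change to delete_alarm() itself.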
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: gordon chung
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Block non-admin user to get meters
DROPPED IN FAVOUR OF: https:/