oslo.policy

Propagate enforcement to parent level rule

Registered by Alex Xu on 2015-05-04

In some of nova api plugin, there is policy rule for each api, for example:

    "os_compute_api:os-aggregates:index": "rule:admin_api",
    "os_compute_api:os-aggregates:create": "rule:admin_api",
    "os_compute_api:os-aggregates:show": "rule:admin_api",
    "os_compute_api:os-aggregates:update": "rule:admin_api",
    "os_compute_api:os-aggregates:delete": "rule:admin_api",
    "os_compute_api:os-aggregates:add_host": "rule:admin_api",
    "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
    "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",

This provide good granularity for operator to configure each API. But when all the API have some permission, that looks like boring for operator.

If we propagate enforcement to parent level rule, then operator only configure one rule for all the APIs in the plugin, for aggregate case:

"os_compute_api:os-aggregates": "rule:admin_api"

If operator want to assign different permission for one of APIs, the rule can wrote as below:

"os_compute_api:os-aggregates": "rule:admin_api"
"os_compute_api:os-aggregates:show": "",

"os_compute_api:os-aggregates:show" will overwrite the parent level "os_compute_api:os-aggregates"

Blueprint information

Status:: Not started

Approver:: None

Priority:: Undefined

Drafter:: Alex Xu

Direction:: Needs approval

Assignee:: Alex Xu

Definition:: New

Series goal:: None

Implementation:: Unknown

Milestone target:: None

Related branches

Related bugs

Sprints

Whiteboard

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

No subscribers.