Propagate enforcement to parent level rule

Registered by Alex Xu on 2015-05-04

In some Nova API plugins there is a policy rule for each API, for example:

    "os_compute_api:os-aggregates:index": "rule:admin_api",
    "os_compute_api:os-aggregates:create": "rule:admin_api",
    "os_compute_api:os-aggregates:show": "rule:admin_api",
    "os_compute_api:os-aggregates:update": "rule:admin_api",
    "os_compute_api:os-aggregates:delete": "rule:admin_api",
    "os_compute_api:os-aggregates:add_host": "rule:admin_api",
    "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
    "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",

This provides good granularity for operators to configure each API. But when all the APIs have the same permission, configuring every rule separately is tedious for the operator.

If we propagate enforcement to the parent-level rule, the operator only needs to configure one rule for all the APIs in the plugin. For the aggregates case:

    "os_compute_api:os-aggregates": "rule:admin_api"

If the operator wants to assign a different permission to one of the APIs, the rules can be written as below:

    "os_compute_api:os-aggregates": "rule:admin_api",
    "os_compute_api:os-aggregates:show": ""

"os_compute_api:os-aggregates:show" will override the parent-level rule "os_compute_api:os-aggregates".
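The lookup proposed above, as an added sketch (not code from nova or oslo.policy): the most specific rule wins, otherwise the action falls back to its parent key. The helper names resolve_rule and audit, and the sample policy, are assumptions constructed for this example.

```python
import json

# Constructed policy fragment in the form the blueprint proposes.
POLICY = json.loads("""
{
    "admin_api": "is_admin:True",
    "os_compute_api:os-aggregates": "rule:admin_api",
    "os_compute_api:os-aggregates:show": ""
}
""")

# Action names taken from the blueprint's aggregates list.
ACTIONS = ["os_compute_api:os-aggregates:" + a
           for a in ("index", "create", "show", "delete")]


def resolve_rule(policy, action):
    """Return (matched_key, rule): the most specific key wins, otherwise
    drop one ':'-separated segment at a time. (None, None) means no rule
    matched and the caller should deny."""
    key = action
    while key:
        if key in policy:
            return key, policy[key]
        key = key.rpartition(":")[0]
    return None, None


def audit(policy, actions):
    """Map each action to its effective rule and where it came from."""
    report = {}
    for action in actions:
        key, rule = resolve_rule(policy, action)
        report[action] = {
            "rule": rule,
            "source": key,
            "inherited": key is not None and key != action,
            # In oslo.policy an empty rule string always passes.
            "open_to_all": rule == "",
        }
    return report


if __name__ == "__main__":
    for action, info in audit(POLICY, ACTIONS).items():
        print(action, info)
```

Running the audit over every action a plugin exposes shows which ones inherit a parent rule and which are opened to all callers by an empty override.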

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Alex Xu
Direction: Needs approval
Assignee: Alex Xu
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None
