Use RBAC to define admin-ness

Bug #1152716 reported by Brian Waldon on 2013-03-08
Affects: Glance
Importance: Critical
Assigned to: Eoghan Glynn

Bug Description

Glance depends on a single configured role to define who is an Admin in the system. We should push the definition of Admin-ness out of configuration and into the policy.json file like Nova:

https://github.com/openstack/nova/blob/master/nova/policy.py#L105
https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L2

Mark Washenberger (markwash) wrote :

I presume we continue to support the old configuration option as well.

Eoghan Glynn (eglynn) on 2013-04-26
Changed in glance:
assignee: nobody → Eoghan Glynn (eglynn)

Fix proposed to branch: master
Review: https://review.openstack.org/28048

Changed in glance:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/28048
Committed: http://github.com/openstack/glance/commit/cc938e25f3babd8aa1299ae75cc5fa2cf24a00a0
Submitter: Jenkins
Branch: master

commit cc938e25f3babd8aa1299ae75cc5fa2cf24a00a0
Author: Eoghan Glynn <email address hidden>
Date: Wed May 1 15:41:53 2013 +0000

    Use RBAC policy to determine if context is admin.

    Fixes bug 1152716

    If the context roles do not match the configured admin_role,
    fall back to determining if admin via the "context_is_admin"
    RBAC policy rule (for consistency with the approach used by
    the other projects).

    Note this requires that the "context_is_admin" rule *must*
    be set in the policy.json if the out-of-the-box default rule
    is used (as this default is so open, the net effect of omitting
    the "context_is_admin" rule is for every request to acquire
    admin status).

    Change-Id: Ide2cf604b48f24bd759ce2d65091ff546cd9d22e
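
The fallback order and the caveat in the commit message above, as an added example (not the Glance code from the commit): a simplified rule evaluator plus a check for a policy file that would hand admin status to every request. The rule syntax handled here (an empty rule matches everything, `role:<name>` terms joined by `or`), the `cloud_ops` role, the function names and both sample policies are assumptions constructed for illustration.

```python
import json

def rule_allows(rule, roles):
    """Simplified rule check: None denies, "" allows all, else 'role:x or role:y'."""
    if rule is None:
        return False
    if rule.strip() == "":
        return True  # an empty rule matches every request
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value.lower() in roles:
            return True
    return False

def is_admin(roles, policy, admin_role="admin"):
    """Configured admin_role first, then the context_is_admin policy rule."""
    roles = {r.lower() for r in roles}
    if admin_role.lower() in roles:
        return True  # legacy configuration option still honoured
    # A missing context_is_admin rule is evaluated with the default rule.
    rule = policy.get("context_is_admin", policy.get("default"))
    return rule_allows(rule, roles)

def audit(policy_text):
    """Return findings for a policy.json that makes unprivileged requests admin."""
    policy = json.loads(policy_text)
    if "context_is_admin" not in policy:
        if rule_allows(policy.get("default"), set()):
            return ["context_is_admin missing and default is open: every request is admin"]
        return []
    if rule_allows(policy["context_is_admin"], set()):
        return ["context_is_admin matches a request that carries no roles"]
    return []

# Constructed sample policies (assumed contents, not copied from any release).
OPEN_POLICY = '{"default": ""}'
FIXED_POLICY = '{"default": "", "context_is_admin": "role:admin or role:cloud_ops"}'

if __name__ == "__main__":
    for name, text in (("open", OPEN_POLICY), ("fixed", FIXED_POLICY)):
        policy = json.loads(text)
        print(name, "member is admin:", is_admin(["member"], policy), audit(text))
```
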

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-05-29
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in glance:
milestone: havana-1 → 2013.2