So, the policy controls allow setting it so only admins can do these kinds of operations, but in *briefly* looking at the code, I think there is a mistake in the fact that the policy enforcer rules are also not taking into account ownership and protected status.
I think we might need to do something slightly different than Glance's handling of the protected field for images. I think ultimately we'd want to get to a model where non-admins can add / remove tags and properties to namespaces that are both public and not protected, as long as the policy allows it. But an admin of the project owning a namespace should always be able to modify a namespace's properties and tags.
So maybe, all the objects, properties, and tags rules have something like (not tested, so kind of pseudo):
"admin_required": "role:admin or is_admin:1",
"owner": "project_id:%(owner)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"public": "%(visibility)s:public",
"owner": "project_id:%(project_id)s",
"not_protected": "%(protected)s:False",
"admin_and_owner_and_not_protected": "rule:admin_required and rule:owner and rule:not_protected",
"owner_or_public_and_not_protected": "(rule:owner or rule:public) and rule:not_protected",
"owner_or_public":"rule:owner or rule:public",

"get_metadef_namespace":"rule:owner_or_public",
"get_metadef_namespaces":"",
"modify_metadef_namespace":"rule:admin_and_owner_and_not_protected",
"add_metadef_namespace":"rule:admin_required",
"delete_metadef_namespace": "rule:admin_and_owner_and_not_protected",

"get_metadef_object": "rule:owner_or_public",
"get_metadef_objects": "rule:owner_or_public",
"modify_metadef_object": "rule:owner_or_public_and_not_protected",
"add_metadef_object":"rule:owner_or_public_and_not_protected",

"list_metadef_resource_types": "",
"get_metadef_resource_type":"",
"add_metadef_resource_type_association":"rule:admin_owner_not_protected",

"get_metadef_property":"rule:owner_or_public",
"get_metadef_properties":"rule:owner_or_public",
"modify_metadef_property":"rule:owner_or_public_and_not_protected",
"add_metadef_property":"rule:owner_or_public_and_not_protected",

"get_metadef_tag":"rule:owner_or_public",
"get_metadef_tags":"rule:owner_or_public",
"modify_metadef_tag":"rule:owner_or_public_and_not_protected",
"add_metadef_tag":"rule:owner_or_public_and_not_protected",
"add_metadef_tags":"rule:owner_or_public_and_not_protected"

So, I think it would make sense for the default for creating and changing namespaces to be restricted to admins. However, I'm hesitant to lock down the ability to add properties and particularly tags. I'd rather see that if a namespace is protected, properties and tags cannot be added to it. However, if it is not protected, then it could be modified.
Sending this now for more discussion.
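
The decision matrix implied by the pseudo rules above, as an added example that is not part of the original comment or Glance's code. It models the rules as plain Python predicates instead of running them through the policy engine; the caller names, project ids (`proj-a`, `proj-b`) and the `member` role are constructed for illustration.

```python
from itertools import product

# Hand-written model of the proposed rules as predicates over (creds, target).
RULES = {
    "admin_required": lambda c, t: "admin" in c["roles"] or c.get("is_admin", False),
    "owner": lambda c, t: c["project_id"] == t["owner"],
    "public": lambda c, t: t["visibility"] == "public",
    "not_protected": lambda c, t: not t["protected"],
}
RULES["owner_or_public"] = lambda c, t: RULES["owner"](c, t) or RULES["public"](c, t)
RULES["owner_or_public_and_not_protected"] = lambda c, t: (
    RULES["owner_or_public"](c, t) and RULES["not_protected"](c, t))
RULES["admin_and_owner_and_not_protected"] = lambda c, t: (
    RULES["admin_required"](c, t) and RULES["owner"](c, t)
    and RULES["not_protected"](c, t))

# A subset of the action-to-rule mapping from the comment.
ACTIONS = {
    "get_metadef_namespace": "owner_or_public",
    "modify_metadef_namespace": "admin_and_owner_and_not_protected",
    "add_metadef_tag": "owner_or_public_and_not_protected",
}

# Constructed callers; the namespace under test is always owned by proj-a.
CALLERS = {
    "owner_admin": {"roles": ["admin"], "project_id": "proj-a"},
    "owner_member": {"roles": ["member"], "project_id": "proj-a"},
    "other_member": {"roles": ["member"], "project_id": "proj-b"},
}

def allowed(action, creds, target):
    return RULES[ACTIONS[action]](creds, target)

def decision_matrix(action):
    """Return {(caller, visibility, protected): bool} for every combination."""
    out = {}
    for (name, creds), vis, prot in product(
            CALLERS.items(), ("public", "private"), (False, True)):
        target = {"owner": "proj-a", "visibility": vis, "protected": prot}
        out[(name, vis, prot)] = allowed(action, creds, target)
    return out

if __name__ == "__main__":
    for action in ACTIONS:
        print(action)
        for key, ok in decision_matrix(action).items():
            print("   ", key, "ALLOW" if ok else "DENY")
```
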