Policy is supposed to allow access control to work across multiple
services and endpoints. However, each service has specified policy
Here are some of the basic working assumptions for policy enforcement we
can use to work towards consistent enforcement.
1) A policy rule should specify:
Where do I find the scope in this request?
What role does the token need to contain in order to access this
Roles are not global. Roles are always scoped to something. Just
because someone has "admin" on one project or domain does not mean they
should have it everywhere. However, we have found a need to have a
global override. This is a way a cloud admin that can go into any API
anywhere and fix things.Even if we keep the mechanism, I assume it will
take a few iterations to phase out having this specified on each rule.
2) Policy rules should be namespaced by API type.
for example, All of the Keystone policy rule targets start with:
|"identity:ec2getcredential": "rule:adminrequired or (rule:owner and
This means that Glance, Neutron, Nova, and Keystone should be able to
share a policy file.
OpenStack Development Mailing List (not for usage questions)