Bug 1063581 - [RFE][keystone]: Allow prefixes other than 'identity:' for policy.json
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: RFEs
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: RHOS Maint
QA Contact:
Whiteboard: upstream_milestone_none upstream_stat...
Depends On:
Reported: 2014-02-11 05:03 UTC by RHOS Integration
Modified: 2015-03-19 16:59 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2015-03-19 16:59:23 UTC
Target Upstream Version:


Description RHOS Integration 2014-02-11 05:03:54 UTC
Cloned from launchpad blueprint


The way keystone's enforcement works, all policy elements in the policy.json file must be prefixed with 'identity:'. In theory, this should be expanded to allow each extension to be used as the identifier (e.g. os-ec2, meaning the enforcement rule could be os-ec2:<method>). Likely this should be specified in a similar syntax to this (in controller.protected decorator):


The default should remain "identity".  For transition perhaps allow an alternate (e.g. if there was a desire to support 'identity' and 'assignment' for example), where enforcement that occurs on the "old" rule indicates via logging this will need to be changed in a future release.

Specification URL (additional information):
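
An added example, not keystone's code and not part of this report, of the lookup the description asks for: a per-extension prefix that defaults to `identity`, plus transitional prefixes whose use is logged. The function names, the sample policy, the simplified rule grammar (`role:`, `rule:`, empty string) and the choice to deny when no rule matches are assumptions of this example.

```python
import logging

LOG = logging.getLogger("policy_prefix_example")

# Hypothetical names throughout; these are not keystone or oslo.policy APIs.
# Constructed sample policy.json content (not keystone's shipped policy file).
POLICY = {
    "admin_required": "role:admin",
    "identity:get_user": "rule:admin_required",
    "identity:list_grants": "rule:admin_required",   # not yet migrated
    "os-ec2:create_credential": "role:member",
}


def resolve_rule(policy, action, prefix="identity", deprecated_prefixes=()):
    """Return (rule_name, used_deprecated) for action, or (None, False)."""
    name = f"{prefix}:{action}"
    if name in policy:
        return name, False
    for old in deprecated_prefixes:
        old_name = f"{old}:{action}"
        if old_name in policy:
            LOG.warning("policy rule %r matched via deprecated prefix; "
                        "rename it to %r before a future release",
                        old_name, name)
            return old_name, True
    return None, False


def check(policy, expr, roles, _depth=0):
    """Evaluate a simplified rule: '', 'role:<r>' or 'rule:<alias>'."""
    if _depth > 8:            # guard against alias cycles
        return False
    if expr == "":
        return True
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule" and value in policy:
        return check(policy, policy[value], roles, _depth + 1)
    return False              # unknown syntax or alias: deny


def enforce(policy, action, roles, prefix="identity", deprecated_prefixes=()):
    name, _ = resolve_rule(policy, action, prefix, deprecated_prefixes)
    if name is None:
        return False          # no rule under any accepted prefix: fail closed
    return check(policy, policy[name], roles)
```

With a prefix of `assignment` and `identity` listed as deprecated, the unmigrated `identity:list_grants` rule is still enforced and a warning is logged; without the deprecated entry the same call is denied.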

