Merge "Documentation for using policies for protected properties"

Jenkins 2013-11-26 16:53:02 +00:00 committed by Gerrit Code Review
commit c8dcacc454
2 changed files with 26 additions and 4 deletions

@ -1171,6 +1171,13 @@ service will not start.**
Optional. Default: not enabled.
If property_protection_file is set, the file may use either roles or policies
to specify property protections.
* ``property_protection_rule_format=<roles|policies>``
Optional. Default: ``roles``.
Configuring Glance APIs
-----------------------
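Review bot: the new ``property_protection_rule_format=<roles|policies>`` entry does not say what happens when the value is anything other than ``roles`` or ``policies``. The surrounding text spells out its failure modes ("service will not start"), so add a sentence stating whether an unrecognised value falls back to the default ``roles`` or prevents startup. A one-line explanation of what ``policies`` refers to would also help, since this section never defines it.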

@ -42,15 +42,20 @@ expression matching a set of properties to be protected.
.. note::
Section headers must compile to a valid regular expression, otherwise a **500
Internal Server Error** will be thrown on server startup. Regular expressions
Section headers must compile to a valid regular expression, otherwise
glance api service will not start. Regular expressions
will be handled by python's re module which is PERL like.
Each section describes four key-value pairs, where the key is one of
``create/read/update/delete``, and the value is a comma separated list of user
roles that are permitted to perform that operation in the Glance API. If any of
roles that are permitted to perform that operation in the Glance API. **If any of
the keys are not specified, then the glance api service will not start
successfully.
successfully.**
.. note::
Only one policy rule is allowed per property operation. **If multiple are
specified, then the glance api service will not start.**
The path to the file should be specified in the ``[DEFAULT]`` section of
``glance-api.conf`` as follows.
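Review bot: the paragraph just above the new note still describes each value only as "a comma separated list of user roles", so the note "Only one policy rule is allowed per property operation" arrives before the reader has been told that policies are an alternative to roles. Either extend that paragraph to say that in policies mode the value is a single policy rule, or move the note below the description of ``property_protection_rule_format``. Minor style point: "glance api service" in the reworded first note could be written "the Glance API service" to match "the Glance API" a few lines later.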
@ -62,6 +67,16 @@ The path to the file should be specified in the ``[DEFAULT]`` section of
If this config value is not specified, property protections are not enforced.
**If the path is invalid, glance api service will not start successfully.**
The file may use either roles or policies to describe the property protections.
The config value should be specified in the ``[DEFAULT]`` section of
``glance-api.conf`` as follows.
::
property_protection_rule_format=<roles|policies>
The default value for ``property_protection_rule_format`` is ``roles``.
Property protections are applied in the order specified in the configuration
file. This means that if for example you specify a section with ``[.*]`` at
the top of the file, all proceeding sections will be ignored.
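Review bot: in the added paragraph, "The config value should be specified in the ``[DEFAULT]`` section" does not name the option, and because it directly follows the text about the protection file path it reads as if it refers to that path. Name ``property_protection_rule_format`` in that sentence, and consider adding a short sample section written in the policies format, since none of the visible lines show one. In the trailing context, "all proceeding sections will be ignored" presumably means the sections that follow; worth correcting while this file is being touched.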