Thursday, 2016-12-15

<ekcs> masahito: I didn’t totally understand the question. [01:02]
<ekcs> masahito: you mean can a non-global admin write rules? [01:03]
<ekcs> masahito: or are there different levels of rules for global vs non-global admins? [01:03]
<masahito> ekcs: I mean the rule written by a user could affect all tenants. [01:03]
<masahito> for example: [01:04]
<masahito> when user1 in tenant1 writes a rule like rule1(x):- nova:servers(id=x), rule1 gets all servers in Nova [01:05]
<masahito> meaning rule1 also shows servers in tenant2, tenant3 and so on. [01:06]
<ekcs> masahito: right. afaik there is only one global context for all rules. [01:06]
<ekcs> so supporting tenants writing their own separate policies would require a lot of thought and design and changes. [01:06]
<ekcs> on how things interact and all. [01:06]
<ekcs> one possible solution is that each tenant/project has their own restricted view (helper table) into each base table. [01:08]
<ekcs> lots of practical and technical complexities to think through for sure. [01:08]
<masahito> the possible solution makes sense. [01:09]
<ekcs> there is some prior work to draw on in the database literature though. [01:10]
<masahito> and I thought we just write project's dashboard without any validation. so I just commented. [01:10]
<ekcs> but anyway I guess the answer is that right now congress doesn’t have any particular support for multi-tenant policies. [01:10]
<masahito> thanks for clarifying. [01:12]
<ekcs> = ) [01:15]
<ekcs> lot of good further discussion to be had on this topic! [01:15]
