OpenStack Heat

Improve request scoping based on policy/context

Registered by Steven Hardy

Currently there are several issues related to request scoping and policy in Heat:
- The ReST API can't be controlled via policy.json
- The default request scope (DB filter) is always per tenant, but in theory we support the owner_is_tenant option, where if set to False the scope should be per-user not per tenant
- We don't respect policy based admin-ness, is_admin in the context is always ignored, so there's no way to potentially provide project admins access to management-api functionality (on a per-project basis)

We should overhaul our handling of policy so it's more consistent and comprehensive, then deployers will have much more control when specifying site-specific RBAC policies.

Blueprint information

Status:
Complete
Approver:
Steve Baker
Priority:
High
Drafter:
Steven Hardy
Direction:
Approved
Assignee:
Steven Hardy
Definition:
Approved
Series goal:
Accepted for icehouse
Implementation:
Implemented
Milestone target:
milestone icon 2014.1
Started by
Steve Baker
Completed by
Steven Hardy

Related branches

Sprints

Whiteboard

(shardy): Actually owner_is_tenant seems to be a left-over glance-ism, so we can probably just remove it.

Gerrit topic: https://review.openstack.org/#q,topic:bp/request-scoping-policy,n,z

Addressed by: https://review.openstack.org/58005
    Clean up "target" interface to policy

Addressed by: https://review.openstack.org/58006
    test_common_policy cleanups

Addressed by: https://review.openstack.org/58007
    Add check_is_admin to common.policy.Enforcer

Gerrit topic: https://review.openstack.org/#q,topic:bp/request-scoping-policy_2,n,z

Addressed by: https://review.openstack.org/58865
    Create policy Enforcer object in context

Addressed by: https://review.openstack.org/59208
    Remove owner_is_tenant from RequestContext

Addressed by: https://review.openstack.org/59209
    Fix show_deleted errors in RequestContext

Addressed by: https://review.openstack.org/59210
    Make db API respect context show_deleted

Addressed by: https://review.openstack.org/58866
    Derive context is_admin from policy

Addressed by: https://review.openstack.org/58867
    Remove misleading docstrings in ContextMiddleware

Addressed by: https://review.openstack.org/63185
    Add policy enforcement to ReST API

(shardy): I'm going to declare this complete, as we've added the main part was the addition of policy enforcement, and the scoping aspects while partially completed have now been superseded by the management-api efforts around unscoped list stacks.

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

Nearby

This blueprint contains Public information 
Everyone can see this information.