Improve request scoping based on policy/context
Currently there are several issues related to request scoping and policy in Heat:
- The ReST API can't be controlled via policy.json
- The default request scope (DB filter) is always per tenant, but in theory we support the owner_is_tenant option; if it is set to False, the scope should be per user, not per tenant
- We don't respect policy-based admin-ness: is_admin in the context is always ignored, so there's no way to potentially provide project admins access to management-api functionality (on a per-project basis)
We should overhaul our handling of policy so it's more consistent and comprehensive; deployers will then have much more control when specifying site-specific RBAC policies.
Blueprint information
- Status: Complete
- Approver: Steve Baker
- Priority: High
- Drafter: Steven Hardy
- Direction: Approved
- Assignee: Steven Hardy
- Definition: Approved
- Series goal: Accepted for icehouse
- Implementation: Implemented
- Milestone target: 2014.1
- Started by: Steve Baker
- Completed by: Steven Hardy
Whiteboard
(shardy): Actually owner_is_tenant seems to be a left-over glance-ism, so we can probably just remove it.
Gerrit topic: https:/
Addressed by: https:/
Clean up "target" interface to policy
Addressed by: https:/
test_
Addressed by: https:/
Add check_is_admin to common.
Gerrit topic: https:/
Addressed by: https:/
Create policy Enforcer object in context
Addressed by: https:/
Remove owner_is_tenant from RequestContext
Addressed by: https:/
Fix show_deleted errors in RequestContext
Addressed by: https:/
Make db API respect context show_deleted
Addressed by: https:/
Derive context is_admin from policy
Addressed by: https:/
Remove misleading docstrings in ContextMiddleware
Addressed by: https:/
Add policy enforcement to ReST API
(shardy): I'm going to declare this complete, as the main part was the addition of policy enforcement, and the scoping aspects, while partially completed, have now been superseded by the management-api efforts around unscoped list stacks.