Enforce RBAC From Service Policy Engines

Registered by Alexej Ababilov

Horizon should not be defining permissions itself; instead those decisions should be enforced by the policy engines of the individual services (the current plan is to have those roll up through Keystone). Once Keystone supports retrieving this data in the V3 API, Horizon should move to this model ASAP.

Step 1 is to simply respect and enforce the RBAC policy; step two will be to allow management of it.
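As an added illustration of step 1 (not Horizon's or oslo.policy's code), a minimal evaluator for a copy of a service's policy.json, keyed by service type since the Keystone policy API returns no service type; the sample policy, the `check`/`evaluate` names and the supported grammar subset are assumptions:

```python
"""Added illustration (not Horizon's or oslo.policy's code): a minimal policy.json
evaluator of the kind Horizon needs to gate UI actions from a copy of a service's
policy file. Supports rule:, role:, key:%(target)s, "" allow, "!" deny, and/or."""
import json

# Constructed sample, keyed by service type (the Keystone policy API carries none).
POLICIES = {"identity": json.loads("""{
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:list_users": "rule:admin_required",
    "identity:get_user": "rule:admin_or_owner",
    "identity:list_projects": "",
    "identity:create_endpoint": "!"
}""")}


def _check_atom(atom, policy, creds, target, depth):
    """Evaluate a single term such as 'role:admin' or 'rule:owner'."""
    if atom == "":
        return True   # empty rule: anyone may perform the action
    if atom == "!":
        return False  # explicit deny
    kind, _, value = atom.partition(":")
    if kind == "rule":
        if depth >= 10 or value not in policy:
            return False  # unknown or self-referencing rule: fail closed
        return evaluate(policy[value], policy, creds, target, depth + 1)
    if kind == "role":
        return value in creds.get("roles", [])
    try:  # generic attribute match, e.g. user_id:%(user_id)s against the target
        return str(creds.get(kind)) == value % target
    except KeyError:
        return False  # target lacks the attribute the rule needs


def evaluate(expr, policy, creds, target, depth=0):
    """'a and b or c' is read as (a and b) or c, as in oslo.policy."""
    return any(all(_check_atom(a, policy, creds, target, depth)
                   for a in disj.split(" and "))
               for disj in expr.split(" or "))


def check(service, action, creds, target=None):
    """True if creds may perform action; unknown actions are denied (hidden)."""
    policy = POLICIES.get(service, {})
    if action not in policy:
        return False
    return evaluate(policy[action], policy, creds, target or {})
```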

Blueprint information

Devin Carlen
Gabriel Hurley
David Lyle
Series goal:
Accepted for havana
Milestone target:
2013.2
Started by
David Lyle
Completed by
David Lyle


[jpichon] What is blocking this again? Is there a link to another blueprint?

[lcheng] Policy API in Keystone V3 is already implemented; however, the OpenStack services have not defined the policies/rules that the Policy Engine needs to consume. I think only Keystone has updated their policy file.

[dklyle] All services use a policy file, but none actually upload it to keystone by default, including keystone. As that is the case, the scope for this is going to be adding the policy engine into Horizon and using it to interpret policy from a copy of the Keystone policy.json.

After that, work to allow pulling down policy files from keystone, editing them and uploading the patch will be added.

[dklyle] Additional info: reading the policy files from keystone is a read-only operation which, unless changed, will block non-admin users from being able to use the policy blobs loaded into keystone.

Additionally, the API as specified only returns an ID, blob and MIME-type. We will need a service type as well.

Gerrit topic: https://review.openstack.org/#q,topic:bp/rbac,n,z

Addressed by: https://review.openstack.org/42725
    Adding RBAC policy system and checks for identity
