External PDP Integration for Keystone

Registered by WuKong

Keystone (together with oslo.policy) provides a native authorization policy engine for OpenStack. Existing discussions [1] show several shortcomings of this solution. Because OpenStack may be deployed by different users with different requirements, a generic yet flexible approach is needed through which users can define, apply and manage their own authorization policy.
An external PDP (Policy Decision Point) disables the native oslo.policy engine and delegates authorization to an external authorization policy engine. Existing work [2, 3] shows the feasibility of this approach with the Fortress and Moon policy engines. This blueprint proposes a generic hook that redirects authorization requests to an external PDP instead of the native one. Each policy engine stores and manages the information related to its policy, and grants or denies requests based on that information and its rules.

[1] https://etherpad.openstack.org/p/keystone-policy-meeting
[2] https://review.openstack.org/#/c/237521/
[3] https://git.opnfv.org/cgit/moon/tree/keystone-moon

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: WuKong
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Lance Bragstad

Related branches

Sprints

Whiteboard

(lbragstad) 19-02-12: Marking this as obsolete since this appears to be addressed by http/https check rules [0].

[0] https://docs.openstack.org/oslo.policy/latest/user/plugins.html
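
A minimal external PDP that answers such an HTTP check rule, as an added example (not code from this blueprint, Keystone or oslo.policy). It assumes the check's default form-encoded POST with JSON-encoded `rule`, `target` and `credentials` fields and a response body of `True` for a grant; the ownership rule, port, policy entry and `sample_request` helper are hypothetical.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

# Constructed policy entry on the OpenStack side that would call this service:
#   "identity:get_project": "http://127.0.0.1:8008/authorize"

def decide(form_body: str) -> str:
    """Return "True" only when the request is well formed and permitted."""
    try:
        fields = parse_qs(form_body, strict_parsing=True)
        target = json.loads(fields["target"][0])
        creds = json.loads(fields["credentials"][0])
        json.loads(fields["rule"][0])  # must be present and valid JSON
        if not isinstance(target, dict) or not isinstance(creds, dict):
            return "False"
    except (KeyError, ValueError):
        return "False"  # fail closed on malformed or incomplete input
    roles = creds.get("roles")
    if isinstance(roles, list) and "admin" in roles:
        return "True"
    project = creds.get("project_id")
    # Hypothetical toy rule: a caller may act only inside its own project.
    allowed = project is not None and project == target.get("project_id")
    return "True" if allowed else "False"

def sample_request(creds: dict, target: dict, rule: str = "identity:get_project") -> str:
    """Constructed sample of the form-encoded body the HTTP check posts."""
    return urlencode({"rule": json.dumps(rule), "target": json.dumps(target),
                      "credentials": json.dumps(creds)})

class PDPHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = min(int(self.headers.get("Content-Length", 0)), 65536)
        except ValueError:
            length = 0  # unreadable length: empty body, which is denied
        body = self.rfile.read(length).decode("utf-8", "replace")
        answer = decide(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(answer)))
        self.end_headers()
        self.wfile.write(answer)

if __name__ == "__main__":
    # Loopback only; a real deployment needs TLS and caller authentication.
    HTTPServer(("127.0.0.1", 8008), PDPHandler).serve_forever()
```

Every parsing failure maps to `False`, so a truncated or tampered request can never be read as a grant by the caller.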


Work Items
