External PDP Integration for Keystone
Keystone (together with Oslo_policy) provides a native authorization policy engine for OpenStack. Existing discussions [1] show several shortcomings of this solution. Because OpenStack may be deployed by different users with different requirements, a generic yet flexible approach is needed through which users can define, apply and manage their own authorization policy.
An external PDP (Policy Decision Point) disables the native Oslo_policy and delegates authorization to an external authorization policy engine. Existing work [2, 3] shows the feasibility of this approach with the Fortress and Moon policy engines. This blueprint proposes a generic hook that redirects authorization requests to an external PDP instead of the native one. Each policy engine stores and manages the information related to its policy, and grants or denies requests based on this information and its rules.
[1] https:/
[2] https:/
[3] https:/
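A minimal sketch of the decision side of such a hook, added here as an illustration and not code from Keystone, Fortress or Moon. The request shape (form fields `rule`, `target` and `credentials`, each JSON-encoded, answered with the text `True` or `False`) is modelled on oslo.policy's http check and is an assumption, as are the policy table and the names `POLICY`, `decide` and `build_request`.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample policy held by the external PDP: rule name -> roles allowed.
POLICY = {
    "identity:list_users": {"admin", "auditor"},
    "identity:delete_user": {"admin"},
}


def decide(body: str) -> str:
    """Return "True" to grant or "False" to deny a delegated request.

    Assumed wire format: form-encoded fields `rule`, `target`, `credentials`,
    each holding a JSON document. Malformed or unknown input is denied.
    """
    try:
        form = parse_qs(body, strict_parsing=True)
        rule = json.loads(form["rule"][0])
        target = json.loads(form["target"][0])
        creds = json.loads(form["credentials"][0])
        allowed = POLICY[rule]          # unknown rule -> KeyError -> deny
        roles = set(creds["roles"])
        # Scope check: a caller may only act on targets in its own project.
        if target.get("project_id") not in (None, creds.get("project_id")):
            return "False"
    except (KeyError, ValueError, TypeError, AttributeError):
        return "False"                  # fail closed on any parsing problem
    return "True" if roles & allowed else "False"


def build_request(rule: str, target: dict, creds: dict) -> str:
    """Build a constructed sample request body in the assumed wire format."""
    return urlencode({
        "rule": json.dumps(rule),
        "target": json.dumps(target),
        "credentials": json.dumps(creds),
    })


if __name__ == "__main__":
    caller = {"roles": ["auditor"], "project_id": "p1"}  # constructed sample
    print(decide(build_request("identity:list_users", {"project_id": "p1"}, caller)))
    print(decide(build_request("identity:delete_user", {"project_id": "p1"}, caller)))
```

The enforcement point should treat a timeout, a connection error or any reply other than the exact grant value as a deny, so that an unreachable PDP never results in access being granted.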
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: WuKong
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Lance Bragstad
Whiteboard
(lbragstad) 19-02-12: Marking this as obsolete since this appears to be addressed by http/https check rules [0].
[0] https:/