A proposal for RBAC policies to support instance access control

Registered by zhouhua

OpenStack uses a role based access control (RBAC) mechanism to manage access to its resources. With the current architecture, users' roles are stored in Keystone, but the access control policy is enforced independently in each service, based on the rules defined in each service's policy.json file. However, with the current mechanism we cannot restrict a role to the actions of one specified set of resources (e.g. some instances among a group of instances in one project). This scenario is sometimes very important for the security requirements of some large enterprises. To support this scenario, we may need to enhance the syntax of policy.json and do some code implementation.

Here is my proposal:

1) Add a resource scope rule definition syntax. This simple syntax is [resource_rule_name]: "[resource rule] or [resource rule] or ...", where [resource rule] can be instance_id:uuid. For example, database_servers: "instance_id: b48316c5-71e8-45e4-9884-6c78055b9b13 or instance_id: 25517360-b757-47d3-be45-0e8d2a01b36a" means database_servers are the instances whose instance uuid matches one of the two target uuids.

2) Now we can define access policies that refer to the resource scope definition in the access control list. The recommended syntax is "[service_scope]:[action]": "[role_rules] and [resource_rule]". For example, "compute:stop": "rule:admin_or_owner or (role:database_admin and rule:database_servers)" means the action compute:stop can be performed by admin, owner, or database administrators when the target is one of the two database servers defined above.
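As an added illustration (not Keystone, Nova or oslo.policy code), a small evaluator for the proposed syntax: it parses the database_servers resource rule and the compute:stop policy from the proposal and checks them against a caller's roles and a target instance. The and/or/parentheses grammar, the credential and target dictionaries, and the admin_or_owner definition are assumptions made for the example.

```python
import re

# Constructed policy.json fragment in the proposed syntax (an added
# illustration, not Keystone or Nova code); the uuids are those in the proposal.
POLICY = {
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "database_servers": "instance_id:b48316c5-71e8-45e4-9884-6c78055b9b13 or "
                        "instance_id:25517360-b757-47d3-be45-0e8d2a01b36a",
    "compute:stop": "rule:admin_or_owner or "
                    "(role:database_admin and rule:database_servers)",
}
# Tokens: parentheses, and/or, and kind:value atoms (values may embed %(x)s).
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:(?:%\(\w+\)s|[^\s()])+")


def _atom(atom, creds, target):
    kind, value = atom.split(":", 1)
    if kind == "role":                 # role carried in the caller's token
        return value in creds.get("roles", ())
    if kind == "rule":                 # reference to another named rule
        return enforce(value, creds, target)
    if kind == "instance_id":          # the proposed resource-scope atom
        return target.get("instance_id") == value
    return creds.get(kind) == value % target  # e.g. project_id:%(project_id)s


def enforce(rule, creds, target):
    """Evaluate POLICY[rule]; 'and' binds tighter than 'or', parens group."""
    tokens, i = TOKEN.findall(POLICY[rule]), 0

    def primary():
        nonlocal i
        tok, i = tokens[i], i + 1
        if tok != "(":
            return _atom(tok, creds, target)
        value = or_expr()
        i += 1                         # consume the matching ')'
        return value

    def chain(op, operand):            # left-assoc chain of one operator
        nonlocal i
        value = operand()
        while i < len(tokens) and tokens[i] == op:
            i += 1
            rhs = operand()            # always parse rhs to keep position
            value = (value and rhs) if op == "and" else (value or rhs)
        return value

    and_expr = lambda: chain("and", primary)
    or_expr = lambda: chain("or", and_expr)
    return or_expr()
```

With these rules a database_admin can stop only the two listed instances; on any other instance in the project the role check passes but the resource-scope rule fails, so the action is denied.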

Blueprint information

Status:
Complete
Approver:
None
Priority:
Undefined
Drafter:
zhouhua
Direction:
Needs approval
Assignee:
None
Definition:
Obsolete
Series goal:
None
Implementation:
Unknown
Milestone target:
None
Completed by:
Steve Martinelli

Related branches

Sprints

Whiteboard

(stevemar): marking this as obsolete since it has been inactive for a very long time; please use the new feature proposal process in keystone-specs


Work Items
