A proposal for RBAC policies to support instance access control
OpenStack uses a role-based access control (RBAC) mechanism to manage access to its resources. With the current architecture, users' roles are stored in Keystone, but the access control policy is enforced independently in each service, based on the rules defined in that service's policy.json file. However, the current mechanism cannot restrict a role to the actions on one specified set of resources (e.g. some instances among a group of instances in one project). This scenario is sometimes very important for the security requirements of some large enterprises. To support this scenario, we may need to enhance the syntax of policy.json and do some code implementation.
Here is my proposal: 1) add a resource scope rule definition syntax; this simple syntax is [resource_
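The limitation described above, shown with a small added example that is not part of the blueprint or of OpenStack's own code. It is a simplified stand-in for how a service evaluates policy.json rules, supporting only the `role:<name>` check, the generic `<key>:%(attr)s` check against target attributes, `rule:<name>` indirection, and `and`/`or` without parentheses (real oslo.policy is more general). The policy fragment, the instance records and the credentials are constructed; the action name `compute:stop` and the `admin_or_owner` rule follow the usual Nova policy layout but are assumptions here.

```python
"""Simplified policy.json rule evaluation (constructed stand-in, not oslo.policy).

Shows that the existing rule atoms can scope a role to a project (the
classic "owner" check) but have nothing to compare against that would
single out a subset of instances inside that project.
"""

# Constructed policy fragment in policy.json style.
POLICY = {
    "admin_required": "role:admin",
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "compute:stop": "rule:admin_or_owner",
}


def check_atom(atom, target, creds, policy):
    """Evaluate one 'kind:match' atom against the target and the caller's creds."""
    kind, _, match = atom.partition(":")
    if kind == "rule":                      # indirection to another named rule
        return evaluate(policy[match], target, creds, policy)
    if kind == "role":                      # role held by the caller (from Keystone)
        return match in creds.get("roles", [])
    # Generic check: substitute target attributes, then compare with creds[kind].
    try:
        wanted = match % target
    except KeyError:                        # target lacks the attribute
        return False
    return str(creds.get(kind)) == wanted


def evaluate(rule, target, creds, policy):
    """'or' binds looser than 'and'; no parentheses support in this stand-in."""
    for conjunction in rule.split(" or "):
        if all(check_atom(a.strip(), target, creds, policy)
               for a in conjunction.split(" and ")):
            return True
    return False


def enforce(action, target, creds, policy=POLICY):
    """True if the caller (creds) may perform action on the target resource."""
    return evaluate(policy[action], target, creds, policy)


def allowed_instances(action, creds, instances, policy=POLICY):
    """Instance ids on which the caller is permitted to perform action."""
    return [i["instance_id"] for i in instances if enforce(action, i, creds, policy)]


# Constructed sample data: two instances in proj-A, one in proj-B.
INSTANCES = [
    {"instance_id": "vm-1", "project_id": "proj-A"},
    {"instance_id": "vm-2", "project_id": "proj-A"},
    {"instance_id": "vm-3", "project_id": "proj-B"},
]
MEMBER_OF_A = {"roles": ["member"], "project_id": "proj-A", "user_id": "alice"}
CLOUD_ADMIN = {"roles": ["admin"], "project_id": "proj-Z", "user_id": "root"}

if __name__ == "__main__":
    # The member role is scoped to its project, but every instance in that
    # project is treated the same: nothing in creds distinguishes vm-1 from vm-2.
    print("member of proj-A may stop:", allowed_instances("compute:stop", MEMBER_OF_A, INSTANCES))
    print("admin may stop:           ", allowed_instances("compute:stop", CLOUD_ADMIN, INSTANCES))
```

Restricting `alice` to `vm-1` alone would require either a rule per instance or a new rule form that names a resource set, which is the gap the blueprint sets out to close.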
Blueprint information
- Status:
- Complete
- Approver:
- None
- Priority:
- Undefined
- Drafter:
- zhouhua
- Direction:
- Needs approval
- Assignee:
- None
- Definition:
- Obsolete
- Series goal:
- None
- Implementation:
- Unknown
- Milestone target:
- None
- Started by:
- Completed by:
- Steve Martinelli
Whiteboard
(stevemar): marking this as obsolete since it has been inactive for a very long time, please use the new feature proposal process in keystone-specs