Mistral access filtering
Currently, to provide OpenStack project related visibility for objects like workbooks and workflows we have a code in DB API implementation that takes security context information and uses it directly to enforce filtering in DB API methods.
In my opinion, this approach is wrong because:
* DB API shouldn't take any additional responsibilities like security, it should only provide raw DB access
* DB API calls are not oriented to end users, it's an internal subsystem (clients are other subsystems)
* There are cases where we don't need to have any filtering (e.g. administration purposes)
So the suggestion is to implement access filtering at upper levels above DB API. For instance, by creating an additional service or special Secure DB API built on top of DB API and adding needed filters.
Blueprint information
- Status:
- Complete
- Approver:
- Renat Akhmerov
- Priority:
- Medium
- Drafter:
- Renat Akhmerov
- Direction:
- Approved
- Assignee:
- Renat Akhmerov
- Definition:
- Approved
- Series goal:
- Accepted for kilo
- Implementation:
-
Implemented
- Milestone target:
- None
- Started by
- Renat Akhmerov
- Completed by
- Renat Akhmerov
Related branches
Related bugs
Sprints
Whiteboard
Works but consider redesign.
