Implement policy-based auth in API
To allow permission customization, Murano should implement the policy-based authentication model that other OpenStack services use. This may be related to the existing RBAC tickets.
See http://
As an example from Designate, a default policy file is included with the config. For each API operation, a set of rules is defined that determines who can carry it out. For instance, the `create_server` operation has a policy rule defined in https:/
The case for this is to allow admins to customize their deployments; for instance, an administrator might decide that they want to only allow administrators to tag images, or that ordinary users are not allowed to upload packages, etc. The default policy.json file should be as permissive as makes sense (I think nearly all operations right now would be granted within a tenant, for example). We would need a list of operations that require control (essentially, all the operations the API supports).
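The model described above, as an added example that is not Murano's or Designate's code: a permissive default policy, an operator override, and a check that denies anything the policy does not explicitly grant. The operation names `upload_package` and `tag_image`, the credential fields, and the helper names are assumptions made for illustration, and the rule grammar is a simplified subset of the OpenStack policy syntax (`role:`, `rule:`, `tenant:` checks joined by `or`).

```python
import json

# Constructed default policy (hypothetical operation names): permissive within a tenant.
DEFAULT_POLICY = json.loads("""{
    "admin": "role:admin",
    "owner": "tenant:%(tenant_id)s",
    "admin_or_owner": "rule:admin or rule:owner",
    "upload_package": "rule:admin_or_owner",
    "tag_image": "rule:admin_or_owner"
}""")

# Constructed operator override: only administrators may upload packages or tag images.
OPERATOR_OVERRIDE = {"upload_package": "rule:admin", "tag_image": "rule:admin"}


def check_term(term, rules, creds, target, seen):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return evaluate(value, rules, creds, target, seen)
    if kind in creds:
        # e.g. "tenant:%(tenant_id)s": caller's tenant must equal the target's tenant
        try:
            return creds[kind] == value % target
        except (KeyError, TypeError, ValueError):
            return False
    return False  # unknown check kind: deny


def evaluate(name, rules, creds, target, seen):
    """Evaluate a named rule; undefined or cyclic rules deny."""
    if name not in rules or name in seen:
        return False
    # Simplified grammar: a rule is a list of terms joined by " or "
    return any(check_term(t.strip(), rules, creds, target, seen | {name})
               for t in rules[name].split(" or "))


def enforce(operation, creds, target, rules):
    """Return True only if the policy explicitly grants `operation`."""
    return evaluate(operation, rules, creds, target, frozenset())


def effective_policy(override):
    """Operator entries replace the shipped defaults rule by rule."""
    return {**DEFAULT_POLICY, **override}
```

Every API operation needs an entry in the default file for this to work, which is why the list of operations mentioned above matters: in this example an operation with no rule is denied rather than allowed.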
Blueprint information
- Status: Complete
- Approver: ruhe
- Priority: High
- Drafter: Steve McLellan
- Direction: Approved
- Assignee: Steve McLellan
- Definition: Approved
- Series goal: Accepted for juno
- Implementation: Implemented
- Milestone target: 2014.2
- Started by: ruhe
- Completed by: ruhe
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Add policy checks to API