Implement policy-based auth in API

Registered by Steve McLellan

In order to allow permission customization Murano should implement the policy-based authentication model other openstack services use. This may be related to the existing RBAC tickets.

See http://docs.openstack.org/trunk/openstack-ops/content/projects_users.html for an explanation.

As an example from designate, a default policy file is included with the config. For each API operation, a set of rules are defined determining who can carry it out. For instance, the `create_server` operation has a policy rule defined in https://github.com/stackforge/designate/blob/master/etc/designate/policy.json#L15, and checked against by the API in https://github.com/stackforge/designate/blob/master/designate/central/service.py#L314.

The case for this is to allow admins to customize their deployments; for instance, an administrator might decide that they want to only allow administrators to tag images, or that ordinary users are not allowed to upload packages, etc etc. The default policy.json file should be as permissive as makes sense (I think nearly all operations right now would be granted within a tenant, for example). We would need a list of operations that require control (essentially, all the operations the API supports).

Docs:
https://etherpad.openstack.org/p/MuranoPolicies

Blueprint information

Status:
Complete
Approver:
Ruslan Kamaldinov
Priority:
High
Drafter:
Steve McLellan
Direction:
Approved
Assignee:
Steve McLellan
Definition:
Approved
Series goal:
Accepted for juno
Implementation:
Implemented
Milestone target:
milestone icon 2014.2
Started by
Ruslan Kamaldinov
Completed by
Ruslan Kamaldinov

Related branches

Sprints

Whiteboard

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.