Implement policy-based auth in API

Registered by Steve McLellan

In order to allow permission customization, Murano should implement the policy-based authentication model that other OpenStack services use. This may be related to the existing RBAC tickets.

See http://docs.openstack.org/trunk/openstack-ops/content/projects_users.html for an explanation.

As an example from designate, a default policy file is included with the config. For each API operation, a set of rules is defined determining who can carry it out. For instance, the `create_server` operation has a policy rule defined in https://github.com/stackforge/designate/blob/master/etc/designate/policy.json#L15, and it is checked by the API in https://github.com/stackforge/designate/blob/master/designate/central/service.py#L314.

The case for this is to allow admins to customize their deployments; for instance, an administrator might decide that they want to only allow administrators to tag images, or that ordinary users are not allowed to upload packages, etc. The default policy.json file should be as permissive as makes sense (I think nearly all operations right now would be granted within a tenant, for example). We would need a list of operations that require control (essentially, all the operations the API supports).

Docs:
https://etherpad.openstack.org/p/MuranoPolicies
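As an added example (not Murano's or designate's code, and not the oslo policy library itself), a minimal stand-in evaluator for policy.json-style rules, with a constructed default policy whose operation names are hypothetical. It shows how a named rule such as `admin_or_owner` limits an operation to the caller's own tenant while `role:admin` gates an admin-only operation, and how unlisted operations fall back to `default`.

```python
# Constructed default policy in the style of an OpenStack policy.json file.
# Operation names are hypothetical placeholders, not Murano's real policy keys.
DEFAULT_POLICY = {
    "admin_or_owner": "role:admin or tenant_id:%(tenant_id)s",
    "default": "rule:admin_or_owner",
    "environments:create": "rule:default",
    "environments:delete": "rule:default",
    "packages:upload": "rule:default",
    "packages:set_public": "role:admin",
}


def _check_atom(atom, creds, target, policy):
    """Evaluate one 'kind:match' term of a rule against the request."""
    if atom in ("@", ""):          # '@' and the empty rule always pass
        return True
    if atom == "!":                # '!' never passes
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":             # reference to another named rule
        return check_rule(match, creds, target, policy)
    try:                           # expand %(tenant_id)s-style placeholders
        match = match % target
    except KeyError:               # target lacks the attribute: deny
        return False
    if kind == "role":
        return match in creds.get("roles", [])
    return str(creds.get(kind)) == match   # generic credential check


def check_rule(expr, creds, target, policy):
    """Evaluate a rule expression; 'or' binds looser than 'and', no parentheses."""
    if expr in policy:             # a bare name refers to a named rule
        expr = policy[expr]
    return any(
        all(_check_atom(a.strip(), creds, target, policy) for a in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def enforce(action, creds, target, policy=DEFAULT_POLICY):
    """True if creds may perform action on target; unknown actions use 'default'."""
    rule = action if action in policy else "default"
    return check_rule(rule, creds, target, policy)
```

A deployer who wants uploads restricted to admins only has to change the `packages:upload` entry to `role:admin`; no API code changes.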

Blueprint information

Status: Complete
Approver: ruhe
Priority: High
Drafter: Steve McLellan
Direction: Approved
Assignee: Steve McLellan
Definition: Approved
Series goal: Accepted for juno
Implementation: Implemented
Milestone target: 2014.2
Started by: ruhe
Completed by: ruhe
