Make Authorization Orthogonal

Registered by Salvatore Orlando

The quantum codebase is now a bit 'polluted' by policy checks spread throughout db logic and sometimes even plugin logic.
While per se this is not harmful, it has some drawbacks:
1) There's no uniformity of style in policy.json
2) Understanding how authorization works is not trivial, as the checks might be somewhere else in the code
3) Developers have to explicitly worry about authZ logic, which is mixed with 'business' logic
4) It is hard for users to understand how to tune authZ in their setup by editing policy.json

It would be great to finally be able to decouple user request processing from user request authorization.
This is something we are carrying with us in the codebase since the F-2 milestone. (Policy.json was introduced in F-1).
During the Grizzly release cycle many new extensions were added with explicit policy checks.

The aim of this blueprint is to submit a set of patches that progressively (probably over the course of H-1 and H-2) will complete the separation of authZ from request processing.

For further details, please refer to the specification URL.

Blueprint information

Mark McClain
Salvatore Orlando
Salvatore Orlando
Series goal:
Accepted for havana
Milestone target:
milestone icon 2013.2
Started by
Mark McClain
Completed by
Salvatore Orlando

Related branches



Update 2013-8-21

The latest patch reasonably concludes this blueprint.
We have considered uniforming scheduler policies (dhcp, l3, lb) to the others, but this would have required switching them to using the same controller class as all other resources.
this is not easy, out of topic for this blueprint, and will cause backward-compatibility issues with existing policy.json file.

Restructuring of controllers will be tackled at the next summit, as it will be probably a topic for Icehouse.


Gerrit topic:,topic:bp/make-authz-orthogonal,n,z

Addressed by:
    Enable authZ checks for member actions

Addressed by:
    Fix typo in policy.json and checks in nicira plugin

Addressed by:
    Remove calls to policy.enforce from plugin and db logic

Addressed by:
    Remove calls to policy.check from plugin logic

Pushing out completion to H-2.
The last patch, moving authZ out of the api app and making it an independent element in the pipeline, will require a bit of work, and is not really high priority.

Gerrit topic:,topic:bug/1177572,n,z

Addressed by:
    Deprecate "extension:xxx" policies but preserve bw compatibility

Decreasing priority to low as most of the blueprint is already implemented and merged.
What's missing is probably the least important bit.
It would be good to get it by H3, but nobody will complain if that does not happen.

Addressed by:
    Remove calls to policy.check and policy.enforce from plugin code


Work Items

This blueprint contains Public information 
Everyone can see this information.


No subscribers.