Make Authorization Orthogonal
The quantum codebase is now a bit 'polluted' by policy checks spread throughout db logic and sometimes even plugin logic.
While per se this is not harmful, it has some drawbacks:
1) There's no uniformity of style in policy.json
2) Understanding how authorization works is not trivial, as the checks might be somewhere else in the code
3) Developers have to explicitly worry about authZ logic, which is mixed with 'business' logic
4) It is hard for users to understand how to tune authZ in their setup by editing policy.json
It would be great to finally be able to decouple user request processing from user request authorization.
This is something we are carrying with us in the codebase since the F-2 milestone. (Policy.json was introduced in F-1).
During the Grizzly release cycle many new extensions were added with explicit policy checks.
The aim of this blueprint is to submit a set of patches that progressively (probably over the course of H-1 and H-2) will complete the separation of authZ from request processing.
For further details, please refer to the specification URL.
Blueprint information
- Status:
- Complete
- Approver:
- Mark McClain
- Priority:
- Low
- Drafter:
- Salvatore Orlando
- Direction:
- Approved
- Assignee:
- Salvatore Orlando
- Definition:
- Approved
- Series goal:
- Accepted for havana
- Implementation:
- Implemented
- Milestone target:
- 2013.2
- Started by
- Mark McClain
- Completed by
- Salvatore Orlando
Related branches
Related bugs
Sprints
Whiteboard
Update 2013-8-21
The latest patch reasonably concludes this blueprint.
We have considered uniforming scheduler policies (dhcp, l3, lb) to the others, but this would have required switching them to using the same controller class as all other resources.
this is not easy, out of topic for this blueprint, and will cause backward-
Restructuring of controllers will be tackled at the next summit, as it will be probably a topic for Icehouse.
-------
Gerrit topic: https:/
Addressed by: https:/
Enable authZ checks for member actions
Addressed by: https:/
Fix typo in policy.json and checks in nicira plugin
Addressed by: https:/
Remove calls to policy.enforce from plugin and db logic
Addressed by: https:/
Remove calls to policy.check from plugin logic
Pushing out completion to H-2.
The last patch, moving authZ out of the api app and making it an independent element in the pipeline, will require a bit of work, and is not really high priority.
Gerrit topic: https:/
Addressed by: https:/
Deprecate "extension:xxx" policies but preserve bw compatibility
Decreasing priority to low as most of the blueprint is already implemented and merged.
What's missing is probably the least important bit.
It would be good to get it by H3, but nobody will complain if that does not happen.
Addressed by: https:/
Remove calls to policy.check and policy.enforce from plugin code