OpenStack Compute (Nova)

Interim AuthZ service for Nova

Registered by Sandy Walsh on 2011-09-23

Until Keystone is fully functional with AuthZ support, we may need some primitive AuthZ in Nova. This BP discusses how this may be possible at a low level.

A description of the proposed implementation is here:
http://etherpad.openstack.org/rbac-brain

Blueprint information

Status: Complete
Approver: Vish Ishaya
Priority: Essential
Drafter: Nova Auth Team
Direction: Approved
Assignee: Brian Waldon
Definition: Approved
Series goal: Accepted for essex
Implementation: Implemented
Milestone target: 2012.1
Started by: Vish Ishaya on 2011-12-18
Completed by: Brian Waldon on 2012-01-17

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/interim-nova-authz-service,n,z

Addressed by: https://review.openstack.org/2766
    Adds simple policy engine support

Addressed by: https://review.openstack.org/2767
    First Implementation of Policy checking

Addressed by: https://review.openstack.org/2828
    Refactors utils.load_cached_file

Addressed by: https://review.openstack.org/2943
    Add policy checks to Compute.API

Addressed by: https://review.openstack.org/3014
    Make authz failures use proper response code

Addressed by: https://review.openstack.org/3021
    Add policy checking to nova.network.api.API
