OpenStack Compute (nova)

Interim AuthZ service for Nova

Registered by Sandy Walsh on 2011-09-23

Until Keystone is fully functional with AuthZ support, we may need some primitive authZ in Nova. This BP discusses how this may be possible at a low-level.

Description of the proposed implementation is here:
http://etherpad.openstack.org/rbac-brain

Read the full specification

Blueprint information

Status:: Complete

Approver:: Vish Ishaya

Priority:: Essential

Drafter:: Nova Auth Team

Direction:: Approved

Assignee:: Brian Waldon

Definition:: Approved

Series goal:: Accepted for essex

Implementation:: Implemented

Milestone target:: 2012.1

Started by: Vish Ishaya on 2011-12-18

Completed by: Brian Waldon on 2012-01-17

Related branches

Related bugs

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/interim-nova-authz-service,n,z

Addressed by: https://review.openstack.org/2766
Adds simple policy engine support

Addressed by: https://review.openstack.org/2767
First Implementation of Policy checking

Addressed by: https://review.openstack.org/2828
Refactors utils.load_cached_file

Addressed by: https://review.openstack.org/2943
Add policy checks to Compute.API

Addressed by: https://review.openstack.org/3014
Make authz failures use proper response code

Addressed by: https://review.openstack.org/3021
Add policy checking to nova.network.api.API

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

Rajesh Battala