Improvements to rule based access control

Registered by Ed Bak

The following is a proposal to improve rule-based API access in Nova. There are currently a number of issues which need to be addressed:
1. In some cases, despite having a rule defined in policy.json, a command can get blocked by the require_admin_context decorator within the sqlalchemy/ layer. If a user chooses to define another role or rule for a command which isn't the admin role, the command should succeed or fail based on the user's rule definition.
2. In some cases, a single rule can apply to multiple API calls. A Nova user should be able to define a rule for each API call. The rules need to be granular enough to support this.
3. In some cases, a policy failure does not return an HTTP 403. A policy failure should always return a consistent HTTP 403 error code.

Other than the changes described above, current policy definition behavior will remain the same.
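To make the three points concrete, here is an added example of a small rule-based policy enforcer. It is not Nova's code and not part of this blueprint; the rule names, API actions and credentials are constructed for illustration, and the rule syntax is a reduced subset of the policy.json string syntax. It shows one rule per API action, blank and undefined rules kept as described (blank allows everyone, undefined falls back to "default"), a non-admin role rule honoured with no hard-coded admin gate in the database layer, and every policy failure mapped to the same HTTP 403.

```python
"""Toy rule-based policy enforcer modelling the proposal's three points.

Added example; not Nova's code. The rule names, actions and credentials
below are constructed for illustration, and the rule syntax is a small
subset of policy.json string syntax: terms of the form "kind:match",
joined by "and" / "or" ("and" binds tighter), where kind is "rule",
"role" or a credential field such as "is_admin" / "project_id".
"""


class PolicyNotAuthorized(Exception):
    """Raised whenever a rule denies an action; always mapped to HTTP 403."""


# Constructed policy.json-style rules (assumed, illustrative).
POLICY = {
    "default": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    # Point 2: one rule per API call, so each can be tuned independently.
    "compute:get": "rule:admin_or_owner",
    "compute:delete": "rule:admin_or_owner",
    "compute:get_all_tenants": "rule:admin_api",
    # Point 1: a non-admin role must be honoured, with no admin-only gate below.
    "compute:get_diagnostics": "role:support",
    # Blank rule: behaviour unchanged, i.e. everyone is allowed.
    "compute:pause": "",
}

# Constructed sample target and credentials (assumed values).
TARGET = {"project_id": "p1", "id": "i-0001"}
ADMIN = {"is_admin": True, "project_id": "p1", "roles": ["admin"]}
OWNER = {"is_admin": False, "project_id": "p1", "roles": ["member"]}
OTHER = {"is_admin": False, "project_id": "p2", "roles": ["member"]}
SUPPORT = {"is_admin": False, "project_id": "p2", "roles": ["support"]}


def _check_term(term, target, creds, depth):
    """Evaluate a single 'kind:match' term against target and credentials."""
    kind, _, match = term.partition(":")
    if "%(" in match:
        match = match % target  # substitute e.g. %(project_id)s from the target
    if kind == "rule":
        return _check_rule(match, target, creds, depth + 1)
    if kind == "role":
        return match in creds.get("roles", ())
    return str(creds.get(kind)) == match


def _check_rule(name, target, creds, depth=0):
    """Evaluate a named rule; an undefined rule falls back to "default"."""
    if depth > 10:
        raise ValueError("rule recursion too deep: %s" % name)
    expr = POLICY.get(name)
    if expr is None:
        if name == "default":
            return False  # not even a "default" rule: deny
        return _check_rule("default", target, creds, depth + 1)
    if not expr.strip():
        return True  # blank rule: allow everyone
    return any(
        all(_check_term(t.strip(), target, creds, depth) for t in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def enforce(action, target, creds):
    """Raise PolicyNotAuthorized unless the rule for `action` passes."""
    if not _check_rule(action, target, creds):
        raise PolicyNotAuthorized(action)


def db_delete_instance(creds, target):
    """Stand-in for the sqlalchemy layer. Under the proposal this layer no
    longer re-checks for admin (the old require_admin_context decorator);
    it trusts the rule-based decision already taken at the API layer."""
    return {"deleted": target["id"]}


def api_call(action, target, creds, handler):
    """Dispatch like an API controller: policy first, then the handler.
    Point 3: any policy failure yields the same HTTP 403 response."""
    try:
        enforce(action, target, creds)
    except PolicyNotAuthorized as exc:
        return 403, {"error": "Policy doesn't allow %s to be performed." % exc}
    return 200, handler(creds, target)


if __name__ == "__main__":
    actions = ["compute:delete", "compute:get_all_tenants",
               "compute:get_diagnostics", "compute:pause", "compute:unlisted"]
    for who, creds in [("admin", ADMIN), ("owner", OWNER),
                       ("other", OTHER), ("support", SUPPORT)]:
        for action in actions:
            status, _ = api_call(action, TARGET, creds, db_delete_instance)
            print("%-8s %-24s -> %d" % (who, action, status))
```

Running the block prints a status matrix: the owner can delete but a member of another project gets 403, only an admin may list all tenants, only the "support" role (not even admin) may fetch diagnostics, the blank "compute:pause" rule admits everyone, and the unlisted action inherits "default", so the same admin-or-owner outcome applies.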

Blueprint information

Russell Bryant
Needs approval
Ed Bak
Series goal:
Slow progress
Milestone target:
Started by Thierry Carrez

Related branches

Gerrit topic: bp/rbac-improvements

Addressed by:
    Rule based access control improvements

Addressed by:
    Rule based access control improvements - attempt 2

Before approving, can you review the description here and make sure it reflects the current set of changes you intend to make? It appears that it does not. --russellb

This blueprint has been updated to reflect the code changes actually made. Based on earlier feedback, there was a desire to maintain the policy definition as close as possible to the current behavior. The behavior of blank, undefined rules and the "default" rule will not change.

Addressed by:
    Rule based access control improvements - Part 1

Unapproved - please re-submit via nova-spec --johnthetubaguy (20th March 2014)

Removed from next, as next is now reserved for near misses from the last milestone --johnthetubaguy


Work Items
