Improvements to rule based access control
The following is a proposal to improve rule-based API access in Nova. There are currently a number of issues which need to be addressed:
1. In some cases, despite having a rule defined in policy.json, a command can get blocked by the require_
2. In some cases, a single rule can apply to multiple API calls. A Nova user should be able to define a rule for each API call. The rules need to be granular enough to support this.
3. In some cases, a policy failure does not return an HTTP 403. A policy failure should always return a consistent HTTP 403 error code.
Other than the changes described above, current policy definition behavior will remain the same.
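A simplified model of items 2 and 3, added here as an example and not taken from Nova's code or from the proposed changes: each API call has its own rule, and one code path turns every policy failure into a 403. The rule names, the `handle` entry point and the sample policy are constructed for illustration. The model assumes a blank rule always passes and an undefined rule falls back to "default".

```python
# Simplified model of policy.json enforcement; not Nova's policy engine.
import json

# Constructed sample policy: one rule per API call (names are illustrative).
POLICY_JSON = """
{
    "admin_api": "role:admin",
    "default": "rule:admin_api",
    "compute:start": "role:member or rule:admin_api",
    "compute:stop": "rule:admin_api",
    "compute:get": ""
}
"""

class PolicyNotAuthorized(Exception):
    """Raised for every policy failure, whatever the API call."""

def _check(expr, roles, rules, depth=0):
    if depth > 10:                      # guard against rule:a -> rule:a loops
        return False
    if expr.strip() == "":              # assumption: blank rule always passes
        return True
    for term in expr.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in roles:
            return True
        if (kind == "rule" and value in rules
                and _check(rules[value], roles, rules, depth + 1)):
            return True
    return False                        # unknown check kinds fail closed

def enforce(action, roles, rules):
    # Assumption: an action with no rule of its own uses the "default" rule.
    expr = rules.get(action, rules["default"])
    if not _check(expr, roles, rules):
        raise PolicyNotAuthorized(action)

def handle(action, roles, rules):
    """Hypothetical API entry point: a single place maps failures to 403."""
    try:
        enforce(action, roles, rules)
    except PolicyNotAuthorized as exc:
        return 403, "Policy doesn't allow %s to be performed." % exc
    return 200, "ok"

RULES = json.loads(POLICY_JSON)
```

Because `compute:start` and `compute:stop` carry separate rules, an operator can let members start instances while reserving stop for admins, and a denial on either call surfaces as the same status code.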
Blueprint information
- Status: Started
- Approver: Russell Bryant
- Priority: Undefined
- Drafter: None
- Direction: Needs approval
- Assignee: Ed Bak
- Definition: Review
- Series goal: None
- Implementation: Slow progress
- Milestone target: None
- Started by: Thierry Carrez
- Completed by:
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Rule based access control improvements
Addressed by: https:/
Rule based access control improvements - attempt 2
Before approving, can you review the description here and make sure it reflects the current set of changes you intend to make? It appears that it does not. --russellb
This blueprint has been updated to reflect the code changes actually made. Based on earlier feedback, there was a desire to maintain the policy definition as close as possible to the current behavior. The behavior of blank, undefined rules and the "default" rule will not change.
Addressed by: https:/
Rule based access control improvements - Part 1
Unapproved - please re-submit via nova-spec --johnthetubaguy (20th March 2014)
Removed from next, as next is now reserved for near misses from the last milestone --johnthetubaguy