Improvements to rule based access control

Registered by Ed Bak on 2013-05-31

The following is a proposal to improve rule-based API access control in Nova. There are currently a number of issues which need to be addressed:
1. In some cases, despite having a rule defined in policy.json, a command can still be blocked by the require_admin_context decorator in the sqlalchemy/api.py layer. If a user defines another role or rule for a command which is not the admin role, the command should succeed or fail based on the user's rule definition alone.
2. In some cases, a single rule applies to multiple API calls. A Nova user should be able to define a rule for each API call, so the rules need to be granular enough to support this.
3. In some cases, a policy failure does not return an HTTP 403. A policy failure should always return a consistent HTTP 403 error code.

Other than the changes described above, current policy definition behavior will remain the same.
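The following is an added example, not Nova's code, that models the three problems above with a small policy.json-style evaluator. The policy fragment, the role names, the `require_admin_context` stand-in and the exception-to-status mapping are all assumptions made for illustration; it keeps the blank-rule and "default"-rule behaviour the proposal says is unchanged, and shows per-call rule names (issue 2) so that `hosts:index` and `hosts:update` can be granted separately.

```python
"""Added example (not Nova's code): a simplified policy.json evaluator showing
why a DB-layer admin check (issue 1) overrides policy and surfaces as a
non-403 (issue 3), and how per-API-call rules (issue 2) look in practice."""
import json

# Constructed policy.json fragment (assumption). A blank rule means "always
# allowed" and a missing rule name falls back to "default", as in the proposal.
POLICY_JSON = """{
  "admin_or_owner": "is_admin:True or user_id:%(user_id)s",
  "default": "rule:admin_or_owner",
  "compute_extension:hosts:index": "role:operator or is_admin:True",
  "compute_extension:hosts:update": "is_admin:True",
  "compute:get_all": ""
}"""
RULES = json.loads(POLICY_JSON)


class PolicyNotAuthorized(Exception):
    """Policy failure; the API layer maps this to HTTP 403."""


class AdminRequired(Exception):
    """Raised by the DB-layer admin check, which never consults policy."""


class Context:
    def __init__(self, user_id, roles=(), is_admin=False):
        self.user_id, self.roles, self.is_admin = user_id, set(roles), is_admin


def _check(term, ctx, target):
    """Evaluate one 'kind:value' term of a rule string."""
    kind, _, value = term.strip().partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "is_admin":
        return ctx.is_admin == (value == "True")
    if kind == "rule":                      # reference to another named rule
        return check_rule(value, ctx, target)
    if kind == "user_id":                   # '%(user_id)s' filled from target
        return ctx.user_id == (value % target)
    raise ValueError("unknown check %r" % term)


def check_rule(name, ctx, target):
    """Simplified grammar: clauses joined by ' or ', terms joined by ' and '."""
    rule = RULES.get(name, RULES["default"])
    if rule == "":
        return True
    return any(all(_check(t, ctx, target) for t in clause.split(" and "))
               for clause in rule.split(" or "))


def enforce(name, ctx, target=None):
    if not check_rule(name, ctx, target or {}):
        raise PolicyNotAuthorized(name)


def require_admin_context(f):
    """Stand-in (assumption) for the sqlalchemy/api.py decorator from issue 1."""
    def wrapper(ctx, *args):
        if not ctx.is_admin:
            raise AdminRequired()
        return f(ctx, *args)
    return wrapper


@require_admin_context
def db_host_list_before(ctx):
    return ["host-a", "host-b"]             # constructed data


def db_host_list_after(ctx):
    """After the change the DB layer trusts the API-layer policy decision."""
    return ["host-a", "host-b"]


def hosts_index_before(ctx):
    """Issue 1: policy admits 'operator', but the DB layer still demands admin."""
    enforce("compute_extension:hosts:index", ctx)
    return db_host_list_before(ctx)


def hosts_index_after(ctx):
    """Authorisation decided by the rule alone."""
    enforce("compute_extension:hosts:index", ctx)
    return db_host_list_after(ctx)


def call(handler, ctx):
    """Map exceptions to an HTTP status. AdminRequired is not a policy error,
    so it does not become 403 (issue 3); the 500 mapping here is an assumption."""
    try:
        return 200, handler(ctx)
    except PolicyNotAuthorized:
        return 403, None
    except AdminRequired:
        return 500, None


if __name__ == "__main__":
    operator = Context("u1", roles=["operator"])
    print(call(hosts_index_before, operator)[0], call(hosts_index_after, operator)[0])
```

Running the block prints `500 200`: the same operator, admitted by the same rule, is rejected before the fix because the DB-layer decorator short-circuits policy, and the failure is not even reported as a 403.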

Blueprint information

Status: Started
Approver: Russell Bryant
Priority: Undefined
Drafter: None
Direction: Needs approval
Assignee: Ed Bak
Definition: Review
Series goal: None
Implementation: Slow progress
Milestone target: None
Started by: Thierry Carrez on 2013-06-25

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/rbac-improvements,n,z

Addressed by: https://review.openstack.org/31292
    Rule based access control improvements

Addressed by: https://review.openstack.org/32762
    Rule based access control improvements - attempt 2

Before approving, can you review the description here and make sure it reflects the current set of changes you intend to make? It appears that it does not. --russellb

This blueprint has been updated to reflect the code changes actually made. Based on earlier feedback, there was a desire to maintain the policy definition as close as possible to the current behavior. The behavior of blank, undefined rules and the "default" rule will not change.

Addressed by: https://review.openstack.org/35168
    Rule based access control improvements - Part 1

Unapproved - please re-submit via nova-spec --johnthetubaguy (20th March 2014)

Removed from next, as next is now reserved for near misses from the last milestone --johnthetubaguy
