API: Policy should be enforced at API layer where possible (partial)
Where possible, policy should be enforced at the API layer rather than, say, in the db or compute layer.
Blueprint information
- Status: Complete
- Approver: John Garbutt
- Priority: Medium
- Drafter: Christopher Yeoh
- Direction: Approved
- Assignee: Alex Xu
- Definition: Approved
- Series goal: Accepted for kilo
- Implementation: Implemented
- Milestone target: 2015.1.0
- Started by: Christopher Yeoh
- Completed by: John Garbutt
Whiteboard
Policy is currently enforced at various levels within Nova, from the API to the compute layer and right down to the db. To minimise the amount of unwinding required, enforcement should be done at the API layer wherever possible.
The current policy naming convention for the V2 and ec2 APIs will need to be preserved, while the V3 API policies can be made consistent with the rest of the API.
workinglist: https:/
Gerrit topic: https:/
Addressed by: https:/
Add policy check for server's delete in v2 api
Addressed by: https:/
Add policy check for server's delete in v3 api
Addressed by: https:/
Add core_authorizer that uses 'compute:' as the scope of core api in v3
Addressed by: https:/
Add policy check for server's start/stop in v3 api
Addressed by: https:/
Move policy check of start/stop to api layer
Addressed by: https:/
Move policy check of delete to api layer
Addressed by: https:/
Move policy check of confirm/
Addressed by: https:/
Move policy check of rebuild/
Addressed by: https:/
Move policy check of reboot to api layer
Addressed by: https:/
Change the scope of update's policy to compute:
Addressed by: https:/
Move policy check of server_metadata to api layer
Addressed by: https:/
Move policy check of create into api layer
Addressed by: https:/
Move policy check of rescue/unrescue to api layer
Addressed by: https:/
enable both extension level and action level policy check in v3 api
Addressed by: https:/
Move policy check of shelve/
Addressed by: https:/
Move policy check of attach_
Addressed by: https:/
Move policy check of volume action to api layer
Addressed by: https:/
Move policy check of set_admin_password to api layer
Addressed by: https:/
Move policy check of compute:
Addressed by: https:/
Move policy check of get_vnc_
Addressed by: https:/
Move policy check of restore to api layer
Addressed by: https:/
Changes discoverable entry scope to 'compute:v3' for v3 core api
Addressed by: https:/
remove all redundant policy check for all admin_actions api in compute layer
Addressed by: https:/
Remove policy check in db layer for flavor_manage
Addressed by: https:/
Remove policy check in db layer for aggregates
Addressed by: https:/
Update policy check on each action for agents
Addressed by: https:/
Update policy check on each action for evacuate
Addressed by: https:/
Update policy check for flavor related API for v3
Addressed by: https:/
Move quota-sets db layer policy checks into api layer
Addressed by: https:/
Update policy check on each action for multinic
Addressed by: https:/
Update policy check on each action for certificates
Addressed by: https:/
Update policy check on each action for config_drive
Addressed by: https:/
Move policy 'compute:
Addressed by: https:/
Move quota-classes db layer policy checks into api layer
Addressed by: https:/
update policy check on each action for instance usage audit log
Addressed by: https:/
Adjust the exception handling to make it more accurate
Addressed by: https:/
Add test cases for multinic on policy check
Addressed by: https:/
Remove db layer policy checks for migration
Addressed by: https:/
Remove db layer authorize for keypair
Addressed by: https:/
Move policy check of pci to api layer
Addressed by: https:/
Remove db layer policy checks for pci
Addressed by: https:/
Remove db layer authorization for certificates
Addressed by: https:/
Move policy checks of resize/
Addressed by: https:/
Split resize as extension from v3 servers core
Addressed by: https:/
Add decorator expected_errors for resize_server v3
Addressed by: https:/
Remove db layer authorization for compute_node and split v3 policy for hypervisors
Addressed by: https:/
Update policy check on services V3 API & DB layer
Addressed by: https:/
Remove db layer admin authorization on compute_node
Addressed by: https:/
Remove db layer admin authorization on services
Addressed by: https:/
Remove db layer policy checks for cell
Addressed by: https:/
Move policy check of get_all into api layer
Addressed by: https:/
Change the policy scope to 'compute:
Addressed by: https:/
add policy check for ips and consoles in v3 api
Addressed by: https:/
Use instance lookup helper for v2 api
Addressed by: https:/
Move policy check of get into API layer
v3 API patches have been deferred to Juno --russellb
Unapproved - please re-submit via nova-spec --johnthetubaguy (20th March 2014)
Gerrit topic: https:/
Addressed by: https:/
Blueprint for implementing policy should be enforced at REST API layer
Addressed by: https:/
Move the policy checks into REST API layer for shelve v3 extension
Addressed by: https:/
Implement policy should be enforced at REST API layer
Addressed by: https:/
The end goal of Nova API policy improvement
Addressed by: https:/
Add vision of nova rest API policy improvement in devref
Addressed by: https:/
Adds skip_policy_check flag to Compute API and Network API
Addressed by: https:/
Adds common policy authorizer helper function for Nova V2.1 API
Addressed by: https:/
Adds V2.1 Policy Enforcement unittest base class
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 pause server
Addressed by: https:/
Add base policy rules for EC2 policy back-compatible
Addressed by: https:/
Add new policy rule for EC2 reboot
Addressed by: https:/
Remove useless policy check at nova-network NetworkManager
Addressed by: https:/
Add REST API policy checking for ec2 network related api
Addressed by: https:/
Refactor _format_instances in api/ec2/cloudy.py
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 lock server
Addressed by: https:/
Add REST API policy checking for ec2 volume related api
Addressed by: https:/
Add new policy rule for EC2 start/stop_
Addressed by: https:/
Add REST API checking for security_
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 suspend/resume server
Addressed by: https:/
Enforce in REST API layer on v2.1 api shelve
Addressed by: https:/
Enforce policy checking in REST API layer for v2.1 server_password
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 server_diagnostics
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 rescue api
Addressed by: https:/
Add new policy rule for EC2 create/
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 lock server
Addressed by: https:/
Move v2.1 virtual_interfaces api policy enforcement into REST API layer
Addressed by: https:/
Enforce in REST API layer on v2.1 api evacuate
Addressed by: https:/
Add new policy rule for EC2 terminate_instances
Addressed by: https:/
Add missing policy for nova in policy.json
Addressed by: https:/
Remove shelve policy for nova compute layer
Addressed by: https:/
Add new policy rule for EC2 get_password_data
Addressed by: https:/
Add new policy rule for EC2 terminate_instances
Addressed by: https:/
Add new policy rule for EC2 create_image
Addressed by: https:/
Move migrate-server policy enforce into REST API
Addressed by: https:/
Add new policy rule for EC2 run_instances
Addressed by: https:/
Add new policy rule for EC2 create/delete_tags
Addressed by: https:/
Add new policy rule for EC2 describe_
Addressed by: https:/
Add new policy rules for describe_
Addressed by: https:/
Enforce in REST API layer on v2.1 api attach_interfaces
Addressed by: https:/
Add new policy rules for ec2 describe_
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 create backup
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 admin actions
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 admin password
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 fping
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 deferred_delete
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 server_metadata
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 multinic
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 ips
Addressed by: https:/
Correct the policy enforcement for v2.1 server-groups
Addressed by: https:/
Enforce in REST API layer on v2.1 api volumes-attachments
Addressed by: https:/
Enforce in REST API layer on v2.1 api console-output
Addressed by: https:/
Enforce in REST API layer on v2.1 api remote consoles
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 servers
Addressed by: https:/
Add enforce in REST API layer on v2.1 api limits
Addressed by: https:/
Add enforce in REST API layer on v2.1 api floating_ip_dns
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 networks
This has missed the Feature Freeze Proposal deadline, marking as NeedsCodeReview, let's not add any more patches here, if possible. --johnthetubaguy 26th Jan 2015
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 extended_volumes
Addressed by: https:/
Rename and move the v2.1 api policy into separated files
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 security_
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 cloudpipe
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 floating_ip_pools
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 floating ips
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 security groups
Addressed by: https:/
Remove db layer hard-code permission checks for v2.1 agents
Addressed by: https:/
Remove db layer hard-code permission checks for services and compute_nodes
Addressed by: https:/
Remove db layer hard-code permission checks for v2.1 cells
Addressed by: https:/
Remove db layer hard-code permission checks for v2.1 quota/quota-class
Addressed by: https:/
Remove db layer hard-code permission checks for flavors related
Addressed by: https:/
Remove db layer hard-code permission checks for migrations
Addressed by: https:/
Remove db layer hard-code permission checks for instance-usage
Addressed by: https:/
Remove db layer hard-code permission checks for v2.1 pci
Addressed by: https:/
Remove db layer hard-code permission checks for fixed_ips
Addressed by: https:/
Remove db layer hard-code permission checks for floating_ips_bulk
Addressed by: https:/
Remove db layer hard-code permission checks for floating_ip_dns
Addressed by: https:/
Remove db layer hard-code permission checks for security_groups
Addressed by: https:/
Add policy check for consoles
Lots of patches here that have -1s and need work, deferring to kilo-3, need to check this complements the v2.1 API work OK. --johnthetubaguy 3 Feb 2015
Most of the patches are waiting for the last base patch to get merged; then those patches can be rebased. --alex xu
Addressed by: https:/
Move v2.1 rescue api policy enforcement into REST API layer
Addressed by: https:/
Move v2.1 virtual_interfaces api policy enforcement into REST API layer
Because EC2 may be deprecated in the future, drop all the EC2 related patches. Let's focus on v2.1 and db layer cleanup. --alex 16 Feb 2015
Addressed by: https:/
Move policy enforcement into REST API layer for v2.1 api volume_attachment
Addressed by: https:/
Remove db layer hard-code permission checks for service_create
Addressed by: https:/
Remove db layer hard-code permission checks for service_
Addressed by: https:/
Remove db layer hard-code permission checks for service_
Addressed by: https:/
Remove db layer hard-code permission checks for service_
Addressed by: https:/
Remove db layer hard-code permission checks for service_get_all
Addressed by: https:/
Remove db layer hard-code permission checks for service_
Addressed by: https:/
Remove db layer hard-code permission checks for fixed_ip_
Addressed by: https:/
Remove db layer hard-code permission checks for fixed_ip_get_*
Addressed by: https:/
Add floating_ips_bulk policy enforcement test case for v2.1 REST API layer
Gerrit topic: https:/
Addressed by: https:/
Remove db layer hard-code permission checks for quota_destroy_all_*
Addressed by: https:/
Remove db layer hard-code permission checks for quota_get_all_*
Addressed by: https:/
Remove db layer hard-code permission checks for quota_create/update
Gerrit topic: https:/
Addressed by: https:/
Remove db layer hard-code permission checks for quota_class_
Addressed by: https:/
Remove db layer hard-code permission checks for quota_class/update
Addressed by: https:/
Cleanup quota_class unittest with appropriate request context
Gerrit topic: https:/
Addressed by: https:/
Remove db layer hard-code permission checks for quota_usage_update
Addressed by: https:/
Add floating_ip_dns policy enforcement test case for v2.1 REST API layer
Addressed by: https:/
Add security_
Gerrit topic: https:/
Addressed by: https:/
Remove db layer hard-code permission checks for flavor_access
Gerrit topic: https:/
Addressed by: https:/
Remove db layer hard-code permission checks for task_log_
Gerrit topic: https:/
Addressed by: https:/
Remove db layer hard-code permission checks for migrations_get*
Addressed by: https:/
Remove db layer hard-code permission checks for network_associate
Addressed by: https:/
Remove db layer hard-code permission checks for network_
Addressed by: https:/
Remove db layer hard-code permission checks for network_delete_safe
Addressed by: https:/
Remove db layer hard-code permission checks for network_
Addressed by: https:/
Remove db layer hard-code permission checks for network_set_host
Addressed by: https:/
Remove db layer hard-code permission checks for network_create_safe
Addressed by: https:/
Remove db layer hard-code permission checks for network_get_by_uuid
Addressed by: https:/
Remove db layer hard-code permission checks for network_get_by_cidr
Addressed by: https:/
Remove db layer hard-code permission checks for network_
Addressed by: https:/
Remove db layer hard-code permission checks for network_
Gerrit topic: https:/
Addressed by: https:/
Move unlock_override policy enforcement into V2.1 REST API layer
Gerrit topic: https:/
Addressed by: https:/
move the Network V2 related api test from V21 to V2 test
Since we have hit feature proposal freeze, marking this as partial and ready to review. Please no more "new code" should be uploaded as we try to get the current items merged before feature freeze. --johnthetubaguy 10th March 2015
Addressed by: https:/
Remove useless policy rules for v2.1 api which removed/disabled
The team is going to mark code as abandoned till liberty for other patches. --johnthetubaguy 13th March 2015
Gerrit topic: https:/
Addressed by: https:/
Pass project_id when create networks by os-tenant-networks
We probably need to try and get this one into kilo-3, if possible:
https:/
--johnthetubaguy 13th March 2015
Addressed by: https:/
Fix test cases still use v3 prefix
Addressed by: https:/
Remove comments on API policy, remove core param
Calling this complete for now. --johnthetubaguy 26th March 2015