API: Policy should be enforced at API layer where possible (partial)

Registered by Christopher Yeoh on 2013-11-15

Where possible, policy should be enforced at the API layer rather than, say, in the db or compute layer.

Blueprint information

Status:
Complete
Approver:
John Garbutt
Priority:
Medium
Drafter:
Christopher Yeoh
Direction:
Approved
Assignee:
Alex Xu
Definition:
Approved
Series goal:
Accepted for kilo
Implementation:
Implemented
Milestone target:
2015.1.0
Started by
Christopher Yeoh on 2014-01-31
Completed by
John Garbutt on 2015-03-26

Whiteboard

Policy is currently enforced at various levels within Nova from the API to the compute layer right down to the db. To minimise the amount of unwinding which is required it should be done wherever possible at the API layer.

The current policy naming convention for the V2 and EC2 APIs will need to be preserved, while the V3 API policies can be made consistent with the rest of the API.
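As an added illustration (not Nova's code, and not from any patch listed here), the contrast the whiteboard describes: a delete path that checks policy in the compute layer after the API layer has already recorded state, and so must unwind on denial, beside one that enforces at the API layer first. The Context, the in-memory db and the POLICY rules are constructed stand-ins; the rule names only borrow the compute:v3 scope style used by the patches below.

```python
from dataclasses import dataclass

class PolicyNotAuthorized(Exception):
    """Raised when the matching policy rule denies the request."""

@dataclass
class Context:
    project_id: str
    roles: frozenset

# Constructed policy.json-style rules (not Nova's real file), in the v3 scope style.
POLICY = {
    "compute:v3:servers:delete": "admin_or_owner",
    "compute_extension:v3:os-admin-actions": "is_admin",
    "compute_extension:v3:os-admin-actions:reset_state": "is_admin",
}

def enforce(ctx, rule, target):
    check = POLICY[rule]  # an unknown rule raises KeyError: fail closed
    if check == "is_admin":
        allowed = "admin" in ctx.roles
    else:  # admin_or_owner
        allowed = "admin" in ctx.roles or ctx.project_id == target["project_id"]
    if not allowed:
        raise PolicyNotAuthorized(rule)

def make_db():
    # Constructed in-memory stand-in for the db layer.
    return {"instances": {"i-1": {"project_id": "p1", "task_state": None,
                                  "vm_state": "active"}}, "audit_log": []}

# "Before": the compute layer enforces, after the API layer has already acted.
def compute_delete_checked(ctx, db, uuid):
    enforce(ctx, "compute:v3:servers:delete", db["instances"][uuid])
    del db["instances"][uuid]

def api_delete_before(ctx, db, uuid):
    inst = db["instances"][uuid]
    inst["task_state"] = "deleting"  # side effects made before the check
    db["audit_log"].append(("delete", uuid))
    try:
        compute_delete_checked(ctx, db, uuid)
    except PolicyNotAuthorized:
        inst["task_state"] = None  # the unwinding the API layer must remember to do
        db["audit_log"].pop()
        raise

# "After": the API layer enforces first, so a denial leaves nothing to unwind.
def api_delete_after(ctx, db, uuid):
    inst = db["instances"][uuid]
    enforce(ctx, "compute:v3:servers:delete", inst)
    inst["task_state"] = "deleting"
    db["audit_log"].append(("delete", uuid))
    del db["instances"][uuid]

def api_reset_state(ctx, db, uuid, state):
    """Extension-level and action-level rules, both enforced at the API layer."""
    enforce(ctx, "compute_extension:v3:os-admin-actions", {})
    inst = db["instances"][uuid]
    enforce(ctx, "compute_extension:v3:os-admin-actions:reset_state", inst)
    inst["vm_state"] = state
    return state

def is_denied(fn, *args):
    # True when policy refuses the call; lets callers check without try/except.
    try:
        fn(*args)
    except PolicyNotAuthorized:
        return True
    return False
```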

working list: https://etherpad.openstack.org/p/apipolicycheck --alex_xu

Gerrit topic: https://review.openstack.org/#q,topic:bp/v3-api-policy,n,z

Addressed by: https://review.openstack.org/62567
    Add policy check for server's delete in v2 api

Addressed by: https://review.openstack.org/62568
    Add policy check for server's delete in v3 api

Addressed by: https://review.openstack.org/62826
    Add core_authorizer that using 'compute:' as the scope of core api in v3

Addressed by: https://review.openstack.org/63063
    Add policy check for server's start/stop in v3 api

Addressed by: https://review.openstack.org/63566
    Move policy check of start/stop to api layer

Addressed by: https://review.openstack.org/63690
    Move policy check of delete to api layer

Addressed by: https://review.openstack.org/64072
    Move policy check of confirm/revert_resize and resize to api layer

Addressed by: https://review.openstack.org/64239
    Move policy check of rebuild/create_image to api layer

Addressed by: https://review.openstack.org/63883
    Move policy check of reboot to api layer

Addressed by: https://review.openstack.org/64502
    Change the scope of update's policy to compute:v3:servers:update v3

Addressed by: https://review.openstack.org/64643
    Move policy check of server_metadata to api layer

Addressed by: https://review.openstack.org/64648
    Move policy check of create into api layer

Addressed by: https://review.openstack.org/64997
    Move policy check of rescue/unrescue to api layer

Addressed by: https://review.openstack.org/64999
    enable both extension level and action level policy check in v3 api

Addressed by: https://review.openstack.org/65071
    Move policy check of shelve/unshelve/shelve_offload to api layer

Addressed by: https://review.openstack.org/65241
    Move policy check of attach_interface/detach_interface to api layer

Addressed by: https://review.openstack.org/65609
    Move policy check of volume action to api layer

Addressed by: https://review.openstack.org/65627
    Move policy check of set_admin_password to api layer

Addressed by: https://review.openstack.org/65640
    Move policy check of compute:get_console_output to api layer

Addressed by: https://review.openstack.org/65647
    Move policy check of get_vnc_console/get_spice_console to api layer

Addressed by: https://review.openstack.org/65862
    Move policy check of restore to api layer

Addressed by: https://review.openstack.org/65896
    Changes discoverable entry scope to 'compute:v3' for v3 core api

Addressed by: https://review.openstack.org/66775
    remove all redundant policy check for all admin_actions api in compute layer

Addressed by: https://review.openstack.org/66886
    Remove policy check in db layer for flavor_manage

Addressed by: https://review.openstack.org/67026
    Remove policy check in db layer for aggregates

Addressed by: https://review.openstack.org/67749
    Update policy check on each action for agents

Addressed by: https://review.openstack.org/68012
    Update policy check on each action for evacuate

Addressed by: https://review.openstack.org/68027
    Update policy check for flavor related API for v3

Addressed by: https://review.openstack.org/68036
    Move quota-sets db layer policy checks into api layer

Addressed by: https://review.openstack.org/68134
    Update policy check on each action for multinic

Addressed by: https://review.openstack.org/68388
    Update policy check on each action for certificates

Addressed by: https://review.openstack.org/68554
    Update policy check on each action for config_drive

Addressed by: https://review.openstack.org/69163
    Move policy 'compute:create:forced_host' into api layer

Addressed by: https://review.openstack.org/69166
    Move quota-classes db layer policy checks into api layer

Addressed by: https://review.openstack.org/69198
    update policy check on each action for instance usage audit log

Addressed by: https://review.openstack.org/71534
    Adjust the exception handling to make it more accurate

Addressed by: https://review.openstack.org/72886
    Add test cases for multinic on policy check

Addressed by: https://review.openstack.org/73132
    Remove db layer policy checks for migration

Addressed by: https://review.openstack.org/73140
    Remove db layer authorize for keypair

Addressed by: https://review.openstack.org/73163
    Move policy check of pci to api layer

Addressed by: https://review.openstack.org/73167
    Remove db layer policy checks for pci

Addressed by: https://review.openstack.org/73176
    Remove db layer authorization for certificates

Addressed by: https://review.openstack.org/73192
    Move policy checks of resize/revert_resize/confirm_resize into api

Addressed by: https://review.openstack.org/59284
    Split resize as extension from v3 servers core

Addressed by: https://review.openstack.org/59285
    Add decorator expected_errors for resize_server v3

Addressed by: https://review.openstack.org/73207
    Remove db layer authorization for compute_node and split v3 policy for hypervisors

Addressed by: https://review.openstack.org/73481
    Update policy check on services V3 API & DB layer

Addressed by: https://review.openstack.org/73487
    Remove db layer admin authorization on compute_node

Addressed by: https://review.openstack.org/73490
    Remove db layer admin authorization on services

Addressed by: https://review.openstack.org/73537
    Remove db layer policy checks for cell

Addressed by: https://review.openstack.org/73547
    Move policy check of get_all into api layer

Addressed by: https://review.openstack.org/73556
    Change the policy scope to 'compute:v3:servers' for v3 get_all_tenants

Addressed by: https://review.openstack.org/73860
    add policy check for ips and consoles in v3 api

Addressed by: https://review.openstack.org/73927
    Use instance lookup helper for v2 api

Addressed by: https://review.openstack.org/73928
    Move policy check of get into API layer

v3 API patches have been deferred to Juno --russellb

Unapproved - please re-submit via nova-spec --johnthetubagy (20th March 2014)

Gerrit topic: https://review.openstack.org/#q,topic:bp/for,n,z

Addressed by: https://review.openstack.org/92005
    Blueprint for implementing policy should be enforced at REST API layer

Addressed by: https://review.openstack.org/100408
    Move the policy checks into REST API layer for shelve v3 extension

Addressed by: https://review.openstack.org/127160
    Implement policy should be enforced at REST API layer

Addressed by: https://review.openstack.org/128560
    The end goal of Nova API policy improvement

Addressed by: https://review.openstack.org/138270
    Add vision of nova rest API policy improvement in devref

Addressed by: https://review.openstack.org/143390
    Adds skip_policy_check flag to Compute API and Network API

Addressed by: https://review.openstack.org/143391
    Adds common policy authorizer helper function for Nova V2.1 API

Addressed by: https://review.openstack.org/143392
    Adds V2.1 Policy Enforcement unittest base class

Addressed by: https://review.openstack.org/143393
    Move policy enforcement into REST API layer for v2.1 pause server

Addressed by: https://review.openstack.org/143767
    Add base policy rules for EC2 policy back-compatible

Addressed by: https://review.openstack.org/143768
    Add new policy rule for EC2 reboot

Addressed by: https://review.openstack.org/143771
    Remove useless policy check at nova-network NetworkManager

Addressed by: https://review.openstack.org/144073
    Add REST API policy checking for ec2 network related api

Addressed by: https://review.openstack.org/144579
    Refactor _format_instances in api/ec2/cloudy.py

Addressed by: https://review.openstack.org/147072
    Move policy enforcement into REST API layer for v2.1 lock server

Addressed by: https://review.openstack.org/147092
    Add REST API policy checking for ec2 volume related api

Addressed by: https://review.openstack.org/147106
    Add new policy rule for EC2 start/stop_instances

Addressed by: https://review.openstack.org/147375
    Add REST API checking for security_group_api(ec2)

Addressed by: https://review.openstack.org/147380
    Move policy enforcement into REST API layer for v2.1 suspend/resume server

Addressed by: https://review.openstack.org/147382
    Enforce in REST API layer on v2.1 api shelve

Addressed by: https://review.openstack.org/147386
    Enforce policy checking in REST API layer for v2.1 server_password

Addressed by: https://review.openstack.org/147406
    Move policy enforcement into REST API layer for v2.1 server_diagnostics

Addressed by: https://review.openstack.org/147425
    Move policy enforcement into REST API layer for v2.1 rescue api

Addressed by: https://review.openstack.org/147752
    Add new policy rule for EC2 create/import/describe/delete keypair

Addressed by: https://review.openstack.org/147782
    Move policy enforcement into REST API layer for v2.1 lock server

Addressed by: https://review.openstack.org/147818
    Move v2.1 virtual_interfaces api policy enforcement into REST API layer

Addressed by: https://review.openstack.org/148163
    Enforce in REST API layer on v2.1 api evacuate

Addressed by: https://review.openstack.org/148281
    Add new policy rule for EC2 terminate_instances

Addressed by: https://review.openstack.org/148379
    Add missing policy for nova in policy.json

Addressed by: https://review.openstack.org/148485
    Remove shelve policy for nova compute layer

Addressed by: https://review.openstack.org/148558
    Add new policy rule for EC2 get_password_data

Addressed by: https://review.openstack.org/148809
    Add new policy rule for EC2 terminate_instances

Addressed by: https://review.openstack.org/148816
    Add new policy rule for EC2 create_image

Addressed by: https://review.openstack.org/148838
    Move migrate-server policy enforce into REST API

Addressed by: https://review.openstack.org/149153
    Add new policy rule for EC2 run_instances

Addressed by: https://review.openstack.org/149466
    Add new policy rule for EC2 create/delete_tags

Addressed by: https://review.openstack.org/149468
    Add new policy rule for EC2 describe_instance_attribute

Addressed by: https://review.openstack.org/149502
    Add new policy rules for describe_regions/availability_zones

Addressed by: https://review.openstack.org/149520
    Enforce in REST API layer on v2.1 api attach_interfaces

Addressed by: https://review.openstack.org/149525
    Add new policy rules for ec2 describe_instances/instances_v6

Addressed by: https://review.openstack.org/149527
    Move policy enforcement into REST API layer for v2.1 create backup

Addressed by: https://review.openstack.org/149529
    Move policy enforcement into REST API layer for v2.1 admin actions

Addressed by: https://review.openstack.org/149609
    Move policy enforcement into REST API layer for v2.1 admin password

Addressed by: https://review.openstack.org/149825
    Move policy enforcement into REST API layer for v2.1 fping

Addressed by: https://review.openstack.org/149855
    Move policy enforcement into REST API layer for v2.1 deferred_delete

Addressed by: https://review.openstack.org/149856
    Move policy enforcement into REST API layer for v2.1 server_metadata

Addressed by: https://review.openstack.org/149858
    Move policy enforcement into REST API layer for v2.1 multinic

Addressed by: https://review.openstack.org/149861
    Move policy enforcement into REST API layer for v2.1 ips

Addressed by: https://review.openstack.org/149875
    Correct the policy enforcement for v2.1 server-groups

Addressed by: https://review.openstack.org/149907
    Enforce in REST API layer on v2.1 api volumes-attachments

Addressed by: https://review.openstack.org/149917
    Enforce in REST API layer on v2.1 api console-output

Addressed by: https://review.openstack.org/149927
    Enforce in REST API layer on v2.1 api remote consoles

Addressed by: https://review.openstack.org/149931
    Move policy enforcement into REST API layer for v2.1 servers

Addressed by: https://review.openstack.org/149939
    Add enforce in REST API layer on v2.1 api limits

Addressed by: https://review.openstack.org/149945
    Add enforce in REST API layer on v2.1 api floating_ip_dns

Addressed by: https://review.openstack.org/149962
    Move policy enforcement into REST API layer for v2.1 networks

This has missed the Feature Freeze Proposal deadline, marking as NeedsCodeReview; let's not add any more patches here, if possible. --johnthetubaguy 26th Jan 2015

Addressed by: https://review.openstack.org/150258
    Move policy enforcement into REST API layer for v2.1 extended_volumes

Addressed by: https://review.openstack.org/150267
    Rename and move the v2.1 api policy into separated files

Addressed by: https://review.openstack.org/150280
    Move policy enforcement into REST API layer for v2.1 security_group_default_rules

Addressed by: https://review.openstack.org/150293
    Move policy enforcement into REST API layer for v2.1 cloudpipe

Addressed by: https://review.openstack.org/150299
    Move policy enforcement into REST API layer for v2.1 floating_ip_pools

Addressed by: https://review.openstack.org/150313
    Move policy enforcement into REST API layer for v2.1 floating ips

Addressed by: https://review.openstack.org/150328
    Move policy enforcement into REST API layer for v2.1 security groups

Addressed by: https://review.openstack.org/150348
    Remove db layer hard-code permission checks for v2.1 agents

Addressed by: https://review.openstack.org/150349
    Remove db layer hard-code permission checks for services and compute_nodes

Addressed by: https://review.openstack.org/150350
    Remove db layer hard-code permission checks for v2.1 cells

Addressed by: https://review.openstack.org/150351
    Remove db layer hard-code permission checks for v2.1 quota/quota-class

Addressed by: https://review.openstack.org/150352
    Remove db layer hard-code permission checks for flavors related

Addressed by: https://review.openstack.org/150353
    Remove db layer hard-code permission checks for migrations

Addressed by: https://review.openstack.org/150354
    Remove db layer hard-code permission checks for instance-usage

Addressed by: https://review.openstack.org/150355
    Remove db layer hard-code permission checks for v2.1 pci

Addressed by: https://review.openstack.org/150687
    Remove db layer hard-code permission checks for fixed_ips

Addressed by: https://review.openstack.org/150704
    Remove db layer hard-code permission checks for floating_ips_bulk

Addressed by: https://review.openstack.org/150710
    Remove db layer hard-code permission checks for floating_ip_dns

Addressed by: https://review.openstack.org/150718
    Remove db layer hard-code permission checks for security_groups

Addressed by: https://review.openstack.org/138652
    Add policy check for consoles

Lots of patches here that have -1s and need work, deferring to kilo-3; need to check this complements the v2.1 API work OK. --johnthetubaguy 3 Feb 2015

Most of the patches are waiting for the last base patch to get merged; then those patches can be rebased. --alex xu

Addressed by: https://review.openstack.org/155678
    Move v2.1 rescue api policy enforcement into REST API layer

Addressed by: https://review.openstack.org/155955
    Move v2.1 virtual_interfaces api policy enforcement into REST API layer

Because EC2 may be deprecated in the future, drop all the EC2 related patches. Let's focus on v2.1 and db layer cleanup. --alex 16 Feb 2015

Addressed by: https://review.openstack.org/159376
    Move policy enforcement into REST API layer for v2.1 api volume_attachment

Addressed by: https://review.openstack.org/159759
    Remove db layer hard-code permission checks for service_create

Addressed by: https://review.openstack.org/159760
    Remove db layer hard-code permission checks for service_update/get_by_args

Addressed by: https://review.openstack.org/159761
    Remove db layer hard-code permission checks for service_delete/service_get

Addressed by: https://review.openstack.org/159762
    Remove db layer hard-code permission checks for service_get_all_by_topic/host

Addressed by: https://review.openstack.org/160088
    Remove db layer hard-code permission checks for service_get_all

Addressed by: https://review.openstack.org/160089
    Remove db layer hard-code permission checks for service_get_by_compute_host

Addressed by: https://review.openstack.org/160102
    Remove db layer hard-code permission checks for fixed_ip_disassociate_all_by_timeout

Addressed by: https://review.openstack.org/160103
    Remove db layer hard-code permission checks for fixed_ip_get_*

Addressed by: https://review.openstack.org/160120
    Add floating_ips_bulk policy enforcement test case for v2.1 REST API layer

Gerrit topic: https://review.openstack.org/#q,topic:remove_quota_hardcode_permission,n,z

Addressed by: https://review.openstack.org/160201
    Remove db layer hard-code permission checks for quota_destroy_all_*

Addressed by: https://review.openstack.org/160202
    Remove db layer hard-code permission checks for quota_get_all_*

Addressed by: https://review.openstack.org/160203
    Remove db layer hard-code permission checks for quota_create/update

Gerrit topic: https://review.openstack.org/#q,topic:remove_quotaclass_hardcode_permission,n,z

Addressed by: https://review.openstack.org/160205
    Remove db layer hard-code permission checks for quota_class_get_all_by_name

Addressed by: https://review.openstack.org/160206
    Remove db layer hard-code permission checks for quota_class/update

Addressed by: https://review.openstack.org/160207
    Cleanup quota_class unittest with appropriate request context

Gerrit topic: https://review.openstack.org/#q,topic:remove_qutoa_hardcode_permission,n,z

Addressed by: https://review.openstack.org/160215
    Remove db layer hard-code permission checks for quota_usage_update

Addressed by: https://review.openstack.org/160237
    Add floating_ip_dns policy enforcement test case for v2.1 REST API layer

Addressed by: https://review.openstack.org/160257
    Add security_group_default_rules policy enforcement test case for v2.1 REST API layer

Gerrit topic: https://review.openstack.org/#q,topic:remove_flavor_hardcode_permission,n,z

Addressed by: https://review.openstack.org/160269
    Remove db layer hard-code permission checks for flavor_access

Gerrit topic: https://review.openstack.org/#q,topic:remove_service_db_hardcode_check,n,z

Gerrit topic: https://review.openstack.org/#q,topic:remove_task_log_hard_permission,n,z

Addressed by: https://review.openstack.org/160309
    Remove db layer hard-code permission checks for task_log_begin/end_task

Gerrit topic: https://review.openstack.org/#q,topic:remove_mig_hard_code_permission,n,z

Addressed by: https://review.openstack.org/160679
    Remove db layer hard-code permission checks for migrations_get*

Addressed by: https://review.openstack.org/161234
    Remove db layer hard-code permission checks for network_associate

Addressed by: https://review.openstack.org/161622
    Remove db layer hard-code permission checks for network_count_reserved_ips

Addressed by: https://review.openstack.org/161623
    Remove db layer hard-code permission checks for network_delete_safe

Addressed by: https://review.openstack.org/161624
    Remove db layer hard-code permission checks for network_disassociate

Addressed by: https://review.openstack.org/161625
    Remove db layer hard-code permission checks for network_set_host

Addressed by: https://review.openstack.org/161626
    Remove db layer hard-code permission checks for network_create_safe

Addressed by: https://review.openstack.org/161627
    Remove db layer hard-code permission checks for network_get_by_uuid

Addressed by: https://review.openstack.org/161628
    Remove db layer hard-code permission checks for network_get_by_cidr

Addressed by: https://review.openstack.org/161629
    Remove db layer hard-code permission checks for network_get_all_by_host

Addressed by: https://review.openstack.org/161630
    Remove db layer hard-code permission checks for network_get_associated_fixed_ips

Gerrit topic: https://review.openstack.org/#q,topic:bug/1429126,n,z

Addressed by: https://review.openstack.org/162168
    Move unlock_override policy enforcement into V2.1 REST API layer

Gerrit topic: https://review.openstack.org/#q,topic:rm_service_db_permission_check,n,z

Addressed by: https://review.openstack.org/162564
    move the Network V2 related api test from V21 to V2 test

Since we have hit feature proposal freeze, marking this as partial and ready to review. Please no more "new code" should be uploaded as we try to get the current items merged before feature freeze. --johnthetubaguy 10th March 2015

Addressed by: https://review.openstack.org/163689
    Remove useless policy rules for v2.1 api which removed/disabled

The team is going to mark code as abandoned till liberty for other patches. --johnthetubaguy 13th March 2015

Gerrit topic: https://review.openstack.org/#q,topic:bug/1432455,n,z

Addressed by: https://review.openstack.org/164549
    Pass project_id when create networks by os-tenant-networks

We probably need to try and get this one into kilo-3, if possible:
https://review.openstack.org/#/c/150267/
--johnthetubaguy 13th March 2015

Addressed by: https://review.openstack.org/166173
    Fix test cases still use v3 prefix

Addressed by: https://review.openstack.org/166189
    Remove comments on API policy, remove core param

Calling this complete for now. --johnthetubaguy 26th March 2015
