Policies - Add ParameterEqualityCheck rule check for comparing the parameters

Registered by Abhishek Kekane

Add a new rule check, 'ParameterEqualityCheck', to the policy module that evaluates a rule by equality, i.e. whether 'kind' is equal to 'match'.

For example, if rule in policy.json is configured as:


        'restricted': 'ntt_3251==%(x_billing_code_ntt)s'

where 'ntt_3251' is 'kind' and '%(x_billing_code_ntt)s' is 'match'.

Then the comparison 'kind' == 'match', i.e. ntt_3251 == %(x_billing_code_ntt)s, should return True if %(x_billing_code_ntt)s evaluates to 'ntt_3251'.

**Use case:**
As a Glance deployer, I want to create licensed images that can be used by OpenStack users only within their environment. Other users should not be able to download and use these licensed images for their own benefit.

Presently, any user can freely download images that are shared publicly, which could lead to piracy. Today you can stop users from downloading images by configuring the 'download_image' policy with a role constraint, but that restricts every user holding that role from downloading every image, which is not good. What I want is to restrict downloads only when a specific core/custom property is present in the image, or only for users holding certain specific roles.

For example, to limit image downloads on the basis of a core/custom property or roles, you can configure the 'download_image' policy as follows:


        "restricted": "not (ntt_3251==%(x_billing_code_ntt)s and role:_member_)",
        "download_image": "role:admin or rule:restricted"

So when the 'download_image' policy is enforced, in the above case only an admin or a user who satisfies the rule 'restricted' will be able to download the image; other users will not.

Currently, in the policy module, if you want to compare 'kind' with 'match', you need to pass the required data in the 'credential' dictionary and then match against it.

'credential' is a dictionary which consists of information about users, tenants and roles, i.e. context information. So if the comparison needs to be done on the basis of image or instance properties, you need to pass these properties explicitly through the 'credential' dictionary; otherwise a 'KeyError' will be raised, because this information is not present in the 'credential' dictionary, and the policy rule will not work as expected.
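The two rule forms discussed above, as an added illustration that is not oslo, Glance or this blueprint's code: a toy policy engine with the existing 'kind:match' GenericCheck (which looks 'kind' up in the credentials and so raises KeyError for an image property), the proposed 'kind==match' ParameterEqualityCheck, and a small parser that evaluates the 'restricted' and 'download_image' rules quoted earlier. The class and function names, the three-argument __call__(target, creds, rules) signature, the choice to treat a missing image property as "no match", and the sample image and credential dictionaries are all assumptions of this example, not taken from the page or the project.

```python
import re

# Tokens: '(' , ')' , or a word; a word's own %(...)s placeholder keeps its parens.
_TOKEN = re.compile(r"\(|\)|[^\s()]+(?:\([^)]*\)[^\s()]*)*")

class Check:
    def __init__(self, kind, match):
        self.kind, self.match = kind, match

class GenericCheck(Check):
    """Existing 'kind:match': substitute target into 'match', compare with creds[kind].
    An image property used as 'kind' is not in creds, so the lookup raises KeyError."""
    def __call__(self, target, creds, rules):
        return self.match % target == str(creds[self.kind])

class ParameterEqualityCheck(Check):
    """Proposed 'kind==match': compare the literal 'kind' with 'match' after
    target substitution. Assumed here: a missing target key means no match."""
    def __call__(self, target, creds, rules):
        try:
            return self.kind == self.match % target
        except KeyError:
            return False

class RoleCheck(Check):
    def __call__(self, target, creds, rules):
        return self.match.lower() in [r.lower() for r in creds.get("roles", [])]

class RuleCheck(Check):
    def __call__(self, target, creds, rules):
        return rules[self.match](target, creds, rules)

class NotCheck:
    def __init__(self, inner):
        self.inner = inner
    def __call__(self, target, creds, rules):
        return not self.inner(target, creds, rules)

class BoolCheck:
    """'and' / 'or' over sub-checks, short-circuiting via all()/any()."""
    def __init__(self, op, checks):
        self.op, self.checks = op, checks
    def __call__(self, target, creds, rules):
        results = (c(target, creds, rules) for c in self.checks)
        return all(results) if self.op == "and" else any(results)

def _atom(token):
    if "==" in token:                                   # the new equality form
        return ParameterEqualityCheck(*token.split("==", 1))
    kind, match = token.split(":", 1)
    return {"role": RoleCheck, "rule": RuleCheck}.get(kind, GenericCheck)(kind, match)

def parse_rule(rule):
    """Recursive descent: or_expr > and_expr > 'not' unary | '(' or_expr ')' | atom."""
    tokens, pos = _TOKEN.findall(rule), 0

    def parse_bin(op, sub):                             # left-assoc chain of 'op'
        nonlocal pos
        parts = [sub()]
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            parts.append(sub())
        return parts[0] if len(parts) == 1 else BoolCheck(op, parts)

    def parse_or():
        return parse_bin("or", lambda: parse_bin("and", parse_unary))

    def parse_unary():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "not":
            return NotCheck(parse_unary())
        if tok == "(":
            inner = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses: %s" % rule)
            pos += 1
            return inner
        return _atom(tok)

    tree = parse_or()
    if pos != len(tokens):
        raise ValueError("malformed rule: %s" % rule)
    return tree

# The blueprint's policy.json fragment, parsed once.
POLICY = {
    "restricted": "not (ntt_3251==%(x_billing_code_ntt)s and role:_member_)",
    "download_image": "role:admin or rule:restricted",
}
RULES = {name: parse_rule(text) for name, text in POLICY.items()}

def enforce(action, target, creds, rules=RULES):
    """True when 'action' is allowed for this image (target) and caller (creds)."""
    return bool(rules[action](target, creds, rules))

# Constructed sample data (not from the page): image properties and caller creds.
LICENSED, UNTAGGED = {"x_billing_code_ntt": "ntt_3251"}, {}
ADMIN, MEMBER = {"roles": ["admin"]}, {"roles": ["_member_"]}
```

With these rules, enforce("download_image", LICENSED, MEMBER) is False while the admin, a member fetching an untagged image, and a caller with no roles at all are allowed, matching the description of 'restricted' above; a rule written in the old form, parse_rule("ntt_3251:%(x_billing_code_ntt)s"), raises KeyError on the same image because 'ntt_3251' is looked up in the credentials rather than compared with the substituted property.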

Blueprint information

Not started
Doug Hellmann
Abhishek Kekane
Needs approval
Abhishek Kekane
Series goal:
Milestone target:


Gerrit topic: https://review.openstack.org/#q,topic:bp/policy-compare-kind-with-match,n,z

Addressed by: https://review.openstack.org/106285
    Add spec for policy-compare-kind-with-match

Addressed by: https://review.openstack.org/106690
    Add comparison check for 'kind' and 'match'


Work Items

Work items:
Add new class 'ParameterEqualityCheck' to compare 'kind' and 'match': TODO
Unit tests for coverage: TODO
