policy.json - Checking resource field against constant

Registered by Florent Flament on 2014-01-21

Keystone policy engine currently allows 4 kinds of rules:

* rule:<rulename> (class `RuleCheck`) allows making recursive rules,
  by checking that <rulename> is True;

* role:<rolename> (class `RoleCheck`) checks that <rolename> belongs
  to the roles associated with the token;

* http:<targeturl> (class `HttpCheck`) uses an external policy engine,
  by calling <targeturl>;

* <credential>:<match> (class `GenericCheck`) allows checking a
  credential (provided through the token) against a string or any
  field of a resource being processed (user, role, domain, project,
  ...)

The feature proposed in this blueprint consists in allowing the
platform administrator to have resources' fields compared against
constants in its policy.json files, without using an external policy
engine.

For instance, to avoid deleting users by mistake, the platform
administrator may want to ensure that a user's `enabled` field is set
to `False`, prior to deleting it. To do that, he wishes to set the
following rule into its Keystone policy.json file:

"identity:delete_user": "'False':%(target.user.enabled)s",

Class to update:
https://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py#L833

Blueprint information

Status:
Not started
Approver:
Ben Nemec
Priority:
Undefined
Drafter:
None
Direction:
Needs approval
Assignee:
Florent Flament
Definition:
Approved
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/policy-constant-check,n,z

Addressed by: https://review.openstack.org/68176
    Allow policy.json resource vs constant check

Another user story:
I'd like to have 2 different roles:
* An `admin` role only allowing to grant the 'Member' role to users ;
* A `super-admin` role allowing to grant any role.

To implement that, one would use the following rules:
"role_allowed": "role:super_admin or (role:admin and 'Member':%(target.role.name)s)",
"same_domain": "domain_id:%(target.domain.id)s or domain_id:%(target.project.domain_id)s",
"same_dom_or_proj": "rule:same_domain or project_id:%(target.project.id)s",
"identity:create_grant": "rule:cloud_admin or (rule:role_allowed and rule:same_dom_or_proj)",
"identity:revoke_grant": "rule:cloud_admin or (rule:role_allowed and rule:same_dom_or_proj)",

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.