External PDP Integration for oslo-policy

Registered by WuKong on 2017-08-10

oslo-policy (together with Keystone/roles) provides the native authorization policy engine for OpenStack. Existing discussions [1] show several shortcomings of this solution. Because OpenStack may be deployed by different users with different requirements, a generic yet flexible approach is needed through which users can define, apply and manage their own authorization policy.
An external PDP (Policy Decision Point) disables the native oslo-policy engine and delegates authorization to an external authorization policy engine. Existing work [2, 3] shows the feasibility of this approach with the Fortress and Moon policy engines. This blueprint proposes a generic hook that redirects authorization requests to an external PDP instead of using the native one. Each policy engine stores and manages the information related to its policy, and grants or denies requests based on this information and its rules.

[1] https://etherpad.openstack.org/p/keystone-policy-meeting
[2] https://review.openstack.org/#/c/237521/
[3] https://git.opnfv.org/cgit/moon/tree/keystone-moon
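
The delegation described above, as an added sketch that is not code from the blueprint, oslo-policy, Fortress or Moon: a hook forwards each authorization request to an external PDP over HTTP and denies when the PDP is unreachable or its reply is malformed. The function name `external_pdp_hook`, the JSON request/response shape and the in-process stub PDP are assumptions made for illustration.

```python
import json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore environment proxy settings so the PDP call goes straight to the PDP.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class StubPDP(BaseHTTPRequestHandler):
    """Constructed stand-in for an external engine: only 'admin' may delete."""
    def do_POST(self):
        req = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        roles = req.get("credentials", {}).get("roles", [])
        allowed = req.get("action") != "compute:delete" or "admin" in roles
        body = json.dumps({"decision": "permit" if allowed else "deny"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # silence per-request logging
        pass

def external_pdp_hook(pdp_url, action, target, credentials, timeout=2.0):
    """Hypothetical hook: ask the PDP; any error or unexpected reply is a deny."""
    payload = json.dumps({"action": action, "target": target,
                          "credentials": credentials}).encode()
    request = urllib.request.Request(
        pdp_url, data=payload, headers={"Content-Type": "application/json"})
    try:
        with _opener.open(request, timeout=timeout) as resp:
            reply = json.loads(resp.read())
    except (OSError, ValueError):  # network failure, timeout, HTTP error, bad JSON
        return False               # fail closed
    return isinstance(reply, dict) and reply.get("decision") == "permit"

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubPDP)  # constructed local PDP
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/authorize" % server.server_port
    target = {"project_id": "p1"}  # constructed sample target
    results = [
        external_pdp_hook(url, "compute:delete", target, {"roles": ["admin"]}),
        external_pdp_hook(url, "compute:delete", target, {"roles": ["member"]}),
    ]
    server.shutdown()
    server.server_close()
    # PDP is now down: the same admin request must be denied, not allowed.
    results.append(external_pdp_hook(url, "compute:delete", target, {"roles": ["admin"]}))
    return results

if __name__ == "__main__":
    print(demo())
```

The third call shows the property that matters once authorization leaves the process: an outage of the external engine results in denial rather than a fallback to allow.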

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: WuKong
Direction: Needs approval
Assignee: WuKong
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None
