Role Based Access Control Filtering

Registered by Paul Montgomery on 2013-12-05

The Solum API currently includes values such as user_id and project_id in the data sent to any user. Later, once RBAC is implemented, we should investigate filtering the data sent to non-operator or less-privileged users, with a focus on security, efficiency and ease of use.

Note: At no point should one of these IDs, when coming from a user, be used by the Solum control plane blindly. Solum should authenticate the user's credentials and always perform a lookup in the control plane database to understand user ACLs.

Original review link with more details/discussion: https://review.openstack.org/#/c/58677/
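
A minimal sketch of the two points above, added here as an illustration and not taken from Solum or the linked review: scoping comes from a server-side lookup keyed by the authenticated credential, and ID fields are filtered out of responses to non-operators. All names (ACL_DB, RESOURCES, authenticate, list_resources, the token strings) are hypothetical, and the data is constructed.

```python
# Added illustration; every name here is hypothetical, not Solum's code.
SENSITIVE_FIELDS = {"user_id", "project_id"}

# Constructed stand-in for the control plane database: identity and roles
# are keyed by the credential that authentication verified, never by
# anything the caller places in the request body or query string.
ACL_DB = {
    "tok-operator": {"user_id": "u-1", "project_id": "p-1", "roles": {"operator"}},
    "tok-member": {"user_id": "u-2", "project_id": "p-2", "roles": {"member"}},
}

# Constructed sample resources as the API might store them.
RESOURCES = [
    {"name": "app-a", "status": "READY", "user_id": "u-1", "project_id": "p-1"},
    {"name": "app-b", "status": "BUILDING", "user_id": "u-2", "project_id": "p-2"},
]


class Unauthorized(Exception):
    """Raised when the presented credential cannot be authenticated."""


def authenticate(token):
    """Resolve a credential to the server-side identity/ACL record."""
    try:
        return ACL_DB[token]
    except KeyError:
        raise Unauthorized("unknown credential") from None


def list_resources(token, request_params):
    """Return the resources the caller may see, filtered by role."""
    identity = authenticate(token)
    # request_params may carry user_id/project_id chosen by the caller;
    # they are deliberately not consulted for scoping or authorization.
    is_operator = "operator" in identity["roles"]
    visible = [
        r for r in RESOURCES
        if is_operator or r["project_id"] == identity["project_id"]
    ]
    if is_operator:
        return [dict(r) for r in visible]
    # Lesser-privileged callers get the same records minus the ID fields.
    return [
        {k: v for k, v in r.items() if k not in SENSITIVE_FIELDS}
        for r in visible
    ]
```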

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: None
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Adrian Otto on 2015-06-11
Completed by: Adrian Otto on 2015-06-11

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/rbac-filtering,n,z

Addressed by: https://review.openstack.org/64458
    Add security context for each incoming request.

Addressed by: https://review.openstack.org/65507
    Move devstack hooks from infra config to solum repo

Addressed by: https://review.openstack.org/63201
    WIP: Centralized context class for holding "global" data

Gerrit topic: https://review.openstack.org/#q,topic:extend_context,n,z

Addressed by: https://review.openstack.org/77864
    Add catalog helper methods to RequestContext
