Allow more fine grained authorization check with oslo.policy

Registered by Hisashi Osanai on 2015-01-26

First, the content of this BP is the same as that of the following BP. However, the policy module in oslo-incubator will be graduated, so the implementation of this BP should be updated to use the oslo.policy library.
https://blueprints.launchpad.net/swift/+spec/authorization-policy

Currently in Swift, the authorization checks defined in the keystoneauth middleware are based on three main kinds of user profile:

* "anonymous" users (users that are not authenticated), who can only perform some specific actions (public actions).
* "operators" (users that have one of the roles defined in the operator_roles parameter), who have the right to do almost everything as long as it is within their own tenant.
* "reseller admins" (users that have the role defined in the reseller_admin_role parameter), who have the right to do almost everything.

While these profiles can handle many use cases, some users may still need more fine-grained profiles/authorization checks.
For example, we may need to define a profile that is only capable of listing objects/containers and not able to upload/create new objects, etc.

For this we propose to implement a policy engine within the keystoneauth middleware,
in the same way other OpenStack components already do, through the JSON policy format (based on https://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py).

Updated: This oslo-incubator module will be graduated, so this should be implemented with the oslo.policy library.
https://github.com/openstack/oslo-specs/blob/master/specs/kilo/graduate-policy.rst

This way, it would be possible to define user-specific authorizations for different kinds of profiles by providing a policy file that describes them.
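As an added illustration of the policy-file approach proposed above (written for this page, not code from Swift, keystoneauth or oslo.policy), the following Python defines a constructed policy in the JSON policy style, with a hypothetical list-only "lister" profile next to the operator and reseller-admin profiles, and evaluates it with a small stand-alone evaluator for the `role:`, `rule:` and generic `key:value` checks of the policy language. The rule names, role names, the AUTH_ reseller prefix and the request-to-action mapping are assumptions made for the example; a real implementation would call oslo.policy's own Enforcer instead of this evaluator.

```python
import json
from typing import Any, Dict, List

# Constructed policy in the JSON policy style used by oslo-incubator / oslo.policy.
# Rule names, role names and the list-only "lister" profile are hypothetical
# choices for this example, not a policy file that ships with Swift.
POLICY_JSON = """
{
    "is_reseller_admin": "role:ResellerAdmin",
    "is_operator": "role:admin or role:swiftoperator",
    "is_lister": "role:lister",
    "same_tenant": "tenant_id:%(target_tenant_id)s",
    "default": "rule:is_reseller_admin or (rule:is_operator and rule:same_tenant)",
    "lister_in_tenant": "rule:is_lister and rule:same_tenant",
    "container:get": "rule:default or rule:lister_in_tenant",
    "object:get": "rule:default or rule:lister_in_tenant",
    "object:put": "rule:default",
    "object:delete": "rule:default"
}
"""

RESELLER_PREFIX = "AUTH_"  # assumed reseller prefix in account names


def _tokenize(expr: str) -> List[str]:
    """Split a rule into tokens, peeling leading '(' and trailing ')' off each
    word so that a substitution like '%(target_tenant_id)s' stays intact."""
    tokens: List[str] = []
    for word in expr.split():
        opens = len(word) - len(word.lstrip("("))
        word = word[opens:]
        closes = len(word) - len(word.rstrip(")"))
        word = word[:len(word) - closes]
        tokens.extend(["("] * opens)
        if word:
            tokens.append(word)
        tokens.extend([")"] * closes)
    return tokens


class Enforcer:
    """Minimal evaluator for 'role:', 'rule:' and generic 'key:value' checks,
    '@' (always) and '!' (never), joined by and/or/not and parentheses.
    Example-only stand-in for oslo.policy's Enforcer."""

    def __init__(self, rules: Dict[str, str]):
        self.rules = rules

    def enforce(self, action: str, target: Dict[str, Any], creds: Dict[str, Any]) -> bool:
        # An action without an explicit rule falls back to "default"; no default means deny.
        expr = self.rules.get(action, self.rules.get("default", "!"))
        return self._eval(expr, target, creds)

    def _eval(self, expr: str, target: Dict[str, Any], creds: Dict[str, Any]) -> bool:
        tokens, pos = _tokenize(expr), 0

        def peek():
            return tokens[pos] if pos < len(tokens) else None

        def take():
            nonlocal pos
            pos += 1
            return tokens[pos - 1]

        def parse_or():                      # 'and' binds tighter than 'or'
            result = parse_and()
            while peek() == "or":
                take()
                rhs = parse_and()
                result = result or rhs
            return result

        def parse_and():
            result = parse_atom()
            while peek() == "and":
                take()
                rhs = parse_atom()
                result = result and rhs
            return result

        def parse_atom():
            tok = take()
            if tok == "(":
                value = parse_or()
                if take() != ")":
                    raise ValueError("unbalanced parentheses in %r" % expr)
                return value
            if tok == "not":
                return not parse_atom()
            return self._check(tok, target, creds)

        value = parse_or()
        if peek() is not None:
            raise ValueError("trailing tokens in %r" % expr)
        return value

    def _check(self, tok: str, target: Dict[str, Any], creds: Dict[str, Any]) -> bool:
        if tok == "@":
            return True
        if tok == "!":
            return False
        kind, _, match = tok.partition(":")
        if kind == "role":               # roles are matched case-insensitively
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        if kind == "rule":               # reference to another named rule
            return self.enforce(match, target, creds)
        try:
            match = match % target       # fill %(key)s placeholders from the request target
        except KeyError:
            return False
        return str(creds.get(kind)) == match


def action_for(method: str, path: str) -> str:
    """Map a Swift request to a policy action such as 'object:put' (HEAD counts as get)."""
    parts = path.strip("/").split("/", 3)          # ['v1', 'AUTH_t1', 'c', 'o']
    if len(parts) < 2:
        raise ValueError("not a Swift v1 path: %r" % path)
    level = {2: "account", 3: "container", 4: "object"}[len(parts)]
    verb = "get" if method in ("GET", "HEAD") else method.lower()
    return "%s:%s" % (level, verb)


def tenant_from_path(path: str) -> str:
    account = path.strip("/").split("/")[1]
    return account[len(RESELLER_PREFIX):] if account.startswith(RESELLER_PREFIX) else account


ENFORCER = Enforcer(json.loads(POLICY_JSON))


def authorize(method: str, path: str, creds: Dict[str, Any]) -> bool:
    """Decision the middleware would make: creds come from the Keystone token,
    target from the request path."""
    target = {"target_tenant_id": tenant_from_path(path)}
    return ENFORCER.enforce(action_for(method, path), target, creds)
```

The constructed "lister" profile can GET containers and objects within its own tenant and nothing else; operators keep full rights in their tenant, and the reseller admin passes every rule. Because unknown actions fall back to "default", a new request type is denied to listers until a rule is written for it, which is the safe direction for a deny-by-default policy.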

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
Hisashi Osanai
Direction:
Needs approval
Assignee:
Hisashi Osanai
Definition:
New
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/updated-authorization-policy,n,z

Addressed by: https://review.openstack.org/149930
    Enable Role-based access control using oslo.policy in Swift


Work Items
