Enhancement of Tacker API resource access control

Registered by Yuta Kazato

The Tacker policy defined in the policy enforcer and policy.yaml uses only "admin_or_owner" or "@" (allow any).
In telecom operator use cases, additional information such as "area/region" and "vnfprovider" is used for access control.

This blueprint aims to implement fine-grained access control based on user and VNF information for API resources.
We will extend user information to include role, VIM information, and VNF instance information,
and implement a policy enforcer that uses not only roles but also user and VNF information.

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Yuta Kazato
Direction: Needs approval
Assignee: Yuta Kazato
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Gerrit topic: https://review.opendev.org/#/q/topic:bp/enhance-api-policy

Addressed by: https://review.opendev.org/c/openstack/tacker-specs/+/867763
    Enhancement of Tacker API Resource Access Control

Addressed by: https://review.opendev.org/c/openstack/tacker/+/871224
    [WIP]Enhancement of Tacker API resource access control

Gerrit topic: https://review.opendev.org/#/q/topic:antelope/rc2

Addressed by: https://review.opendev.org/c/openstack/tacker/+/877379
    Enhancement of Tacker API resource access control

Addressed by: https://review.opendev.org/c/openstack/tacker/+/888512
    Enhancement of Tacker API Policy for VNF tenant
