Fine-grained queue permissioning
To support communication between disparate systems, Marconi needs fine-grained access control on a per-queue basis, so that potentially a list of user accounts can be given some combination of read / write / claim+delete access to an individual queue.
To simplify maintenance, it would be desirable to use roles instead of merely a list of designated users.
It might be desirable to allow users to create webhooks that are self-authenticating URLs as well, so that you can configure external products without revealing your login credentials.
It would not be desirable to "overload" existing mechanisms, for example by inserting the access rules into the metadata.
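The access model described above, as an added Python sketch that is not Marconi's or oslo.policy's code: role-based grants per queue with default deny, plus a self-authenticating query string that carries its own action scope and expiry under an HMAC. The queue names, role names, action labels, query parameter names and the signing scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed sample policy: grants are attached to roles, per queue.
QUEUE_ACL = {
    "orders": {"producer": {"write"}, "worker": {"read", "claim+delete"}},
    "audit": {"auditor": {"read"}},
}

def role_allows(queue, roles, action):
    """Default deny: allow only if one of the caller's roles grants the action."""
    grants = QUEUE_ACL.get(queue, {})
    return any(action in grants.get(role, ()) for role in roles)

def _sign(key, queue, actions, expires):
    # Queue name, action set and expiry are all covered by the MAC.
    # Assumes queue and action names contain no newline or comma.
    msg = "\n".join([queue, ",".join(sorted(actions)), str(expires)])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def make_signed_query(key, queue, actions, ttl, now=None):
    """Query string granting `actions` on `queue` for `ttl` seconds."""
    expires = int(time.time() if now is None else now) + ttl
    return urlencode({"actions": ",".join(sorted(actions)), "expires": expires,
                      "sig": _sign(key, queue, actions, expires)})

def signed_query_allows(key, queue, action, query, now=None):
    """Check a signed query against the queue named in the request path."""
    params = parse_qs(query)
    try:
        actions = set(params["actions"][0].split(","))
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameter: reject
    expected = _sign(key, queue, actions, expires)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False  # tampered scope, wrong queue, or wrong key
    now = time.time() if now is None else now
    return now < expires and action in actions
```

Because the queue name comes from the request path and not from the signed parameters, a query string issued for one queue fails verification on any other.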
Blueprint information
- Status: Complete
- Approver: Flavio Percoco
- Priority: Medium
- Drafter: Feilong Wang
- Direction: Approved
- Assignee: Flavio Percoco
- Definition: Approved
- Series goal: Accepted for liberty
- Implementation: Implemented
- Milestone target: 1.0.0
- Started by: Feilong Wang
- Completed by: Flavio Percoco
Whiteboard
The basic idea will be leveraging oslo.policy to implement the RBAC policy enforcement for queue and message actions. Will draft a spec soon. -- flwang
Gerrit topic: https:/
Addressed by: https:/
Policy support
Addressed by: https:/
Policy support