Fine-grained queue permissioning

Registered by Ken Wronkiewicz

To allow communication between disparate systems, Marconi needs a way to do fine-grained access control on a per-queue basis, so that potentially a list of user accounts can be given any combination of read / write / claim+delete access for an individual queue.

In order to simplify maintenance, it would be desirable to use roles instead of merely a list of designated users.

It might be desirable to allow users to create webhooks that are self-authenticating URLs as well, so that you can configure external products without revealing your login credentials.

It would not be desirable to "overload" existing mechanisms, like inserting it into the metadata.
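The following is an added sketch, not Marconi code and not part of the blueprint, showing how per-queue role grants and a self-authenticating webhook URL can be checked with deny-by-default behaviour. The policy table, secret, host name, URL layout and all function names are assumptions made for illustration, and it uses a plain HMAC rather than oslo.policy.

```python
import hashlib, hmac, time
from urllib.parse import urlencode, urlparse, parse_qs

OPS = {"read", "write", "claim+delete"}   # the three access types named above
# Constructed sample policy: queue -> role -> granted operations (deny by default).
QUEUE_ACL = {"billing-events": {"producer": {"write"},
                                "worker": {"read", "claim+delete"},
                                "auditor": {"read"}}}
SECRET = b"constructed-demo-key"   # placeholder; load from a secret store in practice

def is_allowed(queue, roles, op):
    """True only if one of the caller's roles grants `op` on this queue."""
    acl = QUEUE_ACL.get(queue, {})
    return any(op in acl.get(role, ()) for role in roles)

def _sign(queue, ops, expires):
    # Bind queue, operation set and expiry together so none can be swapped.
    msg = "\n".join([queue, ",".join(sorted(ops)), str(expires)]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_webhook_url(base, queue, ops, ttl, now=None):
    """Issue a URL that carries its own authorization for `ops` on `queue`."""
    if not set(ops) <= OPS:
        raise ValueError("unknown operation")
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"ops": ",".join(sorted(ops)), "expires": expires,
                       "sig": _sign(queue, ops, expires)})
    return f"{base}/queues/{queue}/messages?{query}"

def check_webhook_url(url, op, now=None):
    """Verify signature, expiry and scope; any malformed field means deny."""
    parts = urlparse(url)
    segs, qs = parts.path.strip("/").split("/"), parse_qs(parts.query)
    try:
        queue = segs[segs.index("queues") + 1]
        ops = set(qs["ops"][0].split(","))
        expires, sig = int(qs["expires"][0]), qs["sig"][0]
    except (ValueError, KeyError, IndexError):
        return False
    if not ops <= OPS:
        return False
    expected = _sign(queue, ops, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return int(time.time() if now is None else now) < expires and op in ops
```

The URL holder never sees account credentials, and the signature covers the queue name, so a URL issued for one queue is rejected on any other.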

Blueprint information

Status: Complete
Approver: Flavio Percoco
Priority: Medium
Drafter: Feilong Wang
Direction: Approved
Assignee: Flavio Percoco
Definition: Approved
Series goal: Accepted for liberty
Implementation: Implemented
Milestone target: 1.0.0
Started by: Feilong Wang
Completed by: Flavio Percoco

Whiteboard

The basic idea will be leveraging oslo.policy to implement the RBAC policy enforcement for queue and message actions. Will draft a spec soon. -- flwang

Gerrit topic: https://review.openstack.org/#q,topic:bp/fine-grained-permissions,n,z

Addressed by: https://review.openstack.org/179673
    Policy support

Addressed by: https://review.openstack.org/209910
    Policy support
