From 723f48e494ef3d2ca1cc80a3e0246ac62e273fea Mon Sep 17 00:00:00 2001
From: Fei Long Wang
Date: Fri, 5 Jun 2015 05:15:45 +0000
Subject: [PATCH] Policy support

Zaqar needs to support policy. This proposal is for adding policy.json and
leveraging oslo.policy to implement fine-grained permissions for Zaqar's
REST API endpoints.

blueprint: fine-grained-permissions

Co-Authored-By: Louis Taylor
Change-Id: I61ff36b12d7128aae88a8b4da19be90c9faa0a02
---
 specs/liberty/policy_support.rst | 147 +++++++++++++++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 specs/liberty/policy_support.rst

diff --git a/specs/liberty/policy_support.rst b/specs/liberty/policy_support.rst
new file mode 100644
index 0000000..85ce2ca
--- /dev/null
+++ b/specs/liberty/policy_support.rst
@@ -0,0 +1,147 @@ +.. + This template should be in ReSTructured text. The filename in the git + repository should match the launchpad URL, for example a URL of + https://blueprints.launchpad.net/zaqar/+spec/awesome-thing should be named + awesome-thing.rst. + + Please do not delete any of the sections in this + template. If you have nothing to say for a whole section, just write: None + + For help with syntax, see http://sphinx-doc.org/rest.html + To test out your formatting, see http://www.tele3.cz/jbar/rest/rest.html + +============================ +Authorization Policy Support +============================ + +OpenStack components are supposed to check user privileges to perform any +action. Generally these checks are role-based. See +http://docs.openstack.org/developer/keystone/architecture.html#approach-to-authorization-policy. +Zaqar needs to support policies as well. + +Problem description +=================== + +Presently Zaqar is missing fine-grained permissions for actions. For example, it's +hard to allow one user only can get message from a queue but not be able to +post message to the queue, or something like that. + + +Proposed change +=============== + +Add policy check for all Zaqar API endpoints. This could be done by following +the same way as in other OpenStack components, by leveraging the oslo.policy +module which will do all the underlying work. + +The implementation should be fairly simple, with oslo.policy's ``Enforcer`` +class being instantiated with the policy file, then the ``enforce`` method used +to check each API call. + +Proposed content of the policy file: + +.. 
sourcecode:: json + + { + "context_is_admin": "role:admin", + "admin_or_owner": "is_admin:True or project_id:%(project_id)s", + "default": "rule:admin_or_owner", + + "queues:get_all": "", + "queues:put": "", + "queues:get": "", + "queues:delete": "", + + "messages:post": "", + "messages:get": "", + "messages:bulk_get": "", + "messages:bulk_delete": "", + "messages:claim": "", + + "subscriptions:get_all": "", + "subscriptions:create": "", + "subscriptions:get": "", + "subscriptions:delete": "", + "subscriptions:update": "", + } + + +Alternatives +------------ + +None. + +Data model impact +----------------- + +None. + +REST API impact +--------------- + +None. + +Other end user impact +--------------------- + +None. + +Deployer impact +--------------- + +An additional file, ``policy.json`` must be deployed. The deployer should +verify the settings in that file are correct for their deployment, such that +the correct users are allowed access. + +Developer impact +---------------- + +If there is any new API endpoint added for Zaqar, then policy rules in the +json files should be updated accordingly. 
+ +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + kragniz (Louis Taylor) + +Milestones +---------- + +Target Milestone for completion: L-1 + +Work Items +---------- + +* Add config options to point to control policy file and settings +* Add policy check to all API calls +* Add unit tests +* Add documentation + +Dependencies +============ + +* oslo.policy + +Testing +======= + +* Unit tests +* Manual testing + +Documentation Impact +==================== + +* Feature need to be documented +* Add ``policy.json`` example +* Add documentation and examples of how to tweak policy settings + +References +========== + +* http://docs.openstack.org/developer/keystone/architecture.html#approach-to-authorization-policy +* http://docs.openstack.org/developer/keystone/api/keystone.openstack.common.policy.html +* http://docs.openstack.org/developer/keystone/configuration.html#keystone-api-protection-with-role-based-access-control-rbac
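Review bot: the proposed policy file under "Proposed content of the policy file" is not valid JSON and, as written, opens every endpoint to everyone. The last entry `"subscriptions:update": "",` leaves a trailing comma before the closing brace, which a strict JSON parser (and therefore oslo.policy's rule loader) rejects; drop that comma. More importantly, every `queues:*`, `messages:*` and `subscriptions:*` rule is the empty string, which oslo.policy treats as a check that always passes, so the `"default": "rule:admin_or_owner"` entry is never consulted for any of these targets and the `context_is_admin` / `admin_or_owner` definitions are dead weight. If unrestricted access is the intended default, the Deployer impact section should say so plainly; if the intent is the fine-grained control the problem statement describes, the example should set the endpoint rules to `rule:admin_or_owner` (or `rule:default`) so a deployer starts from a restrictive file and loosens it, rather than the reverse. Two smaller points: "REST API impact: None" and "Other end user impact: None" understate the change, since a failed check turns a call that previously succeeded into an authorization error the client must now handle, and the second reference (keystone.openstack.common.policy) documents the old incubator module rather than oslo.policy, which the spec actually depends on. Finally, oslo.policy already registers `policy_file` and `policy_default_rule` options in the `[oslo_policy]` config group, so the "Add config options to point to control policy file and settings" work item can reuse those instead of defining Zaqar-specific ones.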