openstack/zaqar-specs
Code Issues Proposed changes

Merge "Policy support"

Browse Source
This commit is contained in:
Jenkins 2015-08-12 06:37:59 +00:00 committed by Gerrit Code Review
commit f5737faf77
1 changed files with 147 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

147
specs/liberty/policy_support.rst Normal file
View File

@ -0,0 +1,147 @@
..
This template should be in ReSTructured text. The filename in the git
repository should match the launchpad URL, for example a URL of
https://blueprints.launchpad.net/zaqar/+spec/awesome-thing should be named
awesome-thing.rst.
Please do not delete any of the sections in this
template. If you have nothing to say for a whole section, just write: None
For help with syntax, see http://sphinx-doc.org/rest.html
To test out your formatting, see http://www.tele3.cz/jbar/rest/rest.html
============================
Authorization Policy Support
============================
OpenStack components are supposed to check user privileges to perform any
action. Generally these checks are role-based. See
http://docs.openstack.org/developer/keystone/architecture.html#approach-to-authorization-policy.
Zaqar needs to support policies as well.
Problem description
===================
Presently Zaqar is missing fine-grained permissions for actions. For example, it's
hard to allow one user only can get message from a queue but not be able to
post message to the queue, or something like that.
Proposed change
===============
Add policy check for all Zaqar API endpoints. This could be done by following
the same way as in other OpenStack components, by leveraging the oslo.policy
module which will do all the underlying work.
The implementation should be fairly simple, with oslo.policy's ``Enforcer``
class being instantiated with the policy file, then the ``enforce`` method used
to check each API call.
Proposed content of the policy file:
.. sourcecode:: json
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"queues:get_all": "",
"queues:put": "",
"queues:get": "",
"queues:delete": "",
"messages:post": "",
"messages:get": "",
"messages:bulk_get": "",
"messages:bulk_delete": "",
"messages:claim": "",
"subscriptions:get_all": "",
"subscriptions:create": "",
"subscriptions:get": "",
"subscriptions:delete": "",
"subscriptions:update": "",
}
Alternatives
------------
None.
Data model impact
-----------------
None.
REST API impact
---------------
None.
Other end user impact
---------------------
None.
Deployer impact
---------------
An additional file, ``policy.json`` must be deployed. The deployer should
verify the settings in that file are correct for their deployment, such that
the correct users are allowed access.
Developer impact
----------------
If there is any new API endpoint added for Zaqar, then policy rules in the
json files should be updated accordingly.
Implementation
==============
Assignee(s)
-----------
Primary assignee:
kragniz (Louis Taylor)
Milestones
----------
Target Milestone for completion: L-1
Work Items
----------
* Add config options to point to control policy file and settings
* Add policy check to all API calls
* Add unit tests
* Add documentation
Dependencies
============
* oslo.policy
Testing
=======
* Unit tests
* Manual testing
Documentation Impact
====================
* Feature need to be documented
* Add ``policy.json`` example
* Add documentation and examples of how to tweak policy settings
References
==========
* http://docs.openstack.org/developer/keystone/architecture.html#approach-to-authorization-policy
* http://docs.openstack.org/developer/keystone/api/keystone.openstack.common.policy.html
* http://docs.openstack.org/developer/keystone/configuration.html#keystone-api-protection-with-role-based-access-control-rbac