[openstack-dev] [Solum][Pecan][Security] Pecan SecureController vs. Nova policy

Georgy Okrokvertskhov gokrokvertskhov at mirantis.com
Mon Jan 6 23:26:55 UTC 2014


Hi Doug,

Thank you for pointing to this code. As I see, you use the OpenStack policy
framework but not the Pecan security features. How do you implement fine-grained
access control, like users allowed to read only, writers and admins? Can you
block part of the API methods for a specific user, like access to create methods
for a specific user role?

Thanks
Georgy


On Mon, Jan 6, 2014 at 2:45 PM, Doug Hellmann
<doug.hellmann at dreamhost.com> wrote:

>
>
>
> On Mon, Jan 6, 2014 at 2:56 PM, Georgy Okrokvertskhov <
> gokrokvertskhov at mirantis.com> wrote:
>
>> Hi,
>>
>> In the Solum project we will need to implement security and ACL for the Solum
>> API. Currently we use the Pecan framework for the API. Pecan has its own security
>> model based on the SecureController class. At the same time OpenStack widely
>> uses a policy mechanism which uses JSON files to control access to specific
>> API methods.
>>
>> I wonder if someone has any experience with implementing security and ACL
>> stuff using the Pecan framework. What is the right way to provide security
>> for the API?
>>
>
> In ceilometer we are using the keystone middleware and the policy
> framework to manage arguments that constrain the queries handled by the
> storage layer.
>
>
> http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/acl.py
>
> and
>
>
> http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/controllers/v2.py#n337
>
> Doug
>
>
>
>>
>> Thanks
>> Georgy
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>


-- 
Georgy Okrokvertskhov
Technical Program Manager,
Cloud and Infrastructure Services,
Mirantis
http://www.mirantis.com
Tel. +1 650 963 9828
Mob. +1 650 996 3284
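
Added example, not part of the original thread and not Ceilometer's or Solum's code: a minimal sketch of the pattern discussed above, where a policy.json-style rule set decides per API action which roles may call it, and non-admin callers have their queries constrained to their own project. The rule names, roles and the `enforce`/`limit_query` helpers are assumptions for illustration; it reads the `X-Roles` and `X-Project-Id` headers that the keystone auth middleware sets, and it only handles `or` expressions of `role:` and `rule:` checks, not the full policy language.

```python
import json

# Constructed policy document in the style of an OpenStack policy.json file.
# Action names and roles are assumptions made for this example.
POLICY_JSON = """
{
  "context_is_admin": "role:admin",
  "assembly:get": "role:reader or role:writer or role:admin",
  "assembly:create": "role:writer or role:admin",
  "assembly:delete": "rule:context_is_admin"
}
"""
RULES = json.loads(POLICY_JSON)


def check(rule_text, roles, depth=0):
    """Evaluate an 'a or b' expression made of role:/rule: checks."""
    if depth > 8:  # guard against rule: reference cycles
        return False
    for term in rule_text.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value.lower() in roles:
            return True
        if kind == "rule" and value in RULES and check(RULES[value], roles, depth + 1):
            return True
    return False


def enforce(action, headers):
    """Return True if the caller may perform action; unknown actions are denied."""
    raw = headers.get("X-Roles", "")
    roles = {r.strip().lower() for r in raw.split(",") if r.strip()}
    rule = RULES.get(action)
    return rule is not None and check(rule, roles)


def limit_query(headers):
    """Return extra query filters: none for admins, own project for everyone else."""
    if enforce("context_is_admin", headers):
        return {}
    project = headers.get("X-Project-Id")
    if not project:
        # Fail closed: a non-admin without a project must not get an unfiltered query.
        raise PermissionError("no project in request context")
    return {"project_id": project}
```

In a Pecan controller, `enforce` would be called at the top of each exposed method with the request headers, and the result of `limit_query` merged into the storage query.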