[openstack-dev] [Horizon][RBAC] Approach to eliminate hard-coded checks based on roles

Thiago Paiva thiagop at lsd.ufcg.edu.br
Fri Jun 20 13:55:23 UTC 2014


Hello everyone,

Today, Horizon protects its resources (views, Dashboards or Panels) using 
a hard-coded approach, restricting on code the access to users having 
determined roles (like Admin). This problem was already addressed in 
this bug: https://bugs.launchpad.net/horizon/+bug/1226627

In an attempt to flexibilize the RBAC control over Horizon resources, I 
designed an approach that involves the creation of a (temporary) 
Horizon's policy file. This file receives rules to protect every 
resource, controlling the access on Horizon and has the flexibility for 
cloud-providers to edit these rules and add the checks over the roles 
that best meet their needs.

A POC of this approach was sent to Gerrit as WIP, so you may evaluate 
the viability of the approach. It's available on the review link below. 
I'd like you to take a look and send some feedback. If it seems viable 
to you guys, I'll write a blueprint (or spec) to address this change.

https://review.openstack.org/#/c/99446/

Thanks,

-- 
Thiago Paiva Brito
Software Engineer
Advanced OpenStack Brazil Team
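
The contrast the message describes, as an added example that is not part of the original post and is not Horizon's code or the POC under review: a role check baked into code beside a check driven by an operator-editable policy file. The resource names, the `role:` rule syntax and the `PolicyEnforcer` class are assumptions made for illustration.

```python
import json

# Constructed policy file contents; rule names and syntax are assumptions.
POLICY_JSON = """
{
  "dashboard:admin": "role:admin",
  "panel:identity:users": "role:admin or role:support",
  "panel:project:instances": "role:member or role:admin"
}
"""


def hardcoded_can_access(user_roles):
    """The 'before': the role name lives in code, so changing it needs a patch."""
    return "admin" in user_roles


def _check(expr, roles):
    """Evaluate 'role:a or role:b and role:c' ('and' binds tighter than 'or')."""
    for alternative in expr.split(" or "):
        terms = [t.strip() for t in alternative.split(" and ")]
        # A malformed term (no 'role:' prefix, empty name) never matches.
        if all(t.startswith("role:") and t[5:] in roles for t in terms):
            return True
    return False


class PolicyEnforcer:
    """Hypothetical enforcer: maps a resource name to a rule from the file."""

    def __init__(self, policy_text):
        self.rules = json.loads(policy_text)

    def can_access(self, resource, user_roles):
        rule = self.rules.get(resource)
        if rule is None:
            # Fail closed: a resource with no rule is denied, so a panel
            # missing from the file is not silently exposed.
            return False
        return _check(rule, set(user_roles))
```

A resource that has no rule in the file is denied rather than allowed, which keeps a typo or an omitted entry from opening a panel to every authenticated user.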



