<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">We are working on cleaning up the
Keystone code with an eye to Oslo and reuse:<br>
<br>
<a class="moz-txt-link-freetext" href="https://review.openstack.org/#/c/56333/">https://review.openstack.org/#/c/56333/</a><br>
<br>
On 01/08/2014 02:47 PM, Georgy Okrokvertskhov wrote:<br>
</div>
<blockquote
cite="mid:CAG_6_o=z0gkrJ3sx7vyCktsQecU2xkx2eyWHAMRANSeU=y1z=A@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Keeping policy control in one place is a good idea. We can use
the standard policy approach and keep the access control configuration
in a json file as is done in Nova and other projects. </div>
<div>
Keystone uses a wrapper function for methods. Here is the wrapper
code: <a moz-do-not-send="true"
href="https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L111">https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L111</a>.
Each controller method has a @protected() wrapper, so the method
information is available through python f.__name__ instead of
URL parsing. It means that some RBAC parts are scattered
among the code anyway. </div>
<div><br>
</div>
<div>If we want to avoid RBAC scattered among the code we can
use the URL parsing approach and have all the logic inside a hook.
In a pecan hook the WSGI environment is already created and there is
full access to request parameters/content. We can map the URL to a
policy key.</div>
<div><br>
</div>
<div>So we have two options:</div>
<div>1. Add a wrapper to each API method like all other projects
did</div>
<div>2. Add a hook with URL parsing which maps the path to a policy
key.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<div>Georgy</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Jan 8, 2014 at 9:05 AM, Kurt
Griffiths <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:kurt.griffiths@rackspace.com" target="_blank">kurt.griffiths@rackspace.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div
style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div>Yeah, that could work. The main thing is to try and
keep policy control in one place if you can rather than
sprinkling it all over the place.</div>
<div><br>
</div>
<span>
<div style="border-right:medium
none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium
none;font-family:Calibri;border-top:#b5c4df 1pt
solid;padding-bottom:0in;border-left:medium none">
<span style="font-weight:bold">From: </span>Georgy
Okrokvertskhov <<a moz-do-not-send="true"
href="mailto:gokrokvertskhov@mirantis.com"
target="_blank">gokrokvertskhov@mirantis.com</a>><br>
<span style="font-weight:bold">Reply-To: </span>OpenStack
Dev <<a moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org"
target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday,
January 8, 2014 at 10:41 AM
<div>
<div class="h5"><br>
<span style="font-weight:bold">To: </span>OpenStack
Dev <<a moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org"
target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re:
[openstack-dev] [Solum][Pecan][Security] Pecan
SecureController vs. Nova policy<br>
</div>
</div>
</div>
<div>
<div class="h5">
<div><br>
</div>
<div>
<div>
<div dir="ltr">Hi Kurt,
<div><br>
</div>
<div>As for WSGI middleware, I am thinking about
Pecan hooks which can be added before the actual
controller call. Here is an example of how we
added a hook for keystone information
collection: <a moz-do-not-send="true"
href="https://review.openstack.org/#/c/64458/4/solum/api/auth.py"
target="_blank">https://review.openstack.org/#/c/64458/4/solum/api/auth.py</a></div>
<div><br>
</div>
<div>What do you think, will this approach
with Pecan hooks work?</div>
<div><br>
</div>
<div>Thanks</div>
<div>Georgy</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Jan 7, 2014
at 2:25 PM, Kurt Griffiths <span dir="ltr">
<<a moz-do-not-send="true"
href="mailto:kurt.griffiths@rackspace.com"
target="_blank">kurt.griffiths@rackspace.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div
style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div>You might also consider doing this
in WSGI middleware:</div>
<div><br>
</div>
<div>Pros: </div>
<ul>
<li>Consolidates policy code in one
place, making it easier to audit and
maintain</li>
<li>Simple to turn policy on/off –
just don’t insert the middleware
when off!</li>
<li>Does not preclude the use of
oslo.policy for rule checking </li>
<li>Blocks unauthorized requests
before they have a chance to touch
the web framework or app. This
reduces your attack surface and can
improve performance (since the web
framework has yet to parse the
request). </li>
</ul>
<div>Cons:</div>
<ul>
<li>Doesn't work for policies that
require knowledge that isn’t
available this early in the pipeline
(without having to duplicate a lot
of code)</li>
<li>You have to parse the WSGI environ
dict yourself (this may not be a big
deal, depending on how much
knowledge you need to glean in order
to enforce the policy).
</li>
<li>You have to keep your HTTP path
matching in sync with your
route definitions in the code. If
you have full test coverage, you
will know when you get out of sync.
That being said, API routes tend to
be quite stable in relation to
other parts of the code
implementation once you have settled
on your API spec.</li>
</ul>
<div>I’m sure there are other pros and
cons I missed, but you can make your
own best judgement whether this option
makes sense in Solum’s case.</div>
<div><br>
</div>
<span>
<div style="border-right:medium
none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium
none;font-family:Calibri;border-top:#b5c4df
1pt
solid;padding-bottom:0in;border-left:medium
none">
<span style="font-weight:bold">From:
</span>Doug Hellmann <<a
moz-do-not-send="true"
href="mailto:doug.hellmann@dreamhost.com"
target="_blank">doug.hellmann@dreamhost.com</a>><br>
<span style="font-weight:bold">Reply-To:
</span>OpenStack Dev <<a
moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org"
target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Date:
</span>Tuesday, January 7, 2014 at
6:54 AM<br>
<span style="font-weight:bold">To: </span>OpenStack
Dev <<a moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org"
target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject:
</span>Re: [openstack-dev]
[Solum][Pecan][Security] Pecan
SecureController vs. Nova policy<br>
</div>
<div>
<div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">
<div class="gmail_default"
style="font-size:small"><br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On
Mon, Jan 6, 2014 at 6:26
PM, Georgy
Okrokvertskhov <span
dir="ltr">
<<a
moz-do-not-send="true"
href="mailto:gokrokvertskhov@mirantis.com" target="_blank">gokrokvertskhov@mirantis.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">Hi
Doug,
<div><br>
</div>
<div>Thank you for pointing to this code. As I see, you use the
OpenStack policy framework but not Pecan security features. How
do you implement fine-grained access control like users allowed
to read only, writers and admins? Can you block part of the API
methods for a specific user, like access to create methods for a
specific user role?</div>
</div>
</blockquote>
<div><br>
</div>
<div>
<div
class="gmail_default"
style="font-size:small">The policy enforcement isn't simple on/off
switching in
ceilometer, so we're
using the policy
framework calls in a
couple of places
within our API code
(look through v2.py
for examples). As a
result, we didn't
need to build much
on top of the
existing policy
module to interface
with pecan. </div>
<div
class="gmail_default"
style="font-size:small"><br>
</div>
<div
class="gmail_default"
style="font-size:small">For your needs, it shouldn't be difficult to
create a couple of
decorators to
combine with pecan's
hook framework to
enforce the policy,
which might be less
complex than trying
to match the
operating model of
the policy system to
pecan's security
framework. </div>
<div
class="gmail_default"
style="font-size:small"><br>
</div>
<div
class="gmail_default"
style="font-size:small">This is the sort of thing that should probably
go through Oslo and
be shared, so please
consider
contributing to the
incubator when you
have something
working.</div>
<div
class="gmail_default"
style="font-size:small"><br>
</div>
<div
class="gmail_default"
style="font-size:small">Doug</div>
<br>
</div>
<div> </div>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>Thanks</div>
<div>Georgy</div>
</div>
<div
class="gmail_extra">
<div>
<div><br>
<br>
<div
class="gmail_quote">On
Mon, Jan 6,
2014 at 2:45
PM, Doug
Hellmann <span
dir="ltr">
<<a
moz-do-not-send="true"
href="mailto:doug.hellmann@dreamhost.com" target="_blank">doug.hellmann@dreamhost.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div dir="ltr">
<div
style="font-size:small"><br>
</div>
<div
class="gmail_extra"><br>
<br>
<div
class="gmail_quote">
<div>
<div>On Mon,
Jan 6, 2014 at
2:56 PM,
Georgy
Okrokvertskhov
<span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:gokrokvertskhov@mirantis.com"
target="_blank">gokrokvertskhov@mirantis.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>In the Solum project we will need to implement security
and ACLs for the Solum API. Currently we use the Pecan framework
for the API. Pecan has its own security model based on the
SecureController class. At the same time OpenStack widely uses a
policy mechanism which uses json files to control access to
specific API methods.</div>
<div><br>
</div>
<div>I wonder if someone has any experience with implementing
security and ACL stuff using the Pecan framework. What is the
right way to provide security for the API?</div>
</div>
</blockquote>
<div><br>
</div>
</div>
</div>
<div>
<div
style="font-size:small">In
ceilometer we
are using the
keystone
middleware and
the policy
framework to
manage
arguments that
constrain the
queries
handled by the
storage layer.</div>
<div
style="font-size:small"><br>
</div>
<div
style="font-size:small"><a
moz-do-not-send="true"
href="http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/acl.py"
target="_blank">http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/acl.py</a></div>
<div
style="font-size:small"><br>
</div>
<div
style="font-size:small">and</div>
<div
style="font-size:small"><br>
</div>
<div
style="font-size:small"><a
moz-do-not-send="true"
href="http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/controllers/v2.py#n337"
target="_blank">http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/controllers/v2.py#n337</a></div>
<div
style="font-size:small"><br>
</div>
<div
style="font-size:small">Doug</div>
<br>
</div>
<div> </div>
<blockquote
class="gmail_quote"
style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>Thanks</div>
<span><font
color="#888888">
<div>Georgy</div>
</font></span></div>
<br>
_______________________________________________<br>
OpenStack-dev
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a
moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</div>
<span><font
color="#888888">--
<br>
Georgy
Okrokvertskhov<br>
Technical
Program Manager,<br>
Cloud and
Infrastructure
Services,<br>
Mirantis<br>
<a
moz-do-not-send="true"
href="http://www.mirantis.com/" target="_blank">http://www.mirantis.com</a><br>
Tel. <a
moz-do-not-send="true"
href="tel:%2B1%20650%20963%209828" value="+16509639828" target="_blank">+1
650 963 9828</a><br>
Mob. <a
moz-do-not-send="true"
href="tel:%2B1%20650%20996%203284" value="+16509963284" target="_blank">+1
650 996 3284</a><br>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</span>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</blockquote>
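<p>Added example (not code from Solum, Keystone, ceilometer or any of the thread's authors): a small Python sketch of the second option Georgy lists, a hook-style check that maps the request's HTTP method and path to a policy key and evaluates Nova-style policy.json rules before any controller runs. The route table, the policy rules and the rule evaluator are constructed stand-ins, not oslo.policy or Pecan's hook API, and unmapped routes are denied so that the "out of sync" drift Kurt mentions shows up as a refusal rather than an open route.</p>

```python
import re

# Constructed policy.json content (as json.load returns it), Nova/Keystone style:
# "" allows, "!" denies, "role:x" needs that role, "rule:y" delegates, " or " joins.
POLICY = {
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "assembly:index": "",
    "assembly:create": "role:admin",
    "assembly:get": "rule:admin_or_owner",
    "assembly:delete": "!",
}

# Constructed route table (method, path pattern, policy key): the "URL parsing"
# option from the thread; it must stay in sync with the real route definitions.
ROUTES = [
    ("GET", r"^/v1/assemblies/?$", "assembly:index"),
    ("POST", r"^/v1/assemblies/?$", "assembly:create"),
    ("GET", r"^/v1/assemblies/[^/]+$", "assembly:get"),
    ("DELETE", r"^/v1/assemblies/[^/]+$", "assembly:delete"),
]

def check_rule(rules, rule, creds, target):
    """Tiny stand-in for the oslo policy rule evaluator (not the real library)."""
    if rule == "":
        return True
    if rule == "!":
        return False
    for alt in rule.split(" or "):
        kind, _, value = alt.strip().partition(":")
        if kind == "rule" and check_rule(rules, rules.get(value, "!"), creds, target):
            return True
        if kind == "role" and value in creds.get("roles", []):
            return True
        # "attr:%(attr)s": the caller's attribute must equal the target's.
        if kind in creds and str(creds[kind]) == value % target:
            return True
    return False

def policy_key_for(method, path):
    """Map a request to its policy key; None means the route is unmapped."""
    for verb, pattern, key in ROUTES:
        if verb == method and re.match(pattern, path):
            return key
    return None

def enforce(method, path, creds, target, rules=POLICY):
    """Body of a Pecan-style 'before' hook: decide before the controller runs.
    Unmapped routes and unknown keys are denied, so route drift is a refusal."""
    key = policy_key_for(method, path)
    return key is not None and check_rule(rules, rules.get(key, "!"), creds, target)
```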
<br>
</body>
</html>