<div dir="ltr">Hi Adam,<div><br></div><div>This looks very interesting. When do you expect to have this code available in oslo? Do you have a development guide which describes best practices for using this authorization approach?</div>
<div><br></div><div>I think that for Pecan it will be possible to get rid of the @protected wrapper and use the SecureController class as a parent. It has a method which will be called before each controller method call. I saw Pecan was moved to stackforge, so it is probably a good idea to talk with the Pecan developers and discuss how this part of Keystone can be integrated/supported by the Pecan framework.</div>
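<div><br></div><div>Added example (not Solum, Keystone, Pecan or oslo code): a minimal json-style policy engine with the two enforcement points compared in this thread, Georgy's option 1 (a per-method @protected wrapper, as in Keystone) and option 2 (a hook that maps the request path to a policy key), plus a drift check for Kurt's caveat that the path map has to stay in sync with the route definitions. The rule syntax, policy keys, routes and credentials are constructed assumptions, and the hook body is only the mapping-and-enforce step, so nothing here imports Pecan and it runs offline.</div>

```python
"""Added example, not Solum/Keystone/Pecan/oslo code: a minimal json-style policy
engine with both enforcement points from the thread (a @protected decorator and a
path -> policy key map a hook or middleware would use).  All data is constructed;
rule syntax is an oslo.policy-like subset: role:<n>, rule:<n>, or, and, "@", "!"."""
import functools
import json
import re

# Constructed policy file in the json style the thread refers to.
POLICY_JSON = """{
  "admin_required": "role:admin",
  "writer": "role:writer or rule:admin_required",
  "solum:plan:get": "@",
  "solum:plan:create": "rule:writer",
  "solum:plan:delete": "rule:admin_required"
}"""

class PolicyNotAuthorized(Exception):
    """Denied by policy (would become HTTP 403 at the API boundary)."""

class Enforcer:
    def __init__(self, policy_text):
        self.rules = json.loads(policy_text)
    def _check(self, rule, creds, depth=0):
        if depth > 16:  # a self-referencing "rule:x" must not recurse forever
            raise ValueError("policy rule nesting too deep")
        if " or " in rule:  # 'or' binds looser than 'and'
            return any(self._check(p, creds, depth + 1) for p in rule.split(" or "))
        if " and " in rule:
            return all(self._check(p, creds, depth + 1) for p in rule.split(" and "))
        if rule in ("@", "!"):  # always allow / always deny
            return rule == "@"
        kind, _, value = rule.partition(":")
        if kind == "role":
            return value in creds.get("roles", ())
        if kind == "rule":  # a reference to a missing rule denies
            return self._check(self.rules.get(value, "!"), creds, depth + 1)
        raise ValueError("unknown check %r" % rule)
    def enforce(self, key, creds):
        rule = self.rules.get(key)  # unknown key fails closed: a typo never grants
        if rule is None or not self._check(rule, creds):
            raise PolicyNotAuthorized(key)
        return True

def protected(key):
    """Option 1: enforce at the method, like Keystone's @protected wrapper."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(self, creds, *args, **kwargs):
            self.enforcer.enforce(key, creds)
            return fn(self, creds, *args, **kwargs)
        wrapper.policy_key = key  # exposed so the drift check can read it
        return wrapper
    return decorator

class PlanController:
    def __init__(self, enforcer):
        self.enforcer = enforcer
    @protected("solum:plan:get")
    def get(self, creds, plan_id):
        return {"id": plan_id}
    @protected("solum:plan:create")
    def create(self, creds, body):
        return dict(body, id="plan-1")
    @protected("solum:plan:delete")
    def delete(self, creds, plan_id):
        return {"deleted": plan_id}

# Option 2: the (verb, path pattern) -> policy key table a hook would consult.
ROUTE_POLICY = (
    ("GET", re.compile(r"^/v1/plans/[^/]+$"), "solum:plan:get"),
    ("POST", re.compile(r"^/v1/plans$"), "solum:plan:create"),
    ("DELETE", re.compile(r"^/v1/plans/[^/]+$"), "solum:plan:delete"),
)
def policy_key_for(method, path):
    for verb, pattern, key in ROUTE_POLICY:
        if verb == method and pattern.match(path):
            return key
    return None

def hook_before(enforcer, method, path, creds):
    """Hook/middleware body: map the request to a key and enforce it; unmapped = deny."""
    key = policy_key_for(method, path)
    if key is None:
        raise PolicyNotAuthorized("no policy mapped for %s %s" % (method, path))
    enforcer.enforce(key, creds)
    return key

def is_allowed(check, *args):
    try:
        return check(*args) is not None
    except PolicyNotAuthorized:
        return False

def policy_drift(enforcer, controller_cls):
    """Kurt's caveat: policy keys, the route map and decorated methods drift apart;
    a test asserting both lists are empty catches it before a route goes unguarded."""
    mapped = {key for _, _, key in ROUTE_POLICY}
    declared = {k for k in enforcer.rules if k.startswith("solum:")}
    decorated = {m.policy_key for m in vars(controller_cls).values() if hasattr(m, "policy_key")}
    return sorted(declared ^ mapped), sorted(decorated ^ mapped)
```

<div>Both paths fail closed: an unknown policy key, a reference to a missing rule, or an unmapped route raises PolicyNotAuthorized instead of falling through to the controller, which is the property worth a test whichever of the two options Solum picks.</div>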
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jan 8, 2014 at 8:34 PM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>We are working on cleaning up the
      Keystone code with an eye to Oslo and reuse:<br>
      <br>
      <a href="https://review.openstack.org/#/c/56333/" target="_blank">https://review.openstack.org/#/c/56333/</a><div><div class="h5"><br>
      <br>
      On 01/08/2014 02:47 PM, Georgy Okrokvertskhov wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">Hi,
        <div><br>
        </div>
        <div>Keeping policy control in one place is a good idea. We can use
          the standard policy approach and keep the access control configuration
          in a json file, as is done in Nova and other projects. </div>
        <div>
          Keystone uses a wrapper function for methods. Here is the wrapper
          code: <a href="https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L111" target="_blank">https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L111</a>.
          Each controller method has a @protected() wrapper, so the method
          information is available through Python's f.__name__ instead of
          URL parsing. This means that some RBAC parts are scattered
          among the code anyway. </div>
        <div><br>
        </div>
        <div>If we want to avoid RBAC scattered among the code, we can
          use the URL parsing approach and have all the logic inside a hook.
          In a Pecan hook the WSGI environment is already created and there is
          full access to the request parameters/content. We can map the URL to a
          policy key.</div>
        <div><br>
        </div>
        <div>So we have two options:</div>
        <div>1. Add a wrapper to each API method, like all other projects
          did</div>
        <div>2. Add a hook with URL parsing which maps the path to a policy
          key.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Thanks</div>
        <div>Georgy</div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Wed, Jan 8, 2014 at 9:05 AM, Kurt
          Griffiths <span dir="ltr"><<a href="mailto:kurt.griffiths@rackspace.com" target="_blank">kurt.griffiths@rackspace.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
              <div>Yeah, that could work. The main thing is to try and
                keep policy control in one place if you can rather than
                sprinkling it all over the place.</div>
              <div><br>
              </div>
              <span>
                <div style="border-right:medium none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium none;font-family:Calibri;border-top:#b5c4df 1pt solid;padding-bottom:0in;border-left:medium none">

                  <span style="font-weight:bold">From: </span>Georgy
                  Okrokvertskhov <<a href="mailto:gokrokvertskhov@mirantis.com" target="_blank">gokrokvertskhov@mirantis.com</a>><br>
                  <span style="font-weight:bold">Reply-To: </span>OpenStack
                  Dev <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
                  <span style="font-weight:bold">Date: </span>Wednesday,
                  January 8, 2014 at 10:41 AM
                  <div>
                    <div><br>
                      <span style="font-weight:bold">To: </span>OpenStack
                      Dev <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
                      <span style="font-weight:bold">Subject: </span>Re:
                      [openstack-dev] [Solum][Pecan][Security] Pecan
                      SecureController vs. Nova policy<br>
                    </div>
                  </div>
                </div>
                <div>
                  <div>
                    <div><br>
                    </div>
                    <div>
                      <div>
                        <div dir="ltr">Hi Kurt,
                          <div><br>
                          </div>
                          <div>As for WSGI middleware, I am thinking about
                            Pecan hooks which can be added before the actual
                            controller call. Here is an example of how we
                            added a hook for keystone information
                            collection: <a href="https://review.openstack.org/#/c/64458/4/solum/api/auth.py" target="_blank">https://review.openstack.org/#/c/64458/4/solum/api/auth.py</a></div>
                          <div><br>
                          </div>
                          <div>What do you think, will this approach
                            with Pecan hooks work?</div>
                          <div><br>
                          </div>
                          <div>Thanks</div>
                          <div>Georgy</div>
                        </div>
                        <div class="gmail_extra"><br>
                          <br>
                          <div class="gmail_quote">On Tue, Jan 7, 2014
                            at 2:25 PM, Kurt Griffiths <span dir="ltr">
                              <<a href="mailto:kurt.griffiths@rackspace.com" target="_blank">kurt.griffiths@rackspace.com</a>></span>
                            wrote:<br>
                            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                              <div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
                                <div>You might also consider doing this
                                  in WSGI middleware:</div>
                                <div><br>
                                </div>
                                <div>Pros: </div>
                                <ul>
                                  <li>Consolidates policy code in one
                                    place, making it easier to audit and
                                    maintain</li>
                                  <li>Simple to turn policy on/off –
                                    just don’t insert the middleware
                                    when off!</li>
                                  <li>Does not preclude the use of
                                    oslo.policy for rule checking </li>
                                  <li>Blocks unauthorized requests
                                    before they have a chance to touch
                                    the web framework or app. This
                                    reduces your attack surface and can
                                    improve performance (since the web
                                    framework has yet to parse the
                                    request). </li>
                                </ul>
                                <div>Cons:</div>
                                <ul>
                                  <li>Doesn't work for policies that
                                    require knowledge that isn’t
                                    available this early in the pipeline
                                    (without having to duplicate a lot
                                    of code)</li>
                                  <li>You have to parse the WSGI environ
                                    dict yourself (this may not be a big
                                    deal, depending on how much
                                    knowledge you need to glean in order
                                    to enforce the policy).
                                  </li>
                                  <li>You have to keep your HTTP path
                                    matching in sync with your
                                    route definitions in the code. If
                                    you have full test coverage, you
                                    will know when you get out of sync.
                                    That being said, API routes tend to
                                    be quite stable in relation to
                                    other parts of the code
                                    implementation once you have settled
                                    on your API spec.</li>
                                </ul>
                                <div>I’m sure there are other pros and
                                  cons I missed, but you can make your
                                  own best judgement whether this option
                                  makes sense in Solum’s case.</div>
                                <div><br>
                                </div>
                                <span>
                                  <div style="border-right:medium none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium none;font-family:Calibri;border-top:#b5c4df 1pt solid;padding-bottom:0in;border-left:medium none">

                                    <span style="font-weight:bold">From:
                                    </span>Doug Hellmann <<a href="mailto:doug.hellmann@dreamhost.com" target="_blank">doug.hellmann@dreamhost.com</a>><br>
                                    <span style="font-weight:bold">Reply-To:
                                    </span>OpenStack Dev <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
                                    <span style="font-weight:bold">Date:
                                    </span>Tuesday, January 7, 2014 at
                                    6:54 AM<br>
                                    <span style="font-weight:bold">To: </span>OpenStack
                                    Dev <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
                                    <span style="font-weight:bold">Subject:
                                    </span>Re: [openstack-dev]
                                    [Solum][Pecan][Security] Pecan
                                    SecureController vs. Nova policy<br>
                                  </div>
                                  <div>
                                    <div>
                                      <div><br>
                                      </div>
                                      <div>
                                        <div>
                                          <div dir="ltr">
                                            <div class="gmail_default" style="font-size:small"><br>
                                            </div>
                                            <div class="gmail_extra"><br>
                                              <br>
                                              <div class="gmail_quote">On
                                                Mon, Jan 6, 2014 at 6:26
                                                PM, Georgy
                                                Okrokvertskhov <span dir="ltr">
                                                  <<a href="mailto:gokrokvertskhov@mirantis.com" target="_blank">gokrokvertskhov@mirantis.com</a>></span>
                                                wrote:<br>
                                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                  <div dir="ltr">Hi Doug,
                                                    <div><br>
                                                    </div>
                                                    <div>Thank you for pointing to this code. As I see, you
                                                      use the OpenStack policy framework but not Pecan
                                                      security features. How do you implement fine-grained
                                                      access control, like users allowed to read only,
                                                      writers and admins? Can you block part of the API
                                                      methods for a specific user, like access to create
                                                      methods for a specific user role?</div>
                                                  </div>
                                                </blockquote>
                                                <div><br>
                                                </div>
                                                <div>
                                                  <div class="gmail_default" style="font-size:small">The policy enforcement isn't simple on/off
                                                    switching in
                                                    ceilometer, so we're
                                                    using the policy
                                                    framework calls in a
                                                    couple of places
                                                    within our API code
                                                    (look through v2.py
                                                    for examples). As a
                                                    result, we didn't
                                                    need to build much
                                                    on top of the
                                                    existing policy
                                                    module to interface
                                                    with pecan. </div>
                                                  <div class="gmail_default" style="font-size:small"><br>
                                                  </div>
                                                  <div class="gmail_default" style="font-size:small">For your needs, it shouldn't be difficult to
                                                    create a couple of
                                                    decorators to
                                                    combine with pecan's
                                                    hook framework to
                                                    enforce the policy,
                                                    which might be less
                                                    complex than trying
                                                    to match the
                                                    operating model of
                                                    the policy system to
                                                    pecan's security
                                                    framework. </div>
                                                  <div class="gmail_default" style="font-size:small"><br>
                                                  </div>
                                                  <div class="gmail_default" style="font-size:small">This is the sort of thing that should probably
                                                    go through Oslo and
                                                    be shared, so please
                                                    consider
                                                    contributing to the
                                                    incubator when you
                                                    have something
                                                    working.</div>
                                                  <div class="gmail_default" style="font-size:small"><br>
                                                  </div>
                                                  <div class="gmail_default" style="font-size:small">Doug</div>
                                                  <br>
                                                </div>
                                                <div> </div>
                                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                  <div dir="ltr">
                                                    <div><br>
                                                    </div>
                                                    <div>Thanks</div>
                                                    <div>Georgy</div>
                                                  </div>
                                                  <div class="gmail_extra">
                                                    <div>
                                                      <div><br>
                                                        <br>
                                                        <div class="gmail_quote">On
                                                          Mon, Jan 6,
                                                          2014 at 2:45
                                                          PM, Doug
                                                          Hellmann <span dir="ltr">
                                                          <<a href="mailto:doug.hellmann@dreamhost.com" target="_blank">doug.hellmann@dreamhost.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div dir="ltr">
                                                          <div style="font-size:small"><br>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <br>
                                                          <div class="gmail_quote">
                                                          <div>
                                                          <div>On Mon,
                                                          Jan 6, 2014 at
                                                          2:56 PM,
                                                          Georgy
                                                          Okrokvertskhov
                                                          <span dir="ltr"><<a href="mailto:gokrokvertskhov@mirantis.com" target="_blank">gokrokvertskhov@mirantis.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

                                                          <div dir="ltr">
                                                          <div>Hi,</div>
                                                          <div><br>
                                                          </div>
                                                          <div>In the Solum project we will need to implement
                                                          security and ACL for the Solum API. Currently we use
                                                          the Pecan framework for the API. Pecan has its own
                                                          security model based on the SecureController class.
                                                          At the same time OpenStack widely uses a policy
                                                          mechanism which uses json files to control access
                                                          to specific API methods.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>I wonder if someone has any experience with
                                                          implementing security and ACL stuff using the
                                                          Pecan framework. What is the right way to provide
                                                          security for the API?</div>
                                                          </div>
                                                          </blockquote>
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <div style="font-size:small">In
                                                          ceilometer we
                                                          are using the
                                                          keystone
                                                          middleware and
                                                          the policy
                                                          framework to
                                                          manage
                                                          arguments that
                                                          constrain the
                                                          queries
                                                          handled by the
                                                          storage layer.</div>
                                                          <div style="font-size:small"><br>
                                                          </div>
                                                          <div style="font-size:small"><a href="http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/acl.py" target="_blank">http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/acl.py</a></div>

                                                          <div style="font-size:small"><br>
                                                          </div>
                                                          <div style="font-size:small">and</div>
                                                          <div style="font-size:small"><br>
                                                          </div>
                                                          <div style="font-size:small"><a href="http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/controllers/v2.py#n337" target="_blank">http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/controllers/v2.py#n337</a></div>

                                                          <div style="font-size:small"><br>
                                                          </div>
                                                          <div style="font-size:small">Doug</div>
                                                          <br>
                                                          </div>
                                                          <div> </div>
                                                          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">

                                                          <div dir="ltr">
                                                          <div><br>
                                                          </div>
                                                          <div>Thanks</div>
                                                          <span><font color="#888888">
                                                          <div>Georgy</div>
                                                          </font></span></div>
                                                          <br>
_______________________________________________<br>
                                                          OpenStack-dev
                                                          mailing list<br>
                                                          <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
                                                          <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>

                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <br>

                                                          <br>
                                                          </blockquote>
                                                        </div>
                                                        <br>
                                                        <br clear="all">
                                                        <div><br>
                                                        </div>
                                                      </div>
                                                    </div>
                                                    <span><font color="#888888">--
                                                        <br>
                                                        Georgy
                                                        Okrokvertskhov<br>
                                                        Technical
                                                        Program Manager,<br>
                                                        Cloud and
                                                        Infrastructure
                                                        Services,<br>
                                                        Mirantis<br>
                                                        <a href="http://www.mirantis.com/" target="_blank">http://www.mirantis.com</a><br>
                                                        Tel. <a href="tel:%2B1%20650%20963%209828" value="+16509639828" target="_blank">+1
                                                          650 963 9828</a><br>
                                                        Mob. <a href="tel:%2B1%20650%20996%203284" value="+16509963284" target="_blank">+1
                                                          650 996 3284</a><br>
                                                      </font></span></div>
                                                  <br>
                                                  <br>
                                                </blockquote>
                                              </div>
                                              <br>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </span></div>
                            </blockquote>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </span>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div>
</div>