<div dir="ltr">Hi Adam,<div><br></div><div>This looks very interesting. When do you expect to have this code available in Oslo? Do you have a development guide which describes best practices for using this authorization approach?</div>
<div><br></div><div>I think that for Pecan it will be possible to get rid of the @protected wrapper and use the SecureController class as a parent. It has a method which will be called before each controller method call. I saw Pecan was moved to stackforge, so probably it is a good idea to talk with the Pecan developers and discuss how this part of Keystone can be integrated/supported by the Pecan framework.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jan 8, 2014 at 8:34 PM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>We are working on cleaning up the
Keystone code with an eye to Oslo and reuse:<br>
<br>
<a href="https://review.openstack.org/#/c/56333/" target="_blank">https://review.openstack.org/#/c/56333/</a><div><div class="h5"><br>
<br>
On 01/08/2014 02:47 PM, Georgy Okrokvertskhov wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>Keeping policy control in one place is a good idea. We can use the standard policy approach and keep the access control configuration in a JSON file, as is done in Nova and other projects.</div>
<div>
Keystone uses a wrapper function for methods. Here is the wrapper
code: <a href="https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L111" target="_blank">https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L111</a>.
Each controller method has a @protected() wrapper, so the method
information is available through Python's f.__name__ instead of
URL parsing. It means that some RBAC parts are scattered among the code anyway.</div>
<div><br>
</div>
<div>If we want to avoid RBAC being scattered among the code, we can
use the URL parsing approach and have all the logic inside a hook.
In a Pecan hook the WSGI environment is already created and there is
full access to the request parameters/content. We can map the URL to a
policy key.</div>
<div><br>
</div>
<div>So we have two options:</div>
<div>1. Add a wrapper to each API method, like all the other projects did.</div>
<div>2. Add a hook with URL parsing which maps the path to a policy key.</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks</div>
<div>Georgy</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Jan 8, 2014 at 9:05 AM, Kurt
Griffiths <span dir="ltr"><<a href="mailto:kurt.griffiths@rackspace.com" target="_blank">kurt.griffiths@rackspace.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div>Yeah, that could work. The main thing is to try and
keep policy control in one place if you can rather than
sprinkling it all over the place.</div>
<div><br>
</div>
<span>
<div style="border-right:medium none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium none;font-family:Calibri;border-top:#b5c4df 1pt solid;padding-bottom:0in;border-left:medium none">
<span style="font-weight:bold">From: </span>Georgy
Okrokvertskhov <<a href="mailto:gokrokvertskhov@mirantis.com" target="_blank">gokrokvertskhov@mirantis.com</a>><br>
<span style="font-weight:bold">Reply-To: </span>OpenStack
Dev <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday,
January 8, 2014 at 10:41 AM
<div>
<div><br>
<span style="font-weight:bold">To: </span>OpenStack
Dev <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re:
[openstack-dev] [Solum][Pecan][Security] Pecan
SecureController vs. Nova policy<br>
</div>
</div>
</div>
<div>
<div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Hi Kurt,
<div><br>
</div>
<div>As for WSGI middleware, I am thinking about
Pecan hooks which can be added before the actual
controller call. Here is an example of how we
added a hook for Keystone information
collection: <a href="https://review.openstack.org/#/c/64458/4/solum/api/auth.py" target="_blank">https://review.openstack.org/#/c/64458/4/solum/api/auth.py</a></div>
<div><br>
</div>
<div>What do you think, will this approach
with Pecan hooks work?</div>
<div><br>
</div>
<div>Thanks</div>
<div>Georgy</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Jan 7, 2014
at 2:25 PM, Kurt Griffiths <span dir="ltr">
<<a href="mailto:kurt.griffiths@rackspace.com" target="_blank">kurt.griffiths@rackspace.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-size:14px;font-family:Calibri,sans-serif;word-wrap:break-word">
<div>You might also consider doing this
in WSGI middleware:</div>
<div><br>
</div>
<div>Pros: </div>
<ul>
<li>Consolidates policy code in one
place, making it easier to audit and
maintain</li>
<li>Simple to turn policy on/off –
just don’t insert the middleware
when off!</li>
<li>Does not preclude the use of
oslo.policy for rule checking </li>
<li>Blocks unauthorized requests
before they have a chance to touch
the web framework or app. This
reduces your attack surface and can
improve performance (since the web
framework has yet to parse the
request). </li>
</ul>
<div>Cons:</div>
<ul>
<li>Doesn't work for policies that
require knowledge that isn’t
available this early in the pipeline
(without having to duplicate a lot
of code)</li>
<li>You have to parse the WSGI environ
dict yourself (this may not be a big
deal, depending on how much
knowledge you need to glean in order
to enforce the policy).
</li>
<li>You have to keep your HTTP path
matching in sync with your
route definitions in the code. If
you have full test coverage, you
will know when you get out of sync.
That being said, API routes tend to
be quite stable in relation to
other parts of the code
implementation once you have settled
on your API spec.</li>
</ul>
<div>I’m sure there are other pros and
cons I missed, but you can make your
own best judgement whether this option
makes sense in Solum’s case.</div>
<div><br>
</div>
<span>
<div style="border-right:medium none;padding-right:0in;padding-left:0in;padding-top:3pt;text-align:left;font-size:11pt;border-bottom:medium none;font-family:Calibri;border-top:#b5c4df 1pt solid;padding-bottom:0in;border-left:medium none">
<span style="font-weight:bold">From:
</span>Doug Hellmann <<a href="mailto:doug.hellmann@dreamhost.com" target="_blank">doug.hellmann@dreamhost.com</a>><br>
<span style="font-weight:bold">Reply-To:
</span>OpenStack Dev <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Date:
</span>Tuesday, January 7, 2014 at
6:54 AM<br>
<span style="font-weight:bold">To: </span>OpenStack
Dev <<a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject:
</span>Re: [openstack-dev]
[Solum][Pecan][Security] Pecan
SecureController vs. Nova policy<br>
</div>
<div>
<div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On
Mon, Jan 6, 2014 at 6:26
PM, Georgy
Okrokvertskhov <span dir="ltr">
<<a href="mailto:gokrokvertskhov@mirantis.com" target="_blank">gokrokvertskhov@mirantis.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi Doug,
<div><br>
</div>
<div>Thank you for pointing to this code. As I see, you use the OpenStack policy framework but not Pecan security features. How do you implement fine-grained access control, like users allowed to read only, writers and admins? Can you block part of the API methods for a specific user, like access to create methods for a specific user role?</div>
</div>
</blockquote>
<div><br>
</div>
<div>
<div class="gmail_default" style="font-size:small">The policy enforcement isn't simple on/off switching in ceilometer, so we're using the policy framework calls in a couple of places within our API code (look through v2.py for examples). As a result, we didn't need to build much on top of the existing policy module to interface with pecan. </div>
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_default" style="font-size:small">For your needs, it shouldn't be difficult to create a couple of decorators to combine with pecan's hook framework to enforce the policy, which might be less complex than trying to match the operating model of the policy system to pecan's security framework. </div>
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_default" style="font-size:small">This is the sort of thing that should probably go through Oslo and be shared, so please consider contributing to the incubator when you have something working.</div>
<div class="gmail_default" style="font-size:small"><br>
</div>
<div class="gmail_default" style="font-size:small">Doug</div>
<br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>Thanks</div>
<div>Georgy</div>
</div>
<div class="gmail_extra">
<div>
<div><br>
<br>
<div class="gmail_quote">On
Mon, Jan 6,
2014 at 2:45
PM, Doug
Hellmann <span dir="ltr">
<<a href="mailto:doug.hellmann@dreamhost.com" target="_blank">doug.hellmann@dreamhost.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div style="font-size:small"><br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
<div>
<div>On Mon,
Jan 6, 2014 at
2:56 PM,
Georgy
Okrokvertskhov
<span dir="ltr"><<a href="mailto:gokrokvertskhov@mirantis.com" target="_blank">gokrokvertskhov@mirantis.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>In the Solum project we will need to implement security and ACL for the Solum API. Currently we use the Pecan framework for the API. Pecan has its own security model based on the SecureController class. At the same time OpenStack widely uses a policy mechanism which uses JSON files to control access to specific API methods.</div>
<div><br>
</div>
<div>I wonder if someone has any experience with implementing security and ACL stuff using the Pecan framework. What is the right way to provide security for the API?</div>
</div>
</blockquote>
<div><br>
</div>
</div>
</div>
<div>
<div style="font-size:small">In ceilometer we are using the keystone middleware and the policy framework to manage arguments that constrain the queries handled by the storage layer.</div>
<div style="font-size:small"><br>
</div>
<div style="font-size:small"><a href="http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/acl.py" target="_blank">http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/acl.py</a></div>
<div style="font-size:small"><br>
</div>
<div style="font-size:small">and</div>
<div style="font-size:small"><br>
</div>
<div style="font-size:small"><a href="http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/controllers/v2.py#n337" target="_blank">http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/controllers/v2.py#n337</a></div>
<div style="font-size:small"><br>
</div>
<div style="font-size:small">Doug</div>
<br>
</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr">
<div><br>
</div>
<div>Thanks</div>
<span><font color="#888888">
<div>Georgy</div>
</font></span></div>
<br>
_______________________________________________<br>
OpenStack-dev
mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</div>
<span><font color="#888888">--
<br>
Georgy
Okrokvertskhov<br>
Technical
Program Manager,<br>
Cloud and
Infrastructure
Services,<br>
Mirantis<br>
<a href="http://www.mirantis.com/" target="_blank">http://www.mirantis.com</a><br>
Tel. <a href="tel:%2B1%20650%20963%209828" value="+16509639828" target="_blank">+1
650 963 9828</a><br>
Mob. <a href="tel:%2B1%20650%20996%203284" value="+16509963284" target="_blank">+1
650 996 3284</a><br>
</font></span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</span></div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Georgy Okrokvertskhov<br>
Technical Program Manager,<br>
Cloud and Infrastructure Services,<br>
Mirantis<br>
<a href="http://www.mirantis.com/" target="_blank">http://www.mirantis.com</a><br>
Tel. <a href="tel:%2B1%20650%20963%209828" value="+16509639828" target="_blank">+1 650
963 9828</a><br>
Mob. <a href="tel:%2B1%20650%20996%203284" value="+16509963284" target="_blank">+1 650
996 3284</a><br>
</div>
</div>
</div>
</div>
</div>
</span>
</div>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Georgy Okrokvertskhov<br>
Technical Program Manager,<br>
Cloud and Infrastructure Services,<br>
Mirantis<br>
<a href="http://www.mirantis.com/" target="_blank">http://www.mirantis.com</a><br>
Tel. <a href="tel:%2B1%20650%20963%209828" value="+16509639828" target="_blank">+1 650 963 9828</a><br>
Mob. <a href="tel:%2B1%20650%20996%203284" value="+16509963284" target="_blank">+1 650 996 3284</a><br>
</div>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Georgy Okrokvertskhov<br>
Technical Program Manager,<br>Cloud and Infrastructure Services,<br>
Mirantis<br>
<a href="http://www.mirantis.com/" target="_blank">http://www.mirantis.com</a><br>
Tel. +1 650 963 9828<br>
Mob. +1 650 996 3284<br>
</div>
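<p>The two enforcement placements this thread compares, a Keystone-style per-method wrapper (option 1) and a path-keyed check in front of the application such as a Pecan hook or WSGI middleware (option 2), worked through as an added example. This is not code from Solum, Keystone, Pecan, ceilometer or any of the posters. It imports neither pecan nor oslo.policy: the rule syntax it evaluates (role:X, rule:Y, "A or B", "@" for allow-all, "!" for deny-all) is an assumed subset of the OpenStack policy language, and the "assembly" resource, the /v1/assemblies paths and the solum.creds environ key (filled by an upstream auth hook) are assumptions for illustration, not Solum's names.</p>

```python
# Added example, not Solum/Keystone/Pecan code: both enforcement placements from the thread.
import json
import re

# Constructed policy file; keys are "<resource>:<action>" as in Keystone.
POLICY_JSON = json.dumps({
    "admin_required": "role:admin",
    "writer_or_admin": "rule:admin_required or role:writer",
    "assembly:get": "@",
    "assembly:create": "rule:writer_or_admin",
})

class Enforcer:
    """Evaluates an assumed subset of the policy syntax: role:X, rule:Y,
    "A or B", "@" (allow all) and "!" (deny all)."""
    def __init__(self, policy_text):
        self.rules = json.loads(policy_text)

    def enforce(self, key, creds):
        rule = self.rules.get(key)  # an unknown key fails closed
        return rule is not None and self._eval(rule, creds, 0)

    def _eval(self, rule, creds, depth):
        if depth > 10:  # a self-referencing "rule:" entry must not loop forever
            raise ValueError("policy rule recursion too deep")
        if " or " in rule:
            return any(self._eval(r, creds, depth + 1) for r in rule.split(" or "))
        if rule in ("@", "!"):
            return rule == "@"
        kind, _, value = rule.partition(":")
        if kind == "role":
            return value in creds.get("roles", [])
        if kind == "rule":
            return self._eval(self.rules.get(value, "!"), creds, depth + 1)
        raise ValueError("unsupported policy check: %r" % rule)

ENFORCER = Enforcer(POLICY_JSON)

def protected(resource, enforcer=ENFORCER):
    """Option 1: per-method wrapper; the policy key comes from f.__name__."""
    def decorator(f):
        key = "%s:%s" % (resource, f.__name__)
        def wrapper(self, creds, *args, **kwargs):
            if not enforcer.enforce(key, creds):
                raise PermissionError(key)
            return f(self, creds, *args, **kwargs)
        wrapper.__name__, wrapper.policy_key = f.__name__, key
        return wrapper
    return decorator

class AssemblyController:
    @protected("assembly")  # "assembly" is an assumed resource name
    def get(self, creds):
        return ["assembly-1"]

    @protected("assembly")
    def create(self, creds, name):
        return {"name": name}

# Option 2: a hand-kept route table (the sync burden Kurt's mail notes); the
# PUT route is deliberately absent from POLICY_JSON to show fail-closed.
ROUTES = [
    ("GET", r"^/v1/assemblies/?$", "assembly:get"),
    ("POST", r"^/v1/assemblies/?$", "assembly:create"),
    ("PUT", r"^/v1/assemblies/[^/]+$", "assembly:update"),
]

def policy_key_for(method, path):
    for m, pattern, key in ROUTES:  # first matching (method, path) wins
        if m == method and re.match(pattern, path):
            return key
    return None

def routes_missing_policy(enforcer=ENFORCER):  # for a unit test: keys the policy lacks
    return sorted({k for _, _, k in ROUTES if k not in enforcer.rules})

class PolicyMiddleware:
    """Option 2: deny before the framework parses; creds assumed in environ["solum.creds"]."""
    def __init__(self, app, enforcer=ENFORCER):
        self.app, self.enforcer = app, enforcer

    def __call__(self, environ, start_response):
        key = policy_key_for(environ.get("REQUEST_METHOD"), environ.get("PATH_INFO", ""))
        # Unmapped paths and keys missing from the policy are denied, not skipped.
        if key is None or not self.enforcer.enforce(key, environ.get("solum.creds", {})):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden"]
        return self.app(environ, start_response)

def ok_app(environ, start_response):  # stand-in for the real Pecan app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def call(app, method, path, roles):  # drive a WSGI app; returns (status, body)
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "solum.creds": {"roles": roles}}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body
```

<p>With option 1 the key is derived from the method name, so a new controller method is protected the moment it is written, while option 2 relies on the route table staying in step with the real routes; routes_missing_policy() is the kind of check a test suite can run to catch the drift Kurt describes, and the middleware denies any path it cannot map or any key the policy file does not define, so a forgotten entry shows up as a 403 rather than as an open endpoint.</p>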