[openstack-dev] A (probably) interesting authZ question

Salvatore Orlando sorlando at nicira.com
Tue Apr 30 22:57:00 UTC 2013


Hi,

I am sending this to a broader audience since, recently, for a patch on
openstack-network we've come across a peculiar authZ problem, which might
have already been solved in some other project.
Basically, some API resources have composite attributes, i.e. attributes
whose value is a dict.
In some cases there might be a need to authorize access to such attributes.

For instance, in this specific case we have:

"router" : {
   <... some router stuff ..>
   "external_gateway_info" : {
        "network_id": "some_uuid",
        "enable_snat": "true"
   },
   < .. some more router stuff ... >
}

and we would like to say that the policy for setting enable_snat must be
rule:admin_only.
There are several options, among which:

1) This way of doing authZ does not make sense at all. authZ should be
enforced on resources, not single attributes.
2) If the particular attribute comes from some specific extension, instead
of policing access one should be allowed to turn administratively on/off
the extension itself
3) We should have a rule check for sub-attributes (like FieldCheck in
quantum/policy.py).
4) The enable_snat attribute should be moved to the first-level resource,
and authZ checked as with any other attribute

Any opinion on the subject would be greatly appreciated.

Regards,
Salvatore
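As an added illustration of option 3 (a rule check that reaches into a dict-valued attribute), the following example is not part of the original mail and is not quantum/policy.py or any OpenStack project's code. It assumes a hypothetical flat policy map keyed by "action" and "action:dotted.path", two made-up rules (admin_only, admin_or_owner), and a constructed request body shaped like the router example above. The resource-level rule is checked first; then every leaf attribute present in the request body that has its own policy entry is checked separately, so enable_snat can be restricted to admins without moving it out of external_gateway_info.

```python
"""Added example: enforcing a policy on a nested (dict-valued) attribute.

Illustrative code written for this thread, not quantum/policy.py or any
OpenStack project's code. The policy keys and rule names are assumptions
chosen to mirror the router example in the mail.
"""

# Constructed sample policy: "action" keys hold the resource-level rule,
# "action:dotted.path" keys hold per-attribute rules. Nested attributes
# are addressed with a dotted path relative to the resource body.
POLICY = {
    "update_router": "rule:admin_or_owner",
    "update_router:external_gateway_info.enable_snat": "rule:admin_only",
}

# Constructed rule implementations: each takes the caller's credentials
# and the target resource and returns True when the caller is allowed.
RULES = {
    "admin_only": lambda creds, target: "admin" in creds["roles"],
    "admin_or_owner": lambda creds, target: (
        "admin" in creds["roles"]
        or creds["tenant_id"] == target.get("tenant_id")
    ),
}


def _flatten(body, prefix=""):
    """Yield (dotted_path, value) for every leaf in a nested dict."""
    for key, value in body.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from _flatten(value, path)
        else:
            yield path, value


def _check_rule(rule_ref, creds, target):
    """Evaluate a reference of the form "rule:<name>" against RULES."""
    kind, _, name = rule_ref.partition(":")
    if kind != "rule" or name not in RULES:
        raise ValueError(f"unknown rule reference {rule_ref!r}")
    return RULES[name](creds, target)


def denied_attributes(action, body, creds, target):
    """Return the dotted paths in `body` the caller may not set.

    The resource-level rule is evaluated first; if it fails, the whole
    request is denied (reported as "<resource>"). Otherwise every leaf
    attribute in the request body that has its own policy entry is checked
    individually; attributes without an entry inherit the resource decision.
    """
    if not _check_rule(POLICY[action], creds, target):
        return ["<resource>"]
    denied = []
    for path, _value in _flatten(body):
        rule_ref = POLICY.get(f"{action}:{path}")
        if rule_ref is not None and not _check_rule(rule_ref, creds, target):
            denied.append(path)
    return denied


def enforce(action, body, creds, target):
    """Raise PermissionError if any part of the request is not authorized."""
    denied = denied_attributes(action, body, creds, target)
    if denied:
        raise PermissionError(f"{action}: not authorized for {', '.join(denied)}")
    return True


if __name__ == "__main__":
    # Constructed request body mirroring the mail's router example.
    body = {"external_gateway_info": {"network_id": "some_uuid",
                                      "enable_snat": True}}
    owner = {"roles": ["member"], "tenant_id": "t1"}
    admin = {"roles": ["admin"], "tenant_id": "ops"}
    router = {"tenant_id": "t1"}
    print(denied_attributes("update_router", body, owner, router))
    # -> ['external_gateway_info.enable_snat']
    print(denied_attributes("update_router", body, admin, router))
    # -> []
```

The owner of the router may still change network_id, because only the enable_snat leaf carries its own rule; an owner request that includes enable_snat is rejected with the offending path named, and a caller who fails the resource-level rule never reaches the per-attribute checks.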