[openstack-dev] view-only use case but APIs are admin-only

Bak, Ed (HPCS Fort Collins) ed.bak2 at hp.com
Thu Jun 20 14:27:34 UTC 2013


The work described below has been completed with a few changes from the original description.  This change is for nova only.

1. The require_admin_context has been removed in cases where it overrode the policy set in policy.json.

2. Error handling has been cleaned up.  All calls should return an HTTP 403 when a policy check fails.

3. A number of APIs which were grouped together under a single policy have been broken out so more granular policies can be defined.

The default rule still exists.  Blank rules in the policy.json still default to true.  This was done to maintain backward compatibility.

The change is https://review.openstack.org/#/c/32762; it still needs one more core reviewer to approve it.



From: Michael J Fork [mailto:mjfork at us.ibm.com]
Sent: Wednesday, May 01, 2013 3:57 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] view-only use case but APIs are admin-only


"Bak, Ed (HPCS Fort Collins)" <ed.bak2 at hp.com> wrote on 04/25/2013 12:58:07 PM:

> From: "Bak, Ed (HPCS Fort Collins)" <ed.bak2 at hp.com>
> To: OpenStack Development Mailing List <openstack-dev at lists.openstack.org>,
> Date: 04/25/2013 03:18 PM
> Subject: Re: [openstack-dev] view-only use case but APIs are admin-only
>
> We also have a need for various explicit roles which we can't put in
> place because of this issue.  I have also noticed cases where
> certain rules aren't granular enough and several places where an
> incorrect policy returns an HTTP 500 instead of an HTTP 403.  I'm
> willing to fix all of this but I would like some buy-in on a
> solution before I submit the code in order to minimize rework.  I
> can turn this discussion into a blueprint if that is more
> appropriate.  I would like to propose the following:
>
> 1. Remove the require_admin_context everywhere.  Access to
> actions will then only be controlled through roles specified through
> policy.json.
> 2. Fix the cases where a single rule can apply to multiple
> actions.  In most cases the groupings make sense, but making things
> as granular as possible will allow everyone to define rules and
> roles in the most flexible way possible.
> 3. Fix the error handling so that invalid permissions always
> return a 403.
> 4. Remove the concept of a default rule.  In order to avoid
> inadvertently opening up any current admin-only functions, the
> default behavior when a rule is not specified should be a failure
> (or maybe require admin in this case).

+1 to all these proposals (and to turning this into a blueprint).

Just for clarity, are you talking about fixing Nova only or across all the projects?

Michael

-------------------------------------------------
Michael Fork
Architect, OpenStack Development
IBM Systems & Technology Group
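The following is an added illustration, not code from this thread, from nova or from oslo.policy: a toy policy checker that models the policy.json semantics summarised at the top of the page (only the policy decides, no require_admin_context override; a failed check becomes an HTTP 403; granular per-action rules so a view-only role can be expressed; a blank rule means "allowed") and contrasts the kept "default" rule fallback with the fail-closed behaviour proposed in item 4 of the quoted mail. The rule names, action names and request contexts are constructed for the example; the ' or ' / ' and ' / 'rule:' / 'role:' syntax is a simplified version of the policy language.

```python
"""Toy model of the policy.json semantics discussed in this thread.

Constructed illustration only: this is NOT nova's or oslo.policy's code. It
models three behaviours the thread talks about: granular per-action rules, a
blank rule meaning "allowed", and a missing rule either falling back to the
"default" entry or failing closed.
"""


class PolicyNotAuthorized(Exception):
    """Raised when a policy check fails; the API layer maps it to HTTP 403."""

    http_status = 403

    def __init__(self, action):
        super().__init__(f"Policy doesn't allow {action} to be performed.")
        self.action = action


def _check_term(policy, term, context):
    """Evaluate a single term: '' (always true), 'role:<name>' or 'rule:<name>'."""
    term = term.strip()
    if term == "":
        return True  # blank rule: allowed, the backward-compatible behaviour
    kind, _, value = term.partition(":")
    if kind == "role":
        return value in context["roles"]
    if kind == "rule":
        referenced = policy.get(value)
        # An unknown rule reference denies rather than silently allowing.
        return referenced is not None and rule_allows(policy, referenced, context)
    raise ValueError(f"unknown check kind {kind!r} in {term!r}")


def rule_allows(policy, rule, context):
    """Evaluate a rule string: ' or ' joins alternatives, ' and ' joins terms."""
    return any(
        all(_check_term(policy, term, context) for term in alternative.split(" and "))
        for alternative in rule.split(" or ")
    )


def enforce(policy, action, context, fail_closed=False):
    """Check `action` for `context`; raise PolicyNotAuthorized on denial.

    Only the policy decides: there is no separate require_admin_context
    override, which is what item 1 of the change removes.

    fail_closed=False: an action absent from the policy falls back to the
    'default' rule (the backward-compatible behaviour the merged change kept).
    fail_closed=True: an absent rule is a denial (item 4 of the proposal).
    """
    if action in policy:
        rule = policy[action]
    elif fail_closed or "default" not in policy:
        raise PolicyNotAuthorized(action)
    else:
        rule = policy["default"]
    if not rule_allows(policy, rule, context):
        raise PolicyNotAuthorized(action)


def api_call(policy, action, context, fail_closed=False):
    """Simulate the API layer: 200 on success, 403 on a failed policy check."""
    try:
        enforce(policy, action, context, fail_closed)
    except PolicyNotAuthorized as exc:
        return exc.http_status
    return 200


# Constructed policy fragment (rule and action names are examples, not nova's
# real policy.json). Splitting get/get_all from delete is the granularity that
# lets a view-only role exist at all.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_viewer": "rule:context_is_admin or role:viewer",
    "compute:get": "rule:admin_or_viewer",
    "compute:get_all": "rule:admin_or_viewer",
    "compute:delete": "rule:context_is_admin",
    "compute:start": "",  # blank rule: anyone, kept for backward compatibility
    "default": "rule:context_is_admin",
}

# Constructed request contexts: roles only, since is_admin no longer overrides.
VIEWER = {"roles": ["viewer"]}
ADMIN = {"roles": ["admin"]}

if __name__ == "__main__":
    for ctx_name, ctx in (("viewer", VIEWER), ("admin", ADMIN)):
        for action in ("compute:get", "compute:delete", "compute:start", "compute:reboot"):
            print(f"{ctx_name:6} {action:15} -> {api_call(POLICY, action, ctx)}")
    # The same unlisted action under the proposal's fail-closed behaviour:
    print("admin  compute:reboot  (fail closed) ->",
          api_call(POLICY, "compute:reboot", ADMIN, fail_closed=True))
```

The interesting row is the unlisted action (compute:reboot, a constructed name): with the default rule it is admin-only, which is what keeps the backward-compatible behaviour from opening anything up, while a blank rule such as the one on compute:start stays open, so an operator reviewing policy.json for a view-only deployment needs to look for blank entries as well as for entries that are missing.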