[openstack-dev] Remove tenant/project ID from Nova v3 API URLs

Bhandaru, Malini K malini.k.bhandaru at intel.com
Tue May 14 08:58:10 UTC 2013


What if the request comes in with a domain scoped token, for example an admin user for the domain with access to
all the tenants in the domain.  If the tenant-id is eliminated from the url, the tenant-id of interest must still be provided as
a post field to retrict the resources in a get/put/delete.
Regards
Malini

-----Original Message-----
From: Jorge Williams [mailto:jorge.williams at rackspace.com] 
Sent: Tuesday, May 14, 2013 1:34 AM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Remove tenant/project ID from Nova v3 API URLs

Need access to the project_id outside of the nova source and available via REST somehow. I also need a way of accessing the data from other OpenStack APIs for resources outside of nova.

Here's the reason why:  Keystone v3 has the concept of polices in arbitrary languages such as XACML. XACML implementations are essentially attribute based access control systems. Usually there is a Policy Enforcement Point (PEP) which is a separate application that intercepts requests to a service and together with a Policy Decision Point (PDP) grants access to a request by taking a look at attributes of the user, the request itself, the resource, or the environment (current-time etc.).

Currently the project_id of the resource is an attribute of the request, because it is in the URI.  If you remove it from the URI I lose access to it  all together and that means I can't write polices which refer to the project_id of the resource.  I think that's a big deal.

The default built in policy that says that the project_id that the token is scoped must match the project_id of the resource works fine for most deployments, but operators should be able to define their own polices.

-jOrGe W.



On May 13, 2013, at 12:00 PM, Jason Kölker wrote:

> On Mon, May 13, 2013 at 11:19 AM, Jorge Williams 
> <jorge.williams at rackspace.com> wrote:
>> Here's what I'm asking for though:  At the API level, I'd like to tell that that a server belongs to Tenant Y.  How do I do that?  The X-Tenant-Id simply tells me that the token is scoped to Tenant X, it tells me nothing about the server.
> 
> The api looks up the server via conductor or direct db, the query is 
> scoped to the access permissions of the token. The api then has access 
> to the project_id field on the server object and can enforce further 
> restrictions should any extensions need to. Doing scoping via the URl 
> string is insecure. As an API consumer, you have the result of the 
> operation so you have the project_id in the return results to compare 
> at your leisure (except for delete, but I'm not sure what a use case 
> would be to add in the tenant_id in the url just for that, you already 
> have the server_id which was more than likely the result of a get 
> anyway).
> 
> Happy Hacking!
> 
> 7-11
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list