[openstack-dev] [Solum][Pecan][Security] Pecan SecureController vs. Nova policy

Georgy Okrokvertskhov gokrokvertskhov at mirantis.com
Wed Jan 8 16:41:29 UTC 2014


Hi Kurt,

As for WSGI middleware I think about Pecan hooks which can be added before
actual controller call. Here is an example how we added a hook for keystone
information collection:
https://review.openstack.org/#/c/64458/4/solum/api/auth.py

What do you think, will this approach with Pecan hooks work?

Thanks
Georgy


On Tue, Jan 7, 2014 at 2:25 PM, Kurt Griffiths <kurt.griffiths at rackspace.com> wrote:

>  You might also consider doing this in WSGI middleware:
>
>  Pros:
>
>    - Consolidates policy code in one place, making it easier to audit
>    and maintain
>    - Simple to turn policy on/off – just don’t insert the middleware when
>    off!
>    - Does not preclude the use of oslo.policy for rule checking
>    - Blocks unauthorized requests before they have a chance to touch the
>    web framework or app. This reduces your attack surface and can improve
>    performance (since the web framework has yet to parse the request).
>
> Cons:
>
>    - Doesn't work for policies that require knowledge that isn’t
>    available this early in the pipeline (without having to duplicate a lot of
>    code)
>    - You have to parse the WSGI environ dict yourself (this may not be a
>    big deal, depending on how much knowledge you need to glean in order to
>    enforce the policy).
>    - You have to keep your HTTP path matching in sync with your
>    route definitions in the code. If you have full test coverage, you will
>    know when you get out of sync. That being said, API routes tend to be quite
>    stable in relation to other parts of the code implementation once you
>    have settled on your API spec.
>
> I’m sure there are other pros and cons I missed, but you can make your own
> best judgement whether this option makes sense in Solum’s case.
>
>   From: Doug Hellmann <doug.hellmann at dreamhost.com>
> Reply-To: OpenStack Dev <openstack-dev at lists.openstack.org>
> Date: Tuesday, January 7, 2014 at 6:54 AM
> To: OpenStack Dev <openstack-dev at lists.openstack.org>
> Subject: Re: [openstack-dev] [Solum][Pecan][Security] Pecan
> SecureController vs. Nova policy
>
>
>
>
> On Mon, Jan 6, 2014 at 6:26 PM, Georgy Okrokvertskhov <
> gokrokvertskhov at mirantis.com> wrote:
>
>> Hi Doug,
>>
>>  Thank you for pointing to this code. As I see, you use the OpenStack policy
>> framework but not Pecan security features. How do you implement fine-grained
>> access control, like users allowed to read only, writers and admins? Can you
>> block part of the API methods for a specific user, like access to create methods
>> for a specific user role?
>>
>
>  The policy enforcement isn't simple on/off switching in ceilometer, so
> we're using the policy framework calls in a couple of places within our API
> code (look through v2.py for examples). As a result, we didn't need to
> build much on top of the existing policy module to interface with pecan.
>
>  For your needs, it shouldn't be difficult to create a couple of
> decorators to combine with pecan's hook framework to enforce the policy,
> which might be less complex than trying to match the operating model of the
> policy system to pecan's security framework.
>
>  This is the sort of thing that should probably go through Oslo and be
> shared, so please consider contributing to the incubator when you have
> something working.
>
>  Doug
>
>
>
>>
>>  Thanks
>> Georgy
>>
>>
>> On Mon, Jan 6, 2014 at 2:45 PM, Doug Hellmann <
>> doug.hellmann at dreamhost.com> wrote:
>>
>>>
>>>
>>>
>>>  On Mon, Jan 6, 2014 at 2:56 PM, Georgy Okrokvertskhov <
>>> gokrokvertskhov at mirantis.com> wrote:
>>>
>>>>  Hi,
>>>>
>>>>  In the Solum project we will need to implement security and ACL for the Solum
>>>> API. Currently we use the Pecan framework for the API. Pecan has its own security
>>>> model based on the SecureController class. At the same time OpenStack widely
>>>> uses a policy mechanism which uses json files to control access to specific
>>>> API methods.
>>>>
>>>>  I wonder if someone has any experience with implementing security and
>>>> ACL stuff with using Pecan framework. What is the right way to provide
>>>> security for API?
>>>>
>>>
>>>   In ceilometer we are using the keystone middleware and the policy
>>> framework to manage arguments that constrain the queries handled by the
>>> storage layer.
>>>
>>>
>>> http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/acl.py
>>>
>>>  and
>>>
>>>
>>> http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/controllers/v2.py#n337
>>>
>>>  Doug
>>>
>>>
>>>
>>>>
>>>>  Thanks
>>>>  Georgy
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>


-- 
Georgy Okrokvertskhov
Technical Program Manager,
Cloud and Infrastructure Services,
Mirantis
http://www.mirantis.com
Tel. +1 650 963 9828
Mob. +1 650 996 3284
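The WSGI-middleware option Kurt lays out above, as an added example that is not Solum's, ceilometer's or Pecan's code: a route-to-rule table enforced in front of the application, with the policy written in the policy.json style the thread refers to. It assumes the keystone auth_token middleware runs upstream and has already set the X-Identity-Status, X-User-Id, X-Project-Id and X-Roles headers; the rule names, the "plans" resource, the routes and the tiny rule evaluator are illustrative stand-ins (a real deployment would use oslo policy for rule checking, as Kurt notes). Unknown routes are denied rather than passed through, so a route table that drifts from the application's real routes surfaces as a 403 instead of an unchecked request.

```python
import json
import re

# Constructed policy in the policy.json style OpenStack projects use.  Rule
# names and the "plans" resource are illustrative, not Solum's real policy.
POLICY_JSON = """{
    "admin_required": "role:admin",
    "default": "rule:admin_required",
    "plans:index": "",
    "plans:create": "role:admin or role:writer",
    "plans:delete": "rule:admin_required"
}"""

# Route -> rule table.  It has to be kept in sync with the app's real routes
# (the con raised in the thread); paths it does not know are denied below,
# so drift surfaces as a 403 rather than as an unchecked request.
ROUTES = [
    ("GET",    re.compile(r"^/v1/plans/?$"),     "plans:index"),
    ("POST",   re.compile(r"^/v1/plans/?$"),     "plans:create"),
    ("DELETE", re.compile(r"^/v1/plans/[^/]+$"), "plans:delete"),
]


class Enforcer:
    """Stand-in for oslo policy covering the subset used above: "" (allow),
    "role:<name>" and "rule:<name>", joined by "or" / "and" ("and" binds
    tighter).  Anything it does not recognise fails closed."""

    def __init__(self, rules):
        self.rules = rules

    def enforce(self, rule, creds, _depth=0):
        if _depth > 10:                          # cyclic "rule:" references
            raise ValueError("rule recursion too deep: %s" % rule)
        expr = self.rules.get(rule)
        if expr is None:                         # unknown rule -> "default"
            return rule != "default" and self.enforce("default", creds, _depth + 1)
        if not expr.strip():
            return True
        return any(all(self._term(t.strip(), creds, _depth) for t in conj.split(" and "))
                   for conj in expr.split(" or "))

    def _term(self, term, creds, depth):
        kind, _, value = term.partition(":")
        if kind == "role":
            return value in creds.get("roles", ())
        if kind == "rule":
            return self.enforce(value, creds, depth + 1)
        return False


class PolicyMiddleware:
    """Rejects unauthorized requests before the web framework sees them."""

    def __init__(self, app, enforcer, routes):
        self.app, self.enforcer, self.routes = app, enforcer, routes

    def __call__(self, environ, start_response):
        # Identity headers are those keystone auth_token leaves in the environ.
        if environ.get("HTTP_X_IDENTITY_STATUS") != "Confirmed":
            return self._reject(start_response, "401 Unauthorized")
        creds = {"user_id": environ.get("HTTP_X_USER_ID"),
                 "project_id": environ.get("HTTP_X_PROJECT_ID"),
                 "roles": [r.strip() for r in environ.get("HTTP_X_ROLES", "").split(",")
                           if r.strip()]}
        method, path = environ.get("REQUEST_METHOD", "GET"), environ.get("PATH_INFO", "/")
        for route_method, pattern, rule in self.routes:
            if route_method == method and pattern.match(path):
                if self.enforcer.enforce(rule, creds):
                    return self.app(environ, start_response)
                break                            # matched, but denied
        return self._reject(start_response, "403 Forbidden")   # denied or unknown route

    @staticmethod
    def _reject(start_response, status):
        body = status.encode()
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
        return [body]


def protected_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"reached app"]


def call(app, method, path, roles="", identity="Confirmed"):
    """Drive a WSGI app in-process (no server) and return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "HTTP_X_IDENTITY_STATUS": identity, "HTTP_X_USER_ID": "u1",
               "HTTP_X_PROJECT_ID": "p1", "HTTP_X_ROLES": roles}
    seen = {}
    body = b"".join(app(environ, lambda s, h, exc=None: seen.setdefault("status", s)))
    return seen["status"], body.decode()


APP = PolicyMiddleware(protected_app, Enforcer(json.loads(POLICY_JSON)), ROUTES)
```

`call(APP, "POST", "/v1/plans", roles="member")` comes back 403 without `protected_app` ever running, while the same request with `roles="writer"` reaches it; a request whose X-Identity-Status is anything but "Confirmed" is refused with 401 before any rule is consulted. The default-deny on unmatched paths is the check that makes the "keep path matching in sync with the routes" con safe to live with: a forgotten route breaks loudly in tests rather than silently skipping policy.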

