[openstack-dev] [cross-project] RBAC Policy Basics

Adam Young ayoung at redhat.com
Wed Jun 17 16:47:05 UTC 2015


Policy is supposed to allow access control to work across multiple 
services and endpoints.   However, each service has specified policy 
differently.

Here are some of the basic working assumptions for policy enforcement we 
can use to work towards consistent enforcement.

1) A policy rule should specify:
       Where do I find the scope in this request?
       What role does the token need to contain in order to access 
the API?

Roles are not global.  Roles are always scoped to something.  Just 
because someone has "admin"  on one project or domain does not mean they 
should have it everywhere.  However, we have found a need to have a 
global override.  This is so that a cloud admin can go into any API 
anywhere and fix things.  Even if we keep the mechanism, I assume it will 
take a few iterations to phase out having this specified on each rule.


2) Policy rules should be namespaced by API type.

For example, all of the Keystone policy rule targets start with:
     "identity:"

such as

     "identity:ec2_get_credential": "rule:admin_required or (rule:owner and 
user_id:%(target.credential.user_id)s)"

This means that Glance, Neutron, Nova, and Keystone should be able to 
share a policy file.
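To make the two points above concrete, here is a small stand-alone evaluator for the rule syntax quoted from Keystone's policy file. It is an added example written for this page, not code from the mail or from oslo.policy. The `POLICY` dict is constructed (the "identity:" rules follow Keystone's defaults; "compute:get" is a hypothetical rule from a second service sharing the same file), and the `enforce`, `_tokenize`, `_parse` and `_lookup` names are the example's own. One simplification to note: here `%(target.credential.user_id)s` is resolved as a dotted path into a nested target dict, whereas oslo.policy substitutes into a flat target dict; unknown rule names deny. The last scenario shows the behaviour the mail calls out, namely that a rule built on `role:admin` alone never looks at scope, so "admin" on project p-1 also passes on project p-2.

```python
import re

# Constructed sample policy in the namespaced style the mail describes.
# Grammar supported: rule:<name>, role:<name>, <cred_key>:<literal>,
# <cred_key>:%(target.path)s, "and", "or", parentheses. Empty rule = allow.
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "identity:ec2_get_credential":
        "rule:admin_required or (rule:owner and "
        "user_id:%(target.credential.user_id)s)",
    # hypothetical rule from a second service: scope is target.project_id
    "compute:get": "rule:admin_required or project_id:%(target.project_id)s",
}


def _tokenize(rule):
    """Split on whitespace, then peel leading '(' and trailing ')' off each
    chunk so that '%(target.x)s' keeps its own parentheses intact."""
    tokens = []
    for chunk in rule.split():
        opens = closes = 0
        while chunk.startswith("("):
            opens, chunk = opens + 1, chunk[1:]
        while chunk.endswith(")"):
            closes, chunk = closes + 1, chunk[:-1]
        tokens.extend(["("] * opens)
        if chunk:
            tokens.append(chunk)
        tokens.extend([")"] * closes)
    return tokens


def _parse(tokens):
    """Recursive-descent parser; 'or' binds looser than 'and'."""
    def parse_or(pos):
        left, pos = parse_and(pos)
        while pos < len(tokens) and tokens[pos] == "or":
            right, pos = parse_and(pos + 1)
            left = ("or", left, right)
        return left, pos

    def parse_and(pos):
        left, pos = parse_atom(pos)
        while pos < len(tokens) and tokens[pos] == "and":
            right, pos = parse_atom(pos + 1)
            left = ("and", left, right)
        return left, pos

    def parse_atom(pos):
        if pos >= len(tokens):
            raise ValueError("unexpected end of rule")
        if tokens[pos] == "(":
            node, pos = parse_or(pos + 1)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            return node, pos + 1
        kind, _, value = tokens[pos].partition(":")
        return ("check", kind, value), pos + 1

    node, pos = parse_or(0)
    if pos != len(tokens):
        raise ValueError("trailing tokens: %r" % tokens[pos:])
    return node


def _lookup(target, dotted):
    """Resolve 'target.credential.user_id' in a nested dict (example's own
    convention); a leading 'target.' names the dict itself. None if absent."""
    parts = dotted.split(".")
    node = target
    for part in parts[1:] if parts[0] == "target" else parts:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _eval(node, creds, target, depth):
    if depth > 20:  # guard against rule:a -> rule:a reference cycles
        raise RecursionError("policy rule reference cycle")
    if node[0] == "or":
        return _eval(node[1], creds, target, depth) or _eval(node[2], creds, target, depth)
    if node[0] == "and":
        return _eval(node[1], creds, target, depth) and _eval(node[2], creds, target, depth)
    _, kind, value = node
    if kind == "rule":                       # reference to another named rule
        return _enforce_rule(value, creds, target, depth + 1)
    if kind == "role":                       # role carried in the token
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    match = re.fullmatch(r"%\((.+)\)s", value)
    expected = _lookup(target, match.group(1)) if match else value
    if expected is None:                     # target lacks the scope attribute
        return False
    return kind in creds and str(creds[kind]) == str(expected)


def _enforce_rule(name, creds, target, depth=0):
    rule = POLICY.get(name)
    if rule is None:
        return False                         # unknown action/rule: deny
    if not rule.strip():
        return True                          # empty rule: always allowed
    return _eval(_parse(_tokenize(rule)), creds, target, depth)


def enforce(action, creds, target):
    """True if the token described by `creds` may perform `action` on `target`."""
    return _enforce_rule(action, creds, target)


if __name__ == "__main__":
    # Constructed token credentials: scope is the project the token was issued for.
    member = {"user_id": "u-1", "project_id": "p-1", "roles": ["Member"]}
    admin_p1 = {"user_id": "u-9", "project_id": "p-1", "roles": ["admin"]}
    cred = {"credential": {"user_id": "u-1"}, "user_id": "u-1"}
    print(enforce("identity:ec2_get_credential", member, cred))     # owner -> True
    print(enforce("compute:get", member, {"project_id": "p-2"}))     # wrong scope -> False
    print(enforce("compute:get", admin_p1, {"project_id": "p-2"}))   # admin override -> True
```

Running it prints True, False, True: the member passes the Keystone rule because the `owner` check and the `target.credential.user_id` check both match the token's user, is refused on the compute rule because the token's project does not match the target's project, and the project-p-1 admin passes on project p-2 because `admin_required` checks only the role, which is exactly the global-override behaviour the mail describes.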
