[openstack-dev] [Congress]Authorization mechanisms for each user

Tim Hinrichs tim at styra.com
Fri Apr 15 15:43:54 UTC 2016


Hi Yuki,

As Masahito mentioned, the usual way to authorize API calls in OpenStack is
through policy.json.  If I remember right, you can make a decision about
whether an API call is permitted using (i) all the values in the API call
and (ii) the Keystone role of the user making the request.  I'm not sure if
you can also use the actual userID of the person making the request or not,
but as soon as you get to 10 users, you'll end up grouping individual users
into roles anyway.

That said, Congress would be valuable for authorization decisions IF those
decisions require information other than (i) values in the API call and
(ii) the role of the user making the request.  For example, if you wanted
to stop someone from deleting a Neutron network whenever there is a Nova VM
attached to that network with status ACTIVE, then policy.json isn't
adequate, and Congress makes sense.

So as Masahito mentioned, if you provide more details about your use case
(in particular what kinds of information you need for making authorization
decisions), we can help you pick the right tool.

Tim




On Fri, Apr 15, 2016 at 1:06 AM Masahito MUROI <muroi.masahito at lab.ntt.co.jp>
wrote:

> Hi Yuki,
>
> This sounds interesting. AFAIK, there is no similar use case to the one you mentioned.
>
> On 2016/04/15 10:13, Yuki Nisiwaki wrote:
> > Hi OpenStackers working on Congress.
> >
> > I want to implement an authorization mechanism for each user, not
> > role-based.
> > For example, User A can change a security group, but User B can't change
> > a security group, like the IAM feature of AWS.
> >
> > In order to achieve it,
> > I'm considering whether I can utilize the Congress feature.
> > I am thinking that I can achieve it by the following steps:
> > 1. create a policy for each user with Datalog in Congress
> > 2. prepare a WSGI filter for each project that confirms the
> > authorization of each user with Congress.
> Could you clarify your use case? I think it can be done by roles and
> modifying policy.json. If you assume A and B are under some conditions,
> what kind of condition do you want to use?
>
> btw, I added [Congress] prefix in the subject.
>
> >
> > I think this use case is very popular and there is someone who thinks
> > the same thing.
> > But there is no information about it on any website (blog, presentation
> > at a summit).
> > So is there anyone who has achieved it?
> > Or does this approach have a point of concern?
> > If you are interested in this approach or think the same thing, I want to
> > know it.
> >
> >
> > Best regards
> >
> > Yuki Nishiwaki
> > NTT Communications
> > Technology development
> > Cloud Core Technology Unit
> >
> >
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe:
> > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
> best regards,
> Masahito
>
>
> --
> 室井 雅仁(Masahito MUROI)
> Software Innovation Center, NTT
> Tel: +81-422-59-4539
>
>
>
>
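The distinction Tim draws above, as an added example that is not code from this thread or from the Congress project: a policy.json-style decision sees only the API call values and the caller's Keystone role, while a Congress-style decision can also join in Nova and Neutron state to refuse deleting a network that still has an ACTIVE VM attached. The server and port tables, request fields and function names are all constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed Nova server table (not real API output): server id -> status
NOVA_SERVERS: Dict[str, str] = {
    "vm-1": "ACTIVE",
    "vm-2": "SHUTOFF",
}

# Constructed Neutron port table: (port_id, network_id, device_id)
NEUTRON_PORTS: List[Tuple[str, str, str]] = [
    ("port-a", "net-1", "vm-1"),  # an ACTIVE VM is attached to net-1
    ("port-b", "net-2", "vm-2"),  # only a stopped VM is attached to net-2
]


def policy_json_allows(role: str, request: Dict[str, str]) -> bool:
    """Decision with the inputs policy.json gets: request values + role.

    Models a rule such as "delete_network": "rule:admin_or_owner".
    Nothing here can see whether a VM is attached to the network.
    """
    return role == "admin" or request["project_id"] == request["owner_project_id"]


def active_vms_on_network(network_id: str, servers: Dict[str, str],
                          ports: List[Tuple[str, str, str]]) -> List[str]:
    """The join a Congress Datalog rule would express, roughly:
    blocked(net) :- port(_, net, vm), server(vm, "ACTIVE")."""
    return sorted(vm for (_, net, vm) in ports
                  if net == network_id and servers.get(vm) == "ACTIVE")


def congress_allows_delete(role: str, request: Dict[str, str],
                           servers: Dict[str, str] = NOVA_SERVERS,
                           ports: List[Tuple[str, str, str]] = NEUTRON_PORTS) -> bool:
    """Tim's rule: the ordinary role/ownership check must pass AND no
    ACTIVE Nova VM may be attached to the network being deleted."""
    if not policy_json_allows(role, request):
        return False
    return not active_vms_on_network(request["network_id"], servers, ports)


if __name__ == "__main__":
    req = {"project_id": "p1", "owner_project_id": "p1", "network_id": "net-1"}
    print(policy_json_allows("member", req))      # True: role/owner check passes
    print(congress_allows_delete("member", req))  # False: vm-1 is ACTIVE on net-1
```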

