MagnetoDB/specs/rbac

MagnetoDB RBAC
Launchpad: RBAC

Role based access control of apis.

Problem description
Currently there is no way to control the access to apis. Right now there is a simple check in magnetodb which only checks whether the project present in the user's token is same as the project being used in the URL. In short, to create a table in a project the user needs to have a keystone token scoped to that project.

Proposed change

 * 1) Implement role based access control in all apis like all other openstack projects. A file called policy.json would reside in the config directory wherein the magnetodb administrator can specify rules to control access to an api.
 * 2) Enforcement of rules is going to be based only on roles and project_ids. It means that we will use project_id and role from keystone token to enforce rules. The rule engine supports a combination of rules through 'AND', 'OR', 'NOT' clause.
 * 3) The list of apis which are going to be restricted is:
 * 4) create_table
 * 5) delete_table
 * 6) describe_table
 * 7) list_table
 * 8) put_item
 * 9) get_item
 * 10) update_item
 * 11) query
 * 12) scan
 * 13) batch_write
 * 14) batch_get
 * 15) For e.g. A rule such as this "mdb:create_table": "role:admin" would allow any user with admin role to create table in any project.  A rule like "mdb:create_table":"role:admin or tenant:(tenant_id)s". This would enforce the user either to have an admin role or create a table in his project only. A rule like "mdb:create_table": "" would allow everyone to access that api.A rule like "mdb:create_table": "!" wouldn't allow anyone to access that api.

Alternatives
Continue to have the relaxed approach like now.

Security impact
With this change magnetodb would be more secure and administrators would be able to give fine-grained access control to users.

Notifications Impact
None

Other End User Impact
None

Performance Impact
Each time an api call is made to magnetodb, the rule will be checked. As the file policy.json is cached in memory there would be little performance impact.

Other Deployer Impact
Existing deployers of magnetodb can modify policy.json to suit their previous model of authorization.

Developer Impact
None

Implementation
There would be some modification needed in the way context is built. Some more fields need to be added to context. Code for rule checking can be reused from other openstack projects. Appropriate checks for rules have to placed in all api calls.

Assignee(s)
Primary assignee:

Other contributors: 

Work Items

 * 1) Define rules to enforce.
 * 2) List out apis to enforce rules.
 * 3) Enforce policy on each api call.
 * 4) Mock policy in existing unit-tests to make them pass.
 * 5) Write unit-tests for policy.

Dependencies
None.

Documentation Impact
Policy section should be added here http://magnetodb.readthedocs.org/