<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.openstack.org/w/index.php?action=history&amp;feed=atom&amp;title=Neutron%2FMake-authz-orthogonal</id>
		<title>Neutron/Make-authz-orthogonal - Revision history</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.openstack.org/w/index.php?action=history&amp;feed=atom&amp;title=Neutron%2FMake-authz-orthogonal"/>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Neutron/Make-authz-orthogonal&amp;action=history"/>
		<updated>2026-07-07T08:18:23Z</updated>
		<subtitle>Revision history for this page on the wiki</subtitle>
		<generator>MediaWiki 1.28.2</generator>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Neutron/Make-authz-orthogonal&amp;diff=24679&amp;oldid=prev</id>
		<title>ThierryCarrez: ThierryCarrez moved page Quantum/Make-authz-orthogonal to Neutron/Make-authz-orthogonal</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Neutron/Make-authz-orthogonal&amp;diff=24679&amp;oldid=prev"/>
				<updated>2013-06-21T15:54:49Z</updated>
		
		<summary type="html">&lt;p&gt;ThierryCarrez moved page &lt;a href=&quot;/wiki/Quantum/Make-authz-orthogonal&quot; class=&quot;mw-redirect&quot; title=&quot;Quantum/Make-authz-orthogonal&quot;&gt;Quantum/Make-authz-orthogonal&lt;/a&gt; to &lt;a href=&quot;/wiki/Neutron/Make-authz-orthogonal&quot; title=&quot;Neutron/Make-authz-orthogonal&quot;&gt;Neutron/Make-authz-orthogonal&lt;/a&gt;&lt;/p&gt;
&lt;table class=&quot;diff diff-contentalign-left&quot; data-mw=&quot;interface&quot;&gt;
				&lt;tr style='vertical-align: top;' lang='en'&gt;
				&lt;td colspan='1' style=&quot;background-color: white; color:black; text-align: center;&quot;&gt;← Older revision&lt;/td&gt;
				&lt;td colspan='1' style=&quot;background-color: white; color:black; text-align: center;&quot;&gt;Revision as of 15:54, 21 June 2013&lt;/td&gt;
				&lt;/tr&gt;&lt;tr&gt;&lt;td colspan='2' style='text-align: center;' lang='en'&gt;&lt;div class=&quot;mw-diff-empty&quot;&gt;(No difference)&lt;/div&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;</summary>
		<author><name>ThierryCarrez</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Neutron/Make-authz-orthogonal&amp;diff=19224&amp;oldid=prev</id>
		<title>Salvatore-orlando: Created page with &quot;= Make Quantum Authorization Configurable =  Please note this specification is still being drafted. Your early feedback is welcome.  == High level description ==  The quantum ...&quot;</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Neutron/Make-authz-orthogonal&amp;diff=19224&amp;oldid=prev"/>
				<updated>2013-03-20T09:33:43Z</updated>
		
		<summary type="html">&lt;p&gt;Created page with &amp;quot;= Make Quantum Authorization Configurable =  Please note this specification is still being drafted. Your early feedback is welcome.  == High level description ==  The quantum ...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;= Make Quantum Authorization Configurable =&lt;br /&gt;
&lt;br /&gt;
Please note this specification is still being drafted. Your early feedback is welcome.&lt;br /&gt;
&lt;br /&gt;
== High level description ==&lt;br /&gt;
&lt;br /&gt;
The quantum codebase is now a bit 'polluted' by policy checks spread throughout db logic and sometimes even plugin logic.&lt;br /&gt;
While per se this is not harmful, it has some drawbacks:&lt;br /&gt;
1) There's no uniformity of style in policy.json&lt;br /&gt;
2) Understanding how authorization works is not trivial, as the checks might be somewhere else in the code&lt;br /&gt;
3) Developers have to explicitly worry about authZ logic, which is mixed with 'business' logic&lt;br /&gt;
4) It is hard for users to understand how to tune authZ in their setup by editing policy.json&lt;br /&gt;
&lt;br /&gt;
The aim of this blueprint is therefore to decouple authorization from request processing.&lt;br /&gt;
We are now in a situation were several policy checks are explicitly performed in the code:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;nowiki&amp;gt;&lt;br /&gt;
salvatore@ubuntu:~/git/quantum$ find ./quantum/db ./quantum/plugins ./quantum/extensions -name \*.py | xargs grep -n &amp;quot;policy.check&amp;quot;&lt;br /&gt;
./quantum/db/l3_db.py:775:        return policy.check(context,&lt;br /&gt;
./quantum/db/servicetype_db.py:205:        return policy.check(context,&lt;br /&gt;
./quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py:806:        return policy.check(context, action, resource)&lt;br /&gt;
./quantum/plugins/nec/nec_plugin.py:139:        return policy.check(context, action, resource)&lt;br /&gt;
./quantum/plugins/linuxbridge/lb_quantum_plugin.py:275:        return policy.check(context, action, resource)&lt;br /&gt;
./quantum/plugins/hyperv/hyperv_quantum_plugin.py:197:        return policy.check(context, action, resource)&lt;br /&gt;
./quantum/plugins/bigswitch/plugin.py:1233:        return policy.check(context, action, resource)&lt;br /&gt;
./quantum/plugins/openvswitch/ovs_quantum_plugin.py:347:        return policy.check(context, action, resource)&lt;br /&gt;
./quantum/plugins/brocade/QuantumPlugin.py:447:        return policy.check(context, action, resource)&lt;br /&gt;
salvatore@ubuntu:~/git/quantum$ find ./quantum/db ./quantum/plugins ./quantum/extensions -name \*.py | xargs grep -n &amp;quot;policy.enforce&amp;quot;&lt;br /&gt;
./quantum/db/l3_db.py:320:            policy.enforce(context,&lt;br /&gt;
./quantum/db/l3_db.py:400:            policy.enforce(context,&lt;br /&gt;
./quantum/db/l3_db.py:780:        return policy.enforce(context,&lt;br /&gt;
./quantum/plugins/nicira/nicira_nvp_plugin/QuantumPlugin.py:809:        return policy.enforce(context, action, resource)&lt;br /&gt;
./quantum/plugins/nec/nec_plugin.py:142:        policy.enforce(context, action, resource)&lt;br /&gt;
./quantum/plugins/linuxbridge/lb_quantum_plugin.py:278:        policy.enforce(context, action, resource)&lt;br /&gt;
./quantum/plugins/hyperv/hyperv_quantum_plugin.py:200:        policy.enforce(context, action, resource)&lt;br /&gt;
./quantum/plugins/bigswitch/plugin.py:1236:        policy.enforce(context, action, resource)&lt;br /&gt;
./quantum/plugins/openvswitch/ovs_quantum_plugin.py:350:        policy.enforce(context, action, resource)&lt;br /&gt;
./quantum/extensions/agentscheduler.py:43:        policy.enforce(request.context,&lt;br /&gt;
./quantum/extensions/agentscheduler.py:52:        policy.enforce(request.context,&lt;br /&gt;
./quantum/extensions/agentscheduler.py:61:        policy.enforce(request.context,&lt;br /&gt;
./quantum/extensions/agentscheduler.py:72:        policy.enforce(request.context,&lt;br /&gt;
./quantum/extensions/agentscheduler.py:81:        policy.enforce(request.context,&lt;br /&gt;
./quantum/extensions/agentscheduler.py:92:        policy.enforce(request.context,&lt;br /&gt;
./quantum/extensions/agentscheduler.py:103:        policy.enforce(request.context,&lt;br /&gt;
./quantum/extensions/agentscheduler.py:114:        policy.enforce(request.context,&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Resulting in explicit policy actions in policy.json:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;nowiki&amp;gt;&lt;br /&gt;
    &amp;quot;extension:provider_network:view&amp;quot;: &amp;quot;rule:admin_only&amp;quot;,&lt;br /&gt;
    &amp;quot;extension:provider_network:set&amp;quot;: &amp;quot;rule:admin_only&amp;quot;,&lt;br /&gt;
    &amp;quot;extension:router:view&amp;quot;: &amp;quot;rule:regular_user&amp;quot;,&lt;br /&gt;
    &amp;quot;extension:router:set&amp;quot;: &amp;quot;rule:admin_only&amp;quot;,&lt;br /&gt;
    &amp;quot;extension:router:add_router_interface&amp;quot;: &amp;quot;rule:admin_or_owner&amp;quot;,&lt;br /&gt;
    &amp;quot;extension:router:remove_router_interface&amp;quot;: &amp;quot;rule:admin_or_owner&amp;quot;,&lt;br /&gt;
    &amp;quot;extension:port_binding:view&amp;quot;: &amp;quot;rule:admin_only&amp;quot;,&lt;br /&gt;
    &amp;quot;extension:port_binding:set&amp;quot;: &amp;quot;rule:admin_only&amp;quot;,&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Once this blueprint is implemented, authZ policy processing should either entirely happen in the base controller class, or (see work item list below) be moved into a separate authZ middleware thus making authZ pluggable as well.&lt;br /&gt;
&lt;br /&gt;
== Work items ==&lt;br /&gt;
&lt;br /&gt;
# 1 - Ensure the policy engine can process authZ for member actions, such as add_router_interface&lt;br /&gt;
# 2 - Allow the policy engine to process also extended resources&lt;br /&gt;
# 3 - Allow the base controller to perform 'view' authZ checking (strip off fields that should not be visibile according to the current rights)&lt;br /&gt;
# 4 - Ensure all extension use the base controller/resource framework (in particular agent extensions)&lt;br /&gt;
# 5 - Move authZ processing from the base controller to a separate middleware in the wsgi pipeline (this might make #4 unnecessary).&lt;br /&gt;
&lt;br /&gt;
Please note that at the moment this blueprint will commit to the first four items as the feasibility of the fifth has not yet been assessed.&lt;br /&gt;
&lt;br /&gt;
== API Changes ==&lt;br /&gt;
&lt;br /&gt;
No Changes&lt;br /&gt;
&lt;br /&gt;
== Data Model Changes ==&lt;br /&gt;
&lt;br /&gt;
No Changes&lt;br /&gt;
&lt;br /&gt;
== Policy File Changes ==&lt;br /&gt;
&lt;br /&gt;
Policy.json will not anymore have 'extension:' rules, which will be replaced by rules like the following:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;nowiki&amp;gt;&lt;br /&gt;
&amp;quot;create_network:provider:network_type&amp;quot;: &amp;quot;rule:admin_only&amp;quot;&lt;br /&gt;
&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Plugin changes  ==&lt;br /&gt;
&lt;br /&gt;
At the end of this blueprint no plugin should have code explicitly checking or enforcing authZ policies&lt;/div&gt;</summary>
		<author><name>Salvatore-orlando</name></author>	</entry>

	</feed>