Jump to: navigation, search

Difference between revisions of "PolicyDatabase"

(Importing.a policy file to the Database Schema)
(Importing.a policy file to the Database Schema)
Line 274: Line 274:
ok    "identity:list_regions": "",
ok    "identity:list_regions": "",
ok    "identity:create_region": "rule:admin_required",
ok    "identity:create_region": "rule:admin_required",
==   "identity:ec2_create_credential": "rule:admin_or_owner",
ok   "identity:ec2_create_credential": "rule:admin_or_owner",
     "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
     "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
     "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
     "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
Line 303: Line 303:
| "000008" || "C00001" || "identity:ec2_create_credential-rule:admin_or_owner_001"
| "000008" || "C00001" || "identity:ec2_create_credential-rule:admin_or_owner_001"
| "000009" || "C00005" || "identity:ec2_create_credential-service"
| "000009" || "C00008" || "identity:ec2_create_credential-action"
| "000009" || "C00002" || "identity:ec2_create_credential-rule:admin_or_owner_002"
| "00000A" || "C00005" || "identity:ec2_create_credential-service"
| "00000A" || "C00008" || "identity:ec2_create_credential-action"
| "00000A" || "C00004" || "identity:ec2_create_credential-rule:admin_or_owner_003"
| Exemplo || Exemplo || Exemplo
| Exemplo || Exemplo || Exemplo

Revision as of 22:13, 26 February 2015

Policy Relational Database Schema for Openstack


This document describes a relational database schema that stores security policies for Openstack. This schema reflects the current policy engine rules, stored in policy.json files.

Database Schema

The following figure presents the database schema to store security policies in Openstack.

Policy Database Schema

The purpose of all these tables are described below.


Represents the Openstack Policy. This is a superset of all conditions that needs to be verified in the whole system.

Policies are stored in the Disjunctive Normal Form (DNF). This means they are converted to simple conditions combined by the AND logical operator, which are combined by the OR logical operator.

Eg.: Suppose C1, C2, C3, C4, C5 and C6 are conditions to be verified, a policy can be written as:

      (C1 and C2 and C3) or C4 or (C5 and C6)

This structure is represented by the tree below.

                /    |    \
             AND    AND    AND
           /  | \    |    /   \
          C1 C2 C3  C4   C5   C6

We can say that all policies in Openstack are implicitly combined using the OR logical operator. It means we can see entries in a policy.json files as follows: (action: "identity:get_user" AND rule: "voadmin") OR (action: "identity:list_users" AND rule: "admin_required") OR ...

That makes the Policy entry a super "OR" composed by multiple "AND" entries.

In the example above, you can say a rule can be recursively decomposed in OR or AND statements. But, at the end, they can be transformed into DNF by recursively applying the following rules:

  1. (A OR B) AND C = (A AND C) OR (B AND C)
  2. (A OR B) AND (C OR D) = (A AND C) OR (A AND D) OR (B AND C) OR (B AND D)

At the end, all entries in all files will be combined in a super "OR" structure.

The description field is optional, and can describe the meaning of the Policy.

The version represents the date and time of it's last change (or creation, if no changes are done). When a policy is modified, this field is updated. A copy of the old version should be kept in another table/database in order to make it possible to roll back to a previous version. This mechanism is not detailed in this document.

The enabled field must be set to "TRUE" in order to the policy be verified.

Policies can be optionally scoped in the future. This means that they are only visible and valid for a given Domain or Project. This is important in order to keep them completely isolated for tenant's privacy.


Scoped policies are only visible and valid for a given Domain or Project. A scope of a policy is composed by a type, which can be "Domain" or "Project", and the value of "Domain id" or "Project id" to be verified. Scopes can optionally have a description.

OR Rule

Each Openstack Policy is composed by one "OR structure". This structure is formed by multiple "AND structures".

When an OR expression is evaluated:

  • If the result of one "AND condition" is "TRUE", the access is granted.
  • Otherwise, the "AND conditions" continue to be verified.
  • If all "AND conditions" are "FALSE", the access is denied.

The OR Rule can have a label, that should be a simple description of its purpose. Usually, it represents the "OR structure of Policy x".

Just like the Policy, the version represents the date and time of it's last change (or creation, if no changes are done). When a OR condition is modified, this field is updated. A copy of the old version should be kept in another table/database in order to make it possible to roll back to a previous version. This mechanism is not detailed in this document.

The enabled field must be set to "TRUE" in order to the OR rule be verified.

AND Rule

Each "OR Rule" is composed by multiple "AND structures". An "AND structure" is formed by multiple conditions.

When an AND expression is evaluated:

  • If the result of one "condition" is "FALSE", the result is "FALSE".
  • Otherwise, the "conditions" continue to be verified.
  • If all "AND conditions" are "TRUE", the result is "TRUE".

The AND Rule can have a label, that should be a simple description of its purpose.

Just like the Policy and the OR Rule, the version represents the date and time of it's last change (or creation, if no changes are done). When a AND condition is modified, this field is updated. A copy of the old version should be kept in another table/database in order to make it possible to roll back to a previous version. This mechanism is not detailed in this document.

The enabled field must be set to "TRUE" in order to the AND rule be verified.


A condition represents the basic element of a policy. The policy engine will verify if the content of the "attribute" field matches with the "value" one. No operator is provided, since it is always, implicitly, the equals (==) operator. A value can be a literal (eg. a string or a number) or a variable, which will be interpreted by the Policy Engine.

Attributes can be of different types, for instance:

  • Action

Policies in Openstack are assigned to Actions. Actions are represented in the policy.json file by "service:action" entries. They serve as triggers for the Policy Engines to know which rule will be verified. In this database model, they are stored as conditions.

  • Role

Roles in Openstack represent Subjects. A user in a domain or project can be directly assigned to roles, or can be part of a group which is assigned to a role. A Role condition will make Policy Engines to verify if the user has a specific role.

  • Other types

Despite Openstack uses an RBAC engine, it allows other types of attribute checking in their policies. For instance, the entry below verifies if the user's id matches with the content of the variable user_id. user_id:%(user_id)s The "user_id" is also considered as an Attribute type in this database model.

Labels are descriptions to the Condition. For instance, the condition "user_id:%(user_id)s" has the label "owner". Conditions are not mandatory (can be NULL).


Each type of attribute must have an entry in this table. An attribute has an id and a label. Eg. 1 - Action, 2 - Role, 3 - User_id, ...

Or_Rule_has_And_Rule | And_Rule_has_Condition

OR rules and AND rules are combined in the Or_Rule_has_And_Rule table. Similarly, AND rules and conditions are combined in the And_Rule_has_Condition table. These tables represent a many to many relationship of their components.

This allows a single "AND" entry to be part of multiple "OR Rules", or a single condition to be part of multiple "AND Rules". Therefore, when a "AND" entry or condition is modified, it affects all the "OR Rules" or "AND Rules" (respectively) which reffers to it.

Supported Operations

Policies stored in the database will support CRUD operations on policies, and also complex SQL queries, for instance, to find out which are the necessary conditions to perform a given action.

Besides these, two operations will also be supported:

  • Import policy.json file into the database: In this operation, policies conflicts will be eliminated. Duplicate rules will also be removed.
  • Export policies from database to new policy.json files. These new files will reflect the managed set of rules. It's important to say that, since rules are decomposed to DNF and not stored in it's original syntax, the new generated policy files will be semantically equivalent to their original, but can be syntactically different.

Importing.a policy file to the Database Schema

To show how the Database Scheme is applicable, we present a database representation for the following lines of Keystone's policy.json.

   "admin_required": "role:admin or is_admin:1",
   "service_role": "role:service",
   "service_or_admin": "rule:admin_required or rule:service_role",
   "owner" : "user_id:%(user_id)s",
   "admin_or_owner": "rule:admin_required or rule:owner",
   "default": "rule:admin_required",
   "identity:list_regions": "",
   "identity:create_region": "rule:admin_required",
   "identity:ec2_create_credential": "rule:admin_or_owner",
   "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
   "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",


id description or_rule_id version enabled scope_id
"a2f57b" "Openstack Security Policy" "5e98b2" "2015-02-26 14:00:00" TRUE NULL


id label version enabled
"5e98b2" "OR Rule for Openstack Security Policy" "2015-02-26 14:00:01" TRUE


id label version enabled
"000001" "role: admin" "2015-02-26 14:01:01" TRUE
"000002" "is_admin:1" "2015-02-26 14:01:02" TRUE
"000003" "role: service" "2015-02-26 14:01:03" TRUE
"000004" "user_id:%(user_id)s" "2015-02-26 14:01:04" TRUE
"000005" "identity:list_regions" "2015-02-26 14:01:05" TRUE
"000006" "identity:create_region_001" "2015-02-26 14:01:06" TRUE
"000007" "identity:create_region_002" "2015-02-26 14:01:07" TRUE
"000008" "identity:ec2_create_credential_001" "2015-02-26 14:01:08" TRUE
"000009" "identity:ec2_create_credential_002" "2015-02-26 14:01:09" TRUE
"00000A" "identity:ec2_create_credential_003" "2015-02-26 14:01:10" TRUE
"00000B" "identity:create_trust" "2015-02-26 14:01:11" TRUE
"00000C" "user_id:%(trust.trustor_user_id)s" "2015-02-26 14:01:12" TRUE
"00000D" "identity:ec2_delete_credential_001" "2015-02-26 14:01:13" TRUE
"00000E" "identity:ec2_delete_credential_002" "2015-02-26 14:01:14" TRUE
"00000F" "identity:ec2_delete_credential_003" "2015-02-26 14:01:15" TRUE


id description
"A00001" "service"
"A00002" "action"
"A00003" "role"
"A00004" "is_admin"
"A00005" "user_id"


id label attribute_id value version enabled
"C00001" "role:admin" "A00003" "admin" "2015-02-26 14:02:01" TRUE
"C00002" "is_admin:1" "A00004" "1" "2015-02-26 14:02:02" TRUE
"C00003" "service_role" "A00003" "service" "2015-02-26 14:02:03" TRUE
"C00004" "owner" "A00005" "%(user_id)s" "2015-02-26 14:02:04" TRUE
"C00005" "service_identity" "A00001" "identity" "2015-02-26 14:02:05" TRUE
"C00006" "action_list_regions" "A00002" "list_regions" "2015-02-26 14:02:06" TRUE
"C00007" "action_create_region" "A00002" "create_region" "2015-02-26 14:02:07" TRUE
"C00008" "action_ec2_create_credential" "A00002" "ec2_create_credential" "2015-02-26 14:02:08" TRUE
"C00009" "action_create_trust" "A00002" "create_trust" "2015-02-26 14:02:09" TRUE
"C0000A" "user_id:%(trust.trustor_user_id)s" "A00005" "%(trust.trustor_user_id)s" "2015-02-26 14:02:10" TRUE
"C0000B" "action_ec2_delete_credential" "A00002" "ec2_delete_credential" "2015-02-26 14:02:11" TRUE
"C0000C" "user_id:%(target.credential.user_id)s" "A00005" "%(target.credential.user_id)s" "2015-02-26 14:02:12" TRUE


   "admin_required": "role:admin or is_admin:1",
   "service_role": "role:service",
   "service_or_admin": "rule:admin_required or rule:service_role",
   "owner" : "user_id:%(user_id)s",
   "admin_or_owner": "rule:admin_required or rule:owner",
   "default": "rule:admin_required",

ok "identity:list_regions": "", ok "identity:create_region": "rule:admin_required", ok "identity:ec2_create_credential": "rule:admin_or_owner",

   "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
   "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
and_rule_id condition_id Description
"000005" "C00005" "identity:list_regions-service"
"000005" "C00006" "identity:list_regions-action"
"000006" "C00005" "identity:create_region-service"
"000006" "C00007" "identity:create_region-action"
"000006" "C00001" "identity:create_region-rule:admin_required_001"
"000007" "C00005" "identity:create_region-service"
"000007" "C00007" "identity:create_region-action"
"000007" "C00002" "identity:create_region-rule:admin_required_002"
"000008" "C00005" "identity:ec2_create_credential-service"
"000008" "C00008" "identity:ec2_create_credential-action"
"000008" "C00001" "identity:ec2_create_credential-rule:admin_or_owner_001"
"000009" "C00005" "identity:ec2_create_credential-service"
"000009" "C00008" "identity:ec2_create_credential-action"
"000009" "C00002" "identity:ec2_create_credential-rule:admin_or_owner_002"
"00000A" "C00005" "identity:ec2_create_credential-service"
"00000A" "C00008" "identity:ec2_create_credential-action"
"00000A" "C00004" "identity:ec2_create_credential-rule:admin_or_owner_003"
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo
Exemplo Exemplo Exemplo