Jump to: navigation, search

Difference between revisions of "DynamicPolicies"

(Evolution)
(Dynamic Policies)
Line 29: Line 29:
 
== Roadmap ==
 
== Roadmap ==
  
=== Manage Policies via API ===
+
=== As a cloud admin, I want to manage Policies via API ===
  
* Initial policies are uploaded from projects to the policy management server
+
Description Bla ...
* Policy updates in the policy management server may occur at any time through the API
 
* The latest policy for a given endpoint is fetched/cached by middleware
 
* Middleware stores it in the directory the service is expecting to find it when doing enforcement
 
  
=== Improve Delegation ===
+
* Specs
 +
** Policy Management API
 +
*** '''TODO: Create Spec'''
 +
** Policy Storage Backend
 +
*** [https://review.openstack.org/#/c/184926/ API spec for managing Attribute hierarchies in the Policy database]
 +
*** [https://review.openstack.org/#/c/184903/ Basic API spec for managing Policy rules in a database]
 +
*** [https://review.openstack.org/#/c/185126/ Policy Mapping API]
  
* Roles may contain other roles, meaning that authorization is inherited to the higher role
+
=== As a cloud admin, I want to have services using the Policies I have defined via API ===
* In addition, users are only able to delegate a subset of their roles on a given scope
 
* Roles could be customized in a domain basis, enabling customers to define whatever is more meaningful to them
 
  
=== Better Default Policies ===
+
Description Bla ...
  
* As consequence of a better delegation mechanism, better default policies will be provided, fixing the bug #968696 (admin anywhere is admin everywhere)
+
* Specs
 +
** [https://review.openstack.org/#/c/134655/ Fetch policy.json from server]
 +
 
 +
=== As a domain admin, I want to define roles that are meaningful to my business ===
 +
 
 +
Description Bla ...
 +
 
 +
* Specs
 +
** [https://review.openstack.org/#/c/133855/ Add support for domain specific roles. (Name-spaced Roles)]
 +
 
 +
=== As a user, I want to delegate only a subset of my roles ===
 +
 
 +
Description Bla ...
 +
 
 +
* Specs
 +
** [https://review.openstack.org/#/c/125704/ Hierarchical Roles]
 +
 
 +
=== As a deployer, I want to have better default policies, distinguishing different admin scopes ===
 +
 
 +
Description Bla ...
 +
 
 +
* Specs
 +
** Improve Default Policies
 +
*** '''TODO: Create Spec'''

Revision as of 13:16, 16 June 2015

Dynamic Policies

Improving Access Control on OpenStack


Weekly Meeting

TBD

Background

OpenStack uses a Role-Based Access Control mechanism to manage authorization, which defines if a user is able to perform actions on resources based on the roles he has assigned on them. Resources include VMs, volumes, networks, etc and are organized into projects, which are owned by domains. Users have roles assigned on domains or projects.

Users get domain or project scoped tokens, which contains the roles the user has assigned on them, and pass this token along to services in requests to perform actions on resources. The services check the roles and the scope from the token against the rules defined for the requested action on the policy.json file to determine if the user has enough privileges.

Evolution

  • How to evolve the policies management mechanism, which currently uses an out-of-band mechanism to update the policy.json files ?
  • How to improve delegation mechanism, allowing users to only delegate a subset of their roles, which may be customized per domain ?
  • How to provide better default policies, fixing the bug in which an admin anywhere is admin everywhere ?

Roadmap

As a cloud admin, I want to manage Policies via API

Description Bla ...

As a cloud admin, I want to have services using the Policies I have defined via API

Description Bla ...

As a domain admin, I want to define roles that are meaningful to my business

Description Bla ...

As a user, I want to delegate only a subset of my roles

Description Bla ...

As a deployer, I want to have better default policies, distinguishing different admin scopes

Description Bla ...

  • Specs
    • Improve Default Policies
      • TODO: Create Spec
Retrieved from "https://wiki.openstack.org/w/index.php?title=DynamicPolicies&oldid=83521"