Jump to: navigation, search

Difference between revisions of "DynamicPolicies"

(Roadmap)
(Roadmap)
Line 40: Line 40:
 
*** '''TODO: Create Spec'''
 
*** '''TODO: Create Spec'''
 
** Policy Storage Backend
 
** Policy Storage Backend
 +
*** [https://review.openstack.org/#/c/133814 Policy rules mangaged from a database]
 
*** [https://review.openstack.org/#/c/184926/ API spec for managing Attribute hierarchies in the Policy database]
 
*** [https://review.openstack.org/#/c/184926/ API spec for managing Attribute hierarchies in the Policy database]
 
*** [https://review.openstack.org/#/c/184903/ Basic API spec for managing Policy rules in a database]
 
*** [https://review.openstack.org/#/c/184903/ Basic API spec for managing Policy rules in a database]
Line 55: Line 56:
 
** [https://review.openstack.org/#/c/134655/ Fetch policy.json from server]
 
** [https://review.openstack.org/#/c/134655/ Fetch policy.json from server]
  
=== As a domain admin, I want to define roles that are meaningful to my business ===
+
=== US 3 - As a domain admin, I want to define roles that are meaningful to my business ===
  
 
'''Depends On:''' ''None''
 
'''Depends On:''' ''None''
Line 65: Line 66:
 
** [https://review.openstack.org/#/c/133855/ Add support for domain specific roles. (Name-spaced Roles)]
 
** [https://review.openstack.org/#/c/133855/ Add support for domain specific roles. (Name-spaced Roles)]
  
=== US 3 - As a user, I want to define role hierarchies, allowing one to only delegate a subset of her roles ===
+
=== US 4 - As a user, I want to define role hierarchies, allowing one to only delegate a subset of her roles ===
  
 
'''Depends On:''' ''None''
 
'''Depends On:''' ''None''
Line 75: Line 76:
 
** [https://review.openstack.org/#/c/125704/ Hierarchical Roles]
 
** [https://review.openstack.org/#/c/125704/ Hierarchical Roles]
  
=== US 4 - As a deployer, I want to have better default policies, distinguishing different admin scopes ===
+
=== US 5 - As a deployer, I want to have better default policies, distinguishing different admin scopes ===
  
'''Depends On:''' ''US 3 - As a user, I want to define role hierarchies, allowing one to only delegate a subset of her roles''
+
'''Depends On:''' ''US 4 - As a user, I want to define role hierarchies, allowing one to only delegate a subset of her roles''
 
<br />
 
<br />
  
Line 85: Line 86:
 
** Improve Default Policies
 
** Improve Default Policies
 
*** '''TODO: Create Spec'''
 
*** '''TODO: Create Spec'''
 +
** [https://review.openstack.org/#/c/134657/ Default Policy]
 +
** [https://review.openstack.org/#/c/134656/ unified policy file]

Revision as of 13:40, 16 June 2015

Dynamic Policies

Improving Access Control on OpenStack


Weekly Meeting

TBD


Background

OpenStack uses a Role-Based Access Control mechanism to manage authorization, which defines if a user is able to perform actions on resources based on the roles he has assigned on them. Resources include VMs, volumes, networks, etc and are organized into projects, which are owned by domains. Users have roles assigned on domains or projects.

Users get domain or project scoped tokens, which contains the roles the user has assigned on them, and pass this token along to services in requests to perform actions on resources. The services check the roles and the scope from the token against the rules defined for the requested action on the policy.json file to determine if the user has enough privileges.


Evolution

  • How to evolve the policies management mechanism, which currently uses an out-of-band mechanism to update the policy.json files ?
  • How to improve delegation mechanism, allowing users to only delegate a subset of their roles, which may be customized per domain ?
  • How to provide better default policies, fixing the bug in which an admin anywhere is admin everywhere ?

Roadmap

US 1 - As a cloud admin, I want to manage Policies via API

Depends On: None

Description Bla ...


US 2 - As a cloud admin, I want to have services using the Policies I have defined via API

Depends On: US 1 - As a cloud admin, I want to manage Policies via API

Description Bla ...

US 3 - As a domain admin, I want to define roles that are meaningful to my business

Depends On: None

Description Bla ...

US 4 - As a user, I want to define role hierarchies, allowing one to only delegate a subset of her roles

Depends On: None

Description Bla ...

US 5 - As a deployer, I want to have better default policies, distinguishing different admin scopes

Depends On: US 4 - As a user, I want to define role hierarchies, allowing one to only delegate a subset of her roles

Description Bla ...