Jump to: navigation, search

DynamicPolicies

Revision as of 01:38, 19 June 2015 by Ayoung (talk | contribs) (Workflows - Liberty Scope)

Dynamic Policies

Improving Access Control on OpenStack


Weekly Meeting

TBD


Background

OpenStack uses a Role-Based Access Control mechanism to manage authorization, which defines if a user is able to perform actions on resources based on the roles he has assigned on them. Resources include VMs, volumes, networks, etc and are organized into projects, which are owned by domains. Users have roles assigned on domains or projects.

Users get domain or project scoped tokens, which contains the roles the user has assigned on them, and pass this token along to services in requests to perform actions on resources. The services check the roles and the scope from the token against the rules defined for the requested action on the policy.json file to determine if the user has enough privileges.


Evolution

  • How to evolve the policies management mechanism, which currently uses an out-of-band mechanism to update the policy.json files ?
  • How to improve delegation mechanism, allowing users to only delegate a subset of their roles, which may be customized per domain ?
  • How to provide better default policies, fixing the bug in which an admin anywhere is admin everywhere ?

Roadmap

Story 1 - As a cloud admin, I want to manage Policies via API

Depends On: None

As a cloud admin, I want to be able to create a policy and to bind it to endpoints based on their URL, which is known a priori by my CMS. Besides being able to patch, delete and show an entire policy, I want to manage rules individually.

Story 2 - As a cloud admin, I want to have services using the Policies I have defined via API

Depends On: Story 1 - As a cloud admin, I want to manage Policies via API

As a cloud admin, I want my service endpoints to be using the policies I have defined and associated to them, if any. Middleware should download the latest policy from the policy management server and cache it, based on the endpoint_url in its config file. My CMS, which knows that URL a priori will be placing this value in the middleware config.

Story 3 - As a domain admin, I want to define roles that are meaningful to my business

Depends On: None

As a domain admin, who represents, for example, a customer, I want to define a set of roles that are meaningful to them. As global roles, those can be used on assignments.

Story 4 - As an admin, I want to define role hierarchies, allowing one to only delegate a subset of her roles

Depends On: None

As an admin who can define roles, I want to be able to create them hierarchically, which means that having a role that inherit from another implies on having authorization inherited.

Story 5 - As a deployer, I want to have better default policies, distinguishing different admin scopes

Depends On: Story 4 - As a user, I want to define role hierarchies, allowing one to only delegate a subset of her roles

As a deployer, I want to have default policies defined in terms of different roles for cloud, domain and project admins. Solving the long standing but where an admin anywhere is admin everywhere. In addition, common rules should be consistent across services.

Story 6 - As a dev, I want to split policy enforcement between Middleware and the services

Depends On: Story 2 - As a cloud admin, I want to have services using the Policies I have defined via API

The enforcement of roles could be placed at Middleware, while the other constraints contained in a policy rule are enforced by the service.


Workflows - Liberty Scope

Workflow 1 - Initial Install Policy

This workflow is represented in the sequence diagram below, defining how the the install of Nova by the admin will lead to the upload of the policy files.

Dynamic Policies install sequence

Workflow 2 - Customizing Policy

This workflow is represented by the steps 4 - 5 in the sequence diagram below, defining how the policies will be customized by the admin.

Customizing Policy sequence


Workflow 3 - Updating an Existing Install

This workflow is represented by the steps 12- 13 in the sequence diagram below, defining how the Default policy for a given endpoint will be update in the server, reflecting changes in the APIs signatures. For example, when new APIs are added.


Workflow 4 - User Requests an URL

This workflow is represented by the steps 6 - 11 and 14 - 19 in the sequence diagram below, defining how the workflows above will be tied together, delivering a dynamic solution for policy customization and delivery.

Enforcing Policy sequence


Sequence Diagram