
Difference between revisions of "MagnetoDB/specs/rbac"

(→References)

Line 54, old revision:

  ==== Documentation Impact ====

  Policy section should be added here http://magnetodb.readthedocs.org/
  ==== References ===

  None

Line 54, new revision (heading markup corrected, blank line added):

  ==== Documentation Impact ====

  Policy section should be added here http://magnetodb.readthedocs.org/

  ==== References ====

  None

Revision as of 06:40, 10 October 2014

MagnetoDB RBAC

Launchpad: RBAC

Role-based access control of the MagnetoDB APIs.

Problem description

Currently there is no way to control access to the APIs. The only check MagnetoDB performs today is whether the project in the user's Keystone token is the same as the project named in the URL. In short, to create a table in a project the user only needs a Keystone token scoped to that project; roles play no part.

Proposed change

  1. Implement role-based access control for all APIs, as other OpenStack projects do. A file called policy.json would reside in the config directory, where the MagnetoDB administrator specifies the rules that control access to each API.
  2. For example, a rule such as "mdb:create_table": "role:admin" would allow any user with the admin role to create a table in any project.
  3. The rule above can be made stricter: "mdb:create_table": "role:admin and project_id:%(project_id)s". This allows a user with the admin role to create tables only in their own project, because %(project_id)s is substituted with the project from the URL and compared against the project in the caller's token.
  4. Other rules can be defined in the same way, as administrative requirements dictate.

Alternatives

Continue with the current relaxed approach.

Security impact

With this change MagnetoDB would be more secure, and administrators would be able to grant users fine-grained access.

Notifications Impact

None

Other End User Impact

None

Performance Impact

Each time an API call is made to MagnetoDB, the corresponding rule will be checked. Because policy.json is loaded once and cached in memory, the per-call overhead is a rule lookup and evaluation, so there would be little performance impact.

Other Deployer Impact

Existing deployers of MagnetoDB can edit policy.json to reproduce their previous authorization model.

Developer Impact

None

Implementation

Some modification is needed in the way the request context is built: additional fields (such as the caller's roles) have to be added to the context. Code for rule checking can be reused from other OpenStack projects. Appropriate rule checks have to be placed in all API calls.
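To make the proposed change and implementation notes concrete, here is an added example (not MagnetoDB code, and not the oslo policy engine it would actually reuse) of a minimal policy.json enforcer: it loads the rules once, builds a context from the caller's token, and places a check in front of an API handler. The sample policy, the token layout, the rule names other than mdb:create_table, and the create_table handler are constructed assumptions.

```python
"""Added example (not MagnetoDB code): a minimal policy.json enforcer.

It evaluates rules of the form used in the spec, e.g.
  "mdb:create_table": "role:admin"
  "mdb:create_table": "role:admin and project_id:%(project_id)s"
against a request context built from the caller's Keystone token
(roles + scoped project) and a target (the project named in the URL).
The sample policy, token layout and handler below are assumptions.
"""
import functools
import json

# Constructed sample policy.json content (not from the project).
SAMPLE_POLICY_JSON = json.dumps({
    "mdb:create_table": "role:admin and project_id:%(project_id)s",
    "mdb:describe_table": "role:admin or project_id:%(project_id)s",
    "mdb:delete_table": "role:admin",
})


class PolicyNotAuthorized(Exception):
    """Raised when the rule for an action denies the caller."""


class Enforcer:
    """Loads policy.json once and checks one rule per API call."""

    def __init__(self, policy_text):
        # Parsed once and kept in memory; the per-call cost is a few
        # string comparisons, which is the performance argument in the spec.
        self.rules = json.loads(policy_text)

    @staticmethod
    def _check_atom(atom, context, target):
        """Evaluate one 'kind:value' atom against context and target."""
        kind, _, value = atom.partition(":")
        if kind == "role":
            return value in context["roles"]
        # Substitute %(field)s from the target (the URL), then compare
        # against the same-named field of the context (the token).
        if "%(" in value:
            value = value % target
        return str(context.get(kind)) == value

    def _check_expr(self, expr, context, target):
        # Tiny grammar: 'or' binds loosest, then 'and', then atoms.
        # Enough for the rules in this spec; no parentheses or 'not'.
        if " or " in expr:
            return any(self._check_expr(p, context, target)
                       for p in expr.split(" or "))
        if " and " in expr:
            return all(self._check_expr(p, context, target)
                       for p in expr.split(" and "))
        expr = expr.strip()
        if expr == "":
            return True  # an empty rule allows everyone
        return self._check_atom(expr, context, target)

    def enforce(self, action, context, target):
        """Return True if allowed; raise PolicyNotAuthorized otherwise."""
        rule = self.rules.get(action)
        # Fail closed: an action with no rule is denied.
        if rule is None or not self._check_expr(rule, context, target):
            raise PolicyNotAuthorized(action)
        return True


ENFORCER = Enforcer(SAMPLE_POLICY_JSON)


def build_context(token):
    """Assumed token shape: {'user_id': .., 'project_id': .., 'roles': [..]}."""
    return {"user_id": token["user_id"],
            "project_id": token["project_id"],
            "roles": list(token.get("roles", []))}


def enforce_policy(action):
    """Decorator that places the rule check in front of an API handler."""
    def wrap(func):
        @functools.wraps(func)
        def inner(context, project_id, *args, **kwargs):
            ENFORCER.enforce(action, context, {"project_id": project_id})
            return func(context, project_id, *args, **kwargs)
        return inner
    return wrap


@enforce_policy("mdb:create_table")
def create_table(context, project_id, table_name):
    """Hypothetical handler; returns what it would have created."""
    return (project_id, table_name)


def try_create(token, url_project_id, table_name="t1"):
    """True if policy allows the call, False if it is denied."""
    try:
        create_table(build_context(token), url_project_id, table_name)
        return True
    except PolicyNotAuthorized:
        return False
```

With the stricter rule in the sample policy, an admin creating a table in the project of their own token is allowed, the same admin naming a different project in the URL is denied, and a non-admin is denied regardless; swapping the rule for plain "role:admin" restores the admin-anywhere behaviour the spec describes. Unknown actions fail closed rather than falling through to the old project-only check.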

Assignee(s)

Primary assignee:

 <ajayaa>

Other contributors:

 <None>


Work Items
  1. Define rules to enforce.
  2. List out apis to enforce rules.
  3. Enforce policy on each api call.
  4. Mock policy in existing unit-tests to make them pass.
  5. Write unit-tests for policy.

Dependencies

None.

Documentation Impact

Policy section should be added here http://magnetodb.readthedocs.org/

References

None