Difference between revisions of "PolicyDatabase"
m (→Database Schema) |
(→Database Schema) |
||
| Line 17: | Line 17: | ||
[[File:openstack-policydb.png||framed|center|Policy Database Schema]] | [[File:openstack-policydb.png||framed|center|Policy Database Schema]] | ||
| + | |||
| + | The purpose of all the tables are described below: | ||
| + | |||
| + | ==== Condition ==== | ||
| + | A condition represents the basic element of a policy. | ||
| + | The policy engine will verify if the content of the "attribute" field matches with the "value" one. | ||
| + | Attributes can be of different Attribute Types, for instance: | ||
| + | |||
| + | # Action | ||
| + | Policies in Openstack are assigned to Actions. | ||
| + | Actions are represented in the policy.json file by "service:action" entries. | ||
| + | They serve as triggers for the Policy Engines to know which rule will be verified. | ||
| + | In this database model, they are stored as conditions. | ||
| + | |||
| + | # Role | ||
| + | |||
| + | ==== Policy ==== | ||
| + | Represents the Openstack Policy. | ||
| + | We can say that all policies in Openstack are combined using the OR logical operator. | ||
| + | For instance, we can see entries in a policy.json files as follows: | ||
| + | (action: "identity:get_user" AND rule: "admin_required) OR (action: " | ||
Revision as of 14:45, 25 February 2015
Contents
Policy Relational Database Schema for Openstack
Overview
This document describes a relational database schema that stores security policies for Openstack. This schema reflects the current policy engine rules, stored in policy.json files.
Supported Operations
Policies stored in the database will support CRUD operations on policies, and also complex SQL queries, for instance, to find out which are the necessary conditions to perform a given action.
Besides these, two operations will also be supported:
- Import policy.json file into the database: In this operation, policies conflicts will be eliminated. Duplicate rules will also be removed.
- Export policies from database to new policy.json files. These new files will reflect the managed set of rules.
Database Schema
The following figure presents the database schema to store security policies in Openstack.
The purpose of all the tables are described below:
Condition
A condition represents the basic element of a policy. The policy engine will verify if the content of the "attribute" field matches with the "value" one. Attributes can be of different Attribute Types, for instance:
- Action
Policies in Openstack are assigned to Actions. Actions are represented in the policy.json file by "service:action" entries. They serve as triggers for the Policy Engines to know which rule will be verified. In this database model, they are stored as conditions.
- Role
Policy
Represents the Openstack Policy. We can say that all policies in Openstack are combined using the OR logical operator. For instance, we can see entries in a policy.json files as follows: (action: "identity:get_user" AND rule: "admin_required) OR (action: "
