Trove Policy Support¶

Trove needs to provide users with more fine-grained control over which users/roles can access which APIs. The Oslo Policy library provides support for RBAC policy enforcement across all OpenStack services.

Launchpad Blueprint: https://blueprints.launchpad.net/trove/+spec/trove-policy

Problem Description¶

Trove currently does not have a unified way of role-based access control. It needs to provide users with more fine-grained control over which users/roles can access which APIs.

Proposed Change¶

Add Oslo policy check calls on all user-facing APIs. 1 Also see Appendix for the list of proposed rules.

The checks will be implemented by means of Oslo policy ‘enforce’ call at the beginning of each Trove API.

The call will be given extra information, parent ‘tenant_id’ (AKA the owner), on the target object (e.g. deleted instance in trove-delete API, updated configuration group in configuration-patch API). This will allow users to use this information within their rules.

Actions that do not have a particular target (e.g. trove-create, trove-list) will get the tenant itself as the target.

Actions that involve multiple rules will check all of them simultaneously. One good example of this is trove-create. If the policy does not allow creating users or applying modules the end user should not be allowed to create a new instance with initial users and modules applied either.

The Policy engine used will be >= 1.9.0 which supports new registered policy rules. While being fully backwards-compatible the registered rules allow for more robust development.

Configuration¶

None

Database¶

None

Public API¶

All API calls may rise ‘PolicyNotAuthorized’ (HTTP 403) if the request is not authorized by the policy framework. The default access rules will be set to mimic the current behavior (i.e. users can freely execute operations on their own tenant).

Public API Security¶

None

Python API¶

None

CLI (python-troveclient)¶

None

Internal API¶

None

Guest Agent¶

None

Alternatives¶

None

Dashboard Impact (UX)¶

None

Implementation¶

Assignee(s)¶

Petr Malik <pmalik@tesora.com>

Milestones¶

Ocata-1

Work Items¶

Work will be delivered in a single patch set.

Upgrade Implications¶

None

Dependencies¶

Python library ‘oslo.policy>=1.9.0’ will be required.

Testing¶

Unittests will be added to cover the policy framework. Scenario tests will be testing the default behavior (matching the existing behavior).

Documentation Impact¶

The exposed policy rules and policy.json file should be documented (see Appendix).

References¶

1: Information on the rule engine and policy.json file http://docs.openstack.org/mitaka/config-reference/policy-json-file.html

Appendix¶

Proposed contents of ‘policy.json’ (Note: datastore and flavor APIs are unrestricted by default):

{
    "admin_or_owner":  "role:admin or is_admin:True or tenant:%(tenant)s",
    "default": "rule: admin_or_owner",

    "instance:create": "rule:admin_or_owner",
    "instance:delete": "rule:admin_or_owner",
    "instance:index": "rule:admin_or_owner",
    "instance:show": "rule:admin_or_owner",
    "instance:update": "rule:admin_or_owner",
    "instance:edit": "rule:admin_or_owner",
    "instance:restart": "rule:admin_or_owner",
    "instance:resize_volume": "rule:admin_or_owner",
    "instance:resize_flavor": "rule:admin_or_owner",
    "instance:reset_password": "rule:admin_or_owner",
    "instance:promote_to_replica_source": "rule:admin_or_owner",
    "instance:eject_replica_source": "rule:admin_or_owner",
    "instance:configuration": "rule:admin_or_owner",
    "instance:guest_log_list": "rule:admin_or_owner",
    "instance:backups": "rule:admin_or_owner",
    "instance:module_list": "rule:admin_or_owner",
    "instance:module_apply": "rule:admin_or_owner",
    "instance:module_remove": "rule:admin_or_owner",

    "instance:extension:root:create": "rule:admin_or_owner",
    "instance:extension:root:delete": "rule:admin_or_owner",
    "instance:extension:root:index": "rule:admin_or_owner",

    "instance:extension:user:create": "rule:admin_or_owner",
    "instance:extension:user:delete": "rule:admin_or_owner",
    "instance:extension:user:index": "rule:admin_or_owner",
    "instance:extension:user:show": "rule:admin_or_owner",
    "instance:extension:user:update": "rule:admin_or_owner",
    "instance:extension:user:update_all": "rule:admin_or_owner",

    "instance:extension:user_access:update": "rule:admin_or_owner",
    "instance:extension:user_access:delete": "rule:admin_or_owner",
    "instance:extension:user_access:index": "rule:admin_or_owner",

    "instance:extension:database:create": "rule:admin_or_owner",
    "instance:extension:database:delete": "rule:admin_or_owner",
    "instance:extension:database:index": "rule:admin_or_owner",
    "instance:extension:database:show": "rule:admin_or_owner",

    "cluster:create": "rule:admin_or_owner",
    "cluster:delete": "rule:admin_or_owner",
    "cluster:index": "rule:admin_or_owner",
    "cluster:show": "rule:admin_or_owner",
    "cluster:show_instance": "rule:admin_or_owner",
    "cluster:action": "rule:admin_or_owner",

    "cluster:extension:root:create": "rule:admin_or_owner",
    "cluster:extension:root:delete": "rule:admin_or_owner",
    "cluster:extension:root:index": "rule:admin_or_owner",

    "backup:create": "rule:admin_or_owner",
    "backup:delete": "rule:admin_or_owner",
    "backup:index": "rule:admin_or_owner",
    "backup:show": "rule:admin_or_owner",

    "configuration:create": "rule:admin_or_owner",
    "configuration:delete": "rule:admin_or_owner",
    "configuration:index": "rule:admin_or_owner",
    "configuration:show": "rule:admin_or_owner",
    "configuration:instances": "rule:admin_or_owner",
    "configuration:update": "rule:admin_or_owner",
    "configuration:edit": "rule:admin_or_owner",

    "configuration-parameter:index": "rule:admin_or_owner",
    "configuration-parameter:show": "rule:admin_or_owner",
    "configuration-parameter:index_by_version": "rule:admin_or_owner",
    "configuration-parameter:show_by_version": "rule:admin_or_owner",

    "datastore:index": "",
    "datastore:show": "",
    "datastore:version_show": "",
    "datastore:version_show_by_uuid": "",
    "datastore:version_index": "",
    "datastore:list_associated_flavors": "",
    "datastore:list_associated_volume_types": "",

    "flavor:index": "",
    "flavor:show": "",

    "limits:index": "rule:admin_or_owner",

    "module:create": "rule:admin_or_owner",
    "module:delete": "rule:admin_or_owner",
    "module:index": "rule:admin_or_owner",
    "module:show": "rule:admin_or_owner",
    "module:instances": "rule:admin_or_owner",
    "module:update": "rule:admin_or_owner"
}

Trove Policy Support

Trove Policy Support¶

Problem Description¶

Proposed Change¶

Configuration¶

Database¶

Public API¶

Public API Security¶

Python API¶

CLI (python-troveclient)¶

Internal API¶

Guest Agent¶

Alternatives¶

Dashboard Impact (UX)¶

Implementation¶

Assignee(s)¶

Milestones¶

Work Items¶

Upgrade Implications¶

Dependencies¶

Testing¶

Documentation Impact¶

References¶

Appendix¶

trove-specs 0.0.1.dev180

Page Contents