From 228e37954b37befe13d8180d1a1656c94c6a6308 Mon Sep 17 00:00:00 2001 From: Samuel de Medeiros Queiroz Date: Mon, 29 Jun 2015 09:15:29 -0300 Subject: [PATCH] policy: Dynamic Policies Overlay Adds to ``oslo.policy`` the capability to overlay rules in policy file with custom rules received as a regular Python dict. This feature will be used by Keystone Middleware in the context of ``Dynamic Policies``, which will fetch the custom policy rules from Keystone server and ask ``oslo.policy`` to do the overlay processing, i.e write them to the policy file. Partially-Implements: bp dynamic-policies-delivery Change-Id: I0b960f999a9e52880450a5c18f7f88119be41566 --- specs/liberty/dynamic-policies-overlay.rst | 151 +++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 specs/liberty/dynamic-policies-overlay.rst diff --git a/specs/liberty/dynamic-policies-overlay.rst b/specs/liberty/dynamic-policies-overlay.rst new file mode 100644 index 0000000..bb174e7 --- /dev/null +++ b/specs/liberty/dynamic-policies-overlay.rst @@ -0,0 +1,151 @@ +.. + +========================== + Dynamic Policies Overlay +========================== + +https://blueprints.launchpad.net/oslo?searchtext=dynamic-policies-overlay + +`Dynamic Policies `_ aims to +improve access control in OpenStack by improving the mechanisms in which +policies are defined and delivered to service endpoints. + +One step of dynamic delivery of policies is to overlay the existing service +endpoint's local policy file with the custom rules defined in +``Keystone server``. This overlay task is delegated to ``oslo.policy``. + +Problem description +=================== + +Alice the Cloud Deployer +------------------------ + +Alice is the kind of person who loves new features and eagerly awaits for new +OpenStack features like ``Dynamic Policies`` to enable them in her cloud. + +With that feature, she expects to be able to define her custom policy rules in +``Keystone server`` and have those applied to service endpoints transparently. + +Behind the scenes, ``Keystone Middleware`` will fetch the ``Dynamic Policy``, +which contains the custom policy rules, for the service it is serving and ask +``oslo.policy`` to overlay the ``Stock Policy``, which is the existing local +policy file. + +Proposed change +=============== + +Based on the ``Dynamic Policy`` and on the existing ``policy_file`` and +``policy_dirs`` options, add to ``oslo.policy`` the capability to overlay +rules in the ``Stock Policy``. + +When there is a rule clashing, the rule from ``Dynamic Policy`` always +overrides the rule in ``Stock Policy``. It means that any customization made +directly in the ``Stock Policy`` will be lost if there is an entry for it in +the ``Dynamic Policy``. + +Alternatives +------------ + +Make ``Keystone Middleware`` itself do the overlay logic, however it seems to +not be a task for it at all, since ``oslo.policy`` is the one which does handle +policy files and owns the config options defining where such file is placed. + +Impact on Existing APIs +----------------------- + +None + +Security impact +--------------- + +This change touches policy rules, which are sensitive data since they define +access control to service APIs in OpenStack. + +Performance Impact +------------------ + +None + +Configuration Impact +-------------------- + +None + +Developer Impact +---------------- + +None + +Testing Impact +-------------- + +None + +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + Samuel de Medeiros Queiroz - samueldmq + +Other contributors: + Adam Young - ayoung + Morgan Fainberg - mdrnstm + +Milestones +---------- + +Target Milestone for completion: Liberty-2 + +Work Items +---------- + +* Create a new function that receives as input the ``Dynamic Policy`` as a + Python dict and write them to the ``Stock Policy``, i.e the existing local + policy file, using override strategy when a clashing occurs. + +Incubation +========== + +Adoption +-------- + +Any service using the ``Dynamic Policies`` mechanism for access controll will +be using the proposed change through ``Keystone Middleware``, which means that +adoption is transparent to services. + +Library +------- + +The proposed change will affect the ``oslo.policy`` library. + +Anticipated API Stabilization +----------------------------- + +None + +Documentation Impact +==================== + +None besides the regular Python code level documentation. + +Dependencies +============ + +A list of related specs defining the dynamic delivery of policies can be found +under the topic `dynamic-policies-delivery `_. + +References +========== + +None + + +.. note:: + + This work is licensed under a Creative Commons Attribution 3.0 + Unported License. + http://creativecommons.org/licenses/by/3.0/legalcode +