
openstack team mailing list archive

Re: Question about Keystone RBAC


That will be provided by Identity API v3, currently in draft:
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md

The "when" is first dependent on:

1) Identity API v3 support in keystone
https://review.openstack.org/#/c/12106/
2) Identity API v3 support in keystoneclient
https://review.openstack.org/#/c/12806/
3) services need to consume the centralized policy info, probably through
common middleware
4) adding UI support in horizon

An open question: are you looking to modify policy per service or do you
need policy granularity per endpoint?

-Dolph


On Wed, Oct 3, 2012 at 7:29 PM, Shake Chen <shake.chen@xxxxxxxxx> wrote:

> Hi
>
> I also have question about RBAC.
>
> when can we set the roles' permissions in Horizon?
>
>
> On Thu, Oct 4, 2012 at 2:56 AM, Dolph Mathews <dolph.mathews@xxxxxxxxxxxxx> wrote:
>
>>  (replying on list)
>>
>>  RBAC policy enforcement is already implemented on consuming services and
>> default policies are provided by policy.json files (e.g.
>> https://github.com/openstack/nova/blob/master/etc/nova/policy.json ).
>>
>>  We haven't yet implemented a method for services to consume policy
>> blobs from Identity API v3, /v3/policies (which itself is still in
>> development), rather than loading policy.json files.
>>
>>  For an example of scoping RBAC per project, see the admin_or_owner rule
>> in nova's policy.json above.
>>
>>  As for the efficiency of policy storage, I'm not clear on what your
>> concerns are?
>>
>>  -Dolph
>>   ------------------------------
>> *From:* MS. Faraji [ms.faraji@xxxxxxxxxxx]
>> *Sent:* Wednesday, October 03, 2012 1:34 PM
>> *To:* Dolph Mathews
>> *Subject:* Question about Keystone RBAC
>>
>>   Hi,
>>
>> I sent an email to inquire about RBAC implementation in Keystone before,
>> and you generously shared your information. However, there are a couple of
>> questions that I have in mind.
>> I searched the Internet and documents; however, I did not find useful
>> information about them. I hope you can help me to find it out.
>>
>> 1) Consider the enforce API is implemented; which side should use it,
>> the service or Keystone itself? If Keystone uses this function, how does it
>> know about the action that a user wants to perform on a resource? If the
>> service calls it as an API, what is the endpoint? How do services use
>> authorization in Keystone?
>>
>> 2) Can roles and associated actions be defined in the scope of project or
>> domain? For example demo can do release in project 1 but not in project 2.
>>
>> 3) Is the plain storage of capabilities (no data structure) efficient,
>> in terms of required storage space and later lookups?
>>
>> Thanks in advance for your help and assistance,
>> I look forward to your response.
>>
>>
>> Moh,
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
>
> --
> Shake Chen
>
>
>
>
>
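Added illustration, not code from the thread or from nova/keystone: a deliberately small evaluator for the policy.json rule language that the consuming services use for the enforcement Dolph describes (`rule:` references, `role:` checks, and `key:value` checks with `%(name)s` substituted from the target). The policy document below is constructed to resemble nova's policy.json of that era, including the `admin_or_owner` rule he points to as the example of scoping per project; it is not copied from the repository. This reimplementation supports only `and`/`or` without parentheses or `not`, and treats an empty rule as "always allowed", which is how the real evaluator of the time behaved for empty strings; everything else about it is a simplification.

```python
"""Simplified policy.json-style rule evaluator (illustration only; not the
openstack.common.policy / oslo.policy implementation)."""
import json
import re

# Constructed sample modelled on nova's policy.json layout (not copied from nova).
SAMPLE_POLICY_JSON = """{
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "compute:create": "",
    "compute:delete": "rule:admin_or_owner",
    "compute_extension:hosts": "rule:context_is_admin"
}"""

MAX_DEPTH = 10  # guard against self-referential rules


def load_policy(text):
    """Parse a policy.json document into a {rule_name: rule_string} dict."""
    return json.loads(text)


def _check_atom(atom, rules, creds, target, depth):
    """Evaluate one 'kind:match' term against the caller's credentials."""
    kind, _, match = atom.partition(":")
    if kind == "rule":                       # reference to another named rule
        return _check_rule(match, rules, creds, target, depth)
    try:
        match = match % target               # e.g. %(project_id)s from the target
    except KeyError:
        return False                         # target lacks the attribute: deny
    if kind == "role":                       # role:X means X in the user's roles
        return match in creds.get("roles", [])
    value = creds.get(kind)                  # generic credential attribute check
    return value is not None and str(value) == match


def _check_rule(name, rules, creds, target, depth=0):
    """Evaluate a named rule; unknown names fall through to 'default'."""
    if depth > MAX_DEPTH:
        raise ValueError("rule recursion too deep: %s" % name)
    if name not in rules:
        name = "default"
    expr = rules[name].strip()
    if expr == "":
        return True                          # empty rule: always allowed
    if expr == "!":
        return False                         # '!' rule: never allowed
    # 'and' binds tighter than 'or'; no parentheses in this simplified grammar.
    for disjunct in re.split(r"\s+or\s+", expr):
        terms = re.split(r"\s+and\s+", disjunct)
        if all(_check_atom(t.strip(), rules, creds, target, depth + 1) for t in terms):
            return True
    return False


def enforce(rules, action, target, creds):
    """Return True if creds may perform action on target under rules."""
    return _check_rule(action, rules, creds, target)


if __name__ == "__main__":
    rules = load_policy(SAMPLE_POLICY_JSON)
    # Constructed credentials: a plain member of project "proj-a" and an admin.
    owner = {"is_admin": False, "roles": ["member"], "project_id": "proj-a"}
    admin = {"is_admin": True, "roles": ["admin"], "project_id": "proj-admin"}
    # Same user, same action: allowed on its own project, denied on another.
    print(enforce(rules, "compute:delete", {"project_id": "proj-a"}, owner))
    print(enforce(rules, "compute:delete", {"project_id": "proj-b"}, owner))
    print(enforce(rules, "compute:delete", {"project_id": "proj-b"}, admin))
```

The two `compute:delete` calls with the `owner` credentials are the per-project scoping Faraji asks about in question 2: the rule itself is global to the service, but `project_id:%(project_id)s` binds it to the project of the resource being acted on, so the same user is allowed on one project and denied on another.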
