
yahoo-eng-team team mailing list archive

[Bug 1602081] [NEW] Use oslo.context's policy dict


Public bug reported:

This is a cross project goal to standardize the values available to
policy writers and to improve the basic oslo.context object. It is part
of the follow up work to bug #1577996 and bug #968696.

There has been an ongoing problem for how we define the 'admin' role.
Because tokens are project scoped, having the 'admin' role on any project
granted you the 'admin' role on all of OpenStack. As a solution to this
keystone defined an is_admin_project field so that keystone defines a
single project that your token must be scoped to to perform admin
operations. This has been implemented.

The next phase of this is to make all the projects understand the
X-Is-Admin-Project header from keystonemiddleware and pass it to oslo_policy.
However, this pattern of keystone changing something and then going to
every project to fix it has been repeated a number of times now, and we
would like to make it much more automatic.

Ongoing work has enhanced the base oslo.context object to include both
the load_from_environ and to_policy_values methods. The
load_from_environ classmethod takes an environment dict with all the
standard auth_token and oslo middleware headers and loads them into
their standard place on the context object.

The to_policy_values() then creates a standard credentials dictionary
with all the information that should be required to enforce policy from
the context. The combination of these two methods means that, in future,
when authentication information needs to be passed to policy, it can be
handled entirely by oslo.context and does not require changes in each
individual service.

Note that in future a similar pattern will hopefully be employed to
simplify passing authentication information over RPC to solve the
timeout issues. This is a prerequisite for that work.

There are a few common problems in services that are required to make
this work:

1. Most service context.__init__ functions take and discard **kwargs.
This is so that, if context.from_dict receives arguments it doesn't know
how to handle (possibly because new things have been added to the base
to_dict), it ignores them. Unfortunately, to make the load_from_environ
method work, we need to pass parameters to __init__ that are handled by
the base class.

To make this work we simply have to do a better job of using from_dict.
Instead of passing everything to __init__ and ignoring what we don't
know, we have from_dict extract only the parameters that the context knows
how to use and call __init__ with those.

2. The parameters passed to the base context.__init__ are old. Typically
they are user and tenant, where most services expect user_id and
project_id. There is ongoing work to improve this in oslo.context, but
for now we have to ensure that the subclass correctly sets and uses the
right variable names.

3. Some services provide additional information to the policy
enforcement method. To continue to make this function, we will simply
override the to_policy_values method in the subclasses.

** Affects: cinder
     Importance: Undecided
     Assignee: Jamie Lennox (jamielennox)
         Status: In Progress

** Affects: glance
     Importance: Undecided
         Status: New

** Affects: heat
     Importance: Undecided
     Assignee: Jamie Lennox (jamielennox)
         Status: In Progress

** Affects: neutron
     Importance: Undecided
         Status: New

** Affects: nova
     Importance: Undecided
         Status: New

** Also affects: glance
   Importance: Undecided
       Status: New

** Also affects: nova
   Importance: Undecided
       Status: New

** Also affects: cinder
   Importance: Undecided
       Status: New

** Also affects: heat
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1602081

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1602081/+subscriptions
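The three service-side fixes the report lists (from_dict filtering instead of a **kwargs sink, mapping the base's user/tenant onto user_id/project_id, and extending rather than replacing to_policy_values), worked through as an added example. This is not code from the bug reporter's patches and not oslo.context itself: BaseContext below is a minimal stand-in modelled on the description (load_from_environ reading the keystonemiddleware headers X-User-Id, X-Project-Id, X-Roles and X-Is-Admin-Project out of a WSGI environ, to_policy_values building the credentials dict), and its attribute names, defaults and environ keys are assumptions. admin_required is a hypothetical policy rule that shows the security point of the is_admin_project work: the 'admin' role alone no longer grants admin, the token must also be scoped to the admin project. The sample environs are constructed.

```python
import inspect


class BaseContext(object):
    """Stand-in for the enhanced oslo.context base class described in the
    bug. Attribute names, defaults and environ keys are assumptions."""

    def __init__(self, user=None, tenant=None, roles=None,
                 is_admin_project=False, request_id=None):
        self.user = user                  # legacy base names (problem 2)
        self.tenant = tenant
        self.roles = list(roles or [])
        self.is_admin_project = is_admin_project
        self.request_id = request_id

    @classmethod
    def load_from_environ(cls, environ, **kwargs):
        """Pull the auth_token middleware headers out of a WSGI environ and
        hand them to __init__ under the base class's own names."""
        roles = environ.get('HTTP_X_ROLES', '')
        kwargs.setdefault('user', environ.get('HTTP_X_USER_ID'))
        kwargs.setdefault('tenant', environ.get('HTTP_X_PROJECT_ID'))
        kwargs.setdefault('roles', [r.strip() for r in roles.split(',')
                                    if r.strip()])
        # Fail closed: only an explicit "True" X-Is-Admin-Project header
        # marks the token as scoped to keystone's admin project. Check what
        # the real base class does when the header is absent.
        kwargs.setdefault('is_admin_project', environ.get(
            'HTTP_X_IS_ADMIN_PROJECT', '').strip().lower() == 'true')
        kwargs.setdefault('request_id', environ.get('openstack.request_id'))
        return cls(**kwargs)

    def to_dict(self):
        return {'user': self.user, 'tenant': self.tenant,
                'roles': self.roles, 'is_admin_project': self.is_admin_project,
                'request_id': self.request_id}

    def to_policy_values(self):
        """The standard credentials dict that would be handed to oslo.policy."""
        return {'user_id': self.user, 'project_id': self.tenant,
                'roles': self.roles, 'is_admin_project': self.is_admin_project}


class ServiceContext(BaseContext):
    """A service's context subclass applying the three fixes from the bug."""

    def __init__(self, user_id=None, project_id=None, roles=None,
                 is_admin_project=False, request_id=None,
                 service_catalog=None, user=None, tenant=None):
        # Problem 2: the base (and its load_from_environ) still says
        # user/tenant, so accept both spellings and expose the names the
        # service's own code uses. Problem 1: no **kwargs sink, so an
        # unknown key is a TypeError here; from_dict filters instead.
        super(ServiceContext, self).__init__(
            user=user_id if user_id is not None else user,
            tenant=project_id if project_id is not None else tenant,
            roles=roles, is_admin_project=is_admin_project,
            request_id=request_id)
        self.user_id = self.user
        self.project_id = self.tenant
        self.service_catalog = service_catalog or []   # hypothetical extra

    @classmethod
    def from_dict(cls, values):
        # Problem 1: keep only the keys __init__ accepts, so keys a newer
        # base to_dict adds are dropped rather than passed blindly through.
        accepted = set(inspect.signature(cls.__init__).parameters) - {'self'}
        return cls(**{k: v for k, v in values.items() if k in accepted})

    def to_policy_values(self):
        # Problem 3: extend, do not replace, the standard dict so the
        # is_admin_project value keystone provided still reaches policy.
        values = super(ServiceContext, self).to_policy_values()
        values['service_catalog'] = self.service_catalog
        return values


def admin_required(creds):
    """Hypothetical rule: 'admin' role AND scoped to the admin project."""
    return 'admin' in creds['roles'] and creds['is_admin_project'] is True


def is_admin_request(environ):
    """Load a context from a WSGI environ and evaluate admin_required."""
    ctx = ServiceContext.load_from_environ(environ)
    return admin_required(ctx.to_policy_values())


def roundtrip(ctx, extra):
    """Serialise, add keys the subclass has never heard of, and rebuild."""
    values = ctx.to_dict()
    values.update(extra)
    return ServiceContext.from_dict(values)


# Constructed sample environs, shaped as keystonemiddleware leaves them.
ADMIN_SCOPED_ENV = {'HTTP_X_USER_ID': 'u-1', 'HTTP_X_PROJECT_ID': 'admin-p',
                    'HTTP_X_ROLES': 'admin,member',
                    'HTTP_X_IS_ADMIN_PROJECT': 'True',
                    'openstack.request_id': 'req-1'}
OTHER_PROJECT_ENV = {'HTTP_X_USER_ID': 'u-1', 'HTTP_X_PROJECT_ID': 'p-2',
                     'HTTP_X_ROLES': 'admin',
                     'HTTP_X_IS_ADMIN_PROJECT': 'False'}
NO_HEADER_ENV = {'HTTP_X_USER_ID': 'u-1', 'HTTP_X_PROJECT_ID': 'p-3',
                'HTTP_X_ROLES': 'admin'}
```

is_admin_request(ADMIN_SCOPED_ENV) is the only one of the three that passes: the same user with the same 'admin' role on any other project, or with the header missing, is refused, which is exactly the single-project admin the is_admin_project field was introduced for. roundtrip shows the from_dict fix: a dict carrying an extra key the subclass does not know (the kind a newer base to_dict might add) rebuilds cleanly instead of either crashing or, with the old **kwargs pattern, silently dropping base parameters the subclass needed.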