yahoo-eng-team team mailing list archive

[Bug 1825336] [NEW] [RFE] Tag based policy

 

Public bug reported:

Although it's not directly related to Neutron, Neutron has used the
tagging concept widely, so I think it's a good place to start.
Also, I felt this feature allows rbac_policy functionality to be
achieved in a slightly more generic way.


What I want to achieve is tag-based policy. The scenario that I imagine is like this:


1. Admin attaches tags to several resources (Network / Service Provider ...).

2. Tags attached in the project are exposed in auth_token so that the
credential used by oslo.policy can take the tagging list.

3. Admin adds a specific rule in oslo.policy like this:

"get_network": "project_tags:%(tags)s"

4. Then users can access limited resources which only match their
tag.


I think the changes for the implementation belong to several components (oslo.context / oslo.policy / keystone / nova ...), though the LoC is not so much, since there are already many building blocks that can be used.

I already posted the keystone side for the feature that I said in (2):
https://bugs.launchpad.net/keystone/+bug/1807697

It seems that feedback from a service that directly uses this feature
can give a little more power to this RFE, so I would appreciate hearing
what Neutron folks think about it.

Thanks in advance.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1825336

Title:
  [RFE] Tag based policy

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1825336/+subscriptions
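
The four steps in the report, modelled in plain Python as an added example (not code from the report, oslo.policy, keystone or Neutron). The rule string and the `project_tags` / `tags` names come from the report; the match semantics (any shared tag allows, a missing or empty tag list denies) and all sample data are assumptions.

```python
# Added illustration: a stand-alone model, not oslo.policy or Neutron code.
import re

RULE_RE = re.compile(r"^(?P<kind>\w+):%\((?P<field>\w+)\)s$")


def parse_rule(rule):
    """Split 'project_tags:%(tags)s' into (credential key, target field)."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule: %r" % rule)
    return m.group("kind"), m.group("field")


def check_tags(rule, target, creds):
    """Allow only if the credential and the resource share at least one tag.

    Assumed semantics (the report does not define them): any overlap matches;
    a missing or empty tag list on either side denies.
    """
    kind, field = parse_rule(rule)
    cred_tags = creds.get(kind) or ()
    res_tags = target.get(field) or ()
    if isinstance(cred_tags, str) or isinstance(res_tags, str):
        return False  # a bare string is not a tag list; refuse to iterate it
    return bool(set(cred_tags) & set(res_tags))


def visible(rule, resources, creds):
    """Filter a resource listing down to what the rule allows."""
    return [r["name"] for r in resources if check_tags(rule, r, creds)]


# Constructed sample data (step 1: tagged resources, step 2: tags in creds).
POLICY = {"get_network": "project_tags:%(tags)s"}  # step 3: rule from the report
NETWORKS = [
    {"name": "net-blue", "tags": ["blue"]},
    {"name": "net-shared", "tags": ["blue", "green"]},
    {"name": "net-green", "tags": ["green"]},
    {"name": "net-untagged", "tags": []},
]
BLUE_USER = {"project_id": "p1", "project_tags": ["blue"]}
NO_TAG_USER = {"project_id": "p2"}  # token carries no project_tags

if __name__ == "__main__":
    # Step 4: each user sees only the resources matching their tags.
    print(visible(POLICY["get_network"], NETWORKS, BLUE_USER))
    print(visible(POLICY["get_network"], NETWORKS, NO_TAG_USER))
```

The string guard matters because `set("blue")` is a set of characters, so a tag list delivered as a bare string would otherwise match single-letter tags.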

