授权策略支持

https://blueprints.launchpad.net/sahara/+spec/auth-policy

Openstack 组件应该检查用户执行操作的权限。通常这些检查是基于角色的。请参阅 https://docs.openstack.org/developer/keystone/architecture.html#approach-to-authorization-policy。Sahara 也需要支持策略。

问题描述

OpenStack 管理员可能希望调整 Sahara 的授权策略。应该有一种方法来限制某些用户执行某些 Sahara 操作。

提议的变更

为所有 Sahara API 端点添加身份验证检查。这可以像其他 Openstack 组件一样完成。Oslo 库中有一个“policy”模块，可以完成所有底层工作。

策略文件的建议内容

{
    "context_is_admin": "role:admin",
    "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",

    "clusters:get_all": "",
    "clusters:create": "",
    "clusters:scale": "",
    "clusters:get": "",
    "clusters:delete": "",

    "cluster-templates:get_all": "",
    "cluster-templates:create": "",
    "cluster-templates:get": "",
    "cluster-templates:modify": "",
    "cluster-templates:delete": "",

    "node-group-templates:get_all": "",
    "node-group-templates:create": "",
    "node-group-templates:get": "",
    "node-group-templates:modify": "",
    "node-group-templates:delete": "",

    "plugins:get_all": "",
    "plugins:get": "",
    "plugins:get_version": "",
    "plugins:convert_config": "",

    "images:get_all": "",
    "images:get": "",
    "images:register": "",
    "images:unregister": "",
    "images:add_tags": "",
    "images:remove_tags": "",

    "job-executions:get_all": "",
    "job-executions:get": "",
    "job-executions:refresh_status": "",
    "job-executions:cancel": "",
    "job-executions:delete": "",

    "data-sources:get_all": "",
    "data-sources:get": "",
    "data-sources:register": "",
    "data-sources:delete": "",

    "jobs:get_all": "",
    "jobs:create": "",
    "jobs:get": "",
    "jobs:delete": "",
    "jobs:get_config_hints": "",
    "jobs:execute": "",

    "job-binaries:get_all": "",
    "job-binaries:create": "",
    "job-binaries:get": "",
    "job-binaries:delete": "",
    "job-binaries:get_data": "",

    "job-binary-internals:get_all": "",
    "job-binary-internals:create": "",
    "job-binary-internals:get": "",
    "job-binary-internals:delete": "",
    "job-binary-internals:get_data": ""
}

将 Sahara 用户和操作员分离可能是下一步。

替代方案

无。

数据模型影响

无。

REST API 影响

无。

其他最终用户影响

无。

部署者影响

无。

开发者影响

添加新的 API 将需要更改策略规则。

Sahara-image-elements impact

无。

Sahara-dashboard / Horizon 影响

无。

实现

负责人

主要负责人

alazarev (Andrew Lazarev)

工作项

• 从 oslo 添加 policy.py

• 添加配置选项以控制策略文件和设置

• 为所有 API 调用添加策略检查

• 添加单元测试

• 添加文档

依赖项

• Oslo 中的策略模块。

测试

• 单元测试

• 手动测试

文档影响

• 需要记录该功能

参考资料

• https://docs.openstack.org/developer/keystone/architecture.html#approach-to-authorization-policy

• https://docs.openstack.org/developer/keystone/api/keystone.openstack.common.policy.html

• https://docs.openstack.org/developer/keystone/configuration.html#keystone-api-protection-with-role-based-access-control-rbac