Trove Policy Support

Trove needs to give operators finer-grained control over which users/roles may call which APIs. The Oslo Policy library provides RBAC policy enforcement for all OpenStack services.

Launchpad blueprint: https://blueprints.launchpad.net/trove/+spec/trove-policy

Problem description

Trove currently has no unified role-based access control. It needs to give operators finer-grained control over which users/roles may call which APIs.

Proposed change

Add Oslo policy check calls to all user-facing APIs [1]. See also the Appendix for the proposed list of rules.

The checks will be implemented with the Oslo policy 'enforce' call at the start of each Trove API.

The call will be given additional information: the parent 'tenant_id' (a.k.a. owner) of the target object (e.g. the instance being deleted in the trove-delete API, or the configuration group being updated in the configuration-patch API). This lets operators refer to that information in their rules.

Actions with no specific target (e.g. trove-create, trove-list) will be given the caller's tenant itself as the target.

Actions that involve several rules will check all of them. A good example is trove-create: if the policy does not allow the end user to create users or apply modules, the user must also not be allowed to create a new instance with initial users and modules.
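The enforcement pattern described above (one check at the top of each API, the target object's owning tenant passed in as the target, the caller's tenant as the target for untargeted actions, and several rules checked for one compound action), as an added example that is not Trove's or oslo.policy's own code. A small evaluator stands in for oslo.policy's Enforcer so the block runs offline; it accepts only the rule subset the appendix uses ("rule:", "role:", "is_admin:", "<attr>:%(key)s", "and"/"or", and "" for allow-all). The helper names authorize_on_tenant/authorize_on_target, the INSTANCES table, the request shape and the deliberately stricter instance:extension:user:create rule are assumptions made for the illustration.

```python
"""Per-API policy enforcement with a tenant-scoped target (added example)."""
import json

# Constructed policy file: a few appendix rules, plus one stricter rule so the
# compound-action check on instance create is visible.
POLICY_JSON = """
{
    "admin_or_owner": "role:admin or is_admin:True or tenant:%(tenant)s",
    "default": "rule:admin_or_owner",
    "instance:create": "rule:admin_or_owner",
    "instance:delete": "rule:admin_or_owner",
    "instance:extension:user:create": "role:admin",
    "instance:module_apply": "rule:admin_or_owner",
    "flavor:index": ""
}
"""


class PolicyNotAuthorized(Exception):
    """Surfaces as HTTP 403 in the public API."""
    http_status = 403


def _atom(check, rules, creds, target):
    """Evaluate one 'kind:match' check against credentials and target."""
    kind, match = check.split(":", 1)
    if kind == "rule":
        return _evaluate(rules[match], rules, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    if kind == "is_admin":
        return str(creds.get("is_admin", False)) == match
    # Generic check: substitute target attributes into the match string and
    # compare with the same-named credential, e.g. tenant:%(tenant)s.
    return creds.get(kind) == match % target


def _evaluate(text, rules, creds, target):
    """'or' binds loosest, 'and' tighter; the empty rule allows everyone."""
    if text.strip() == "":
        return True
    return any(
        all(_atom(c.strip(), rules, creds, target) for c in clause.split(" and "))
        for clause in text.split(" or ")
    )


class Enforcer:
    """Minimal stand-in for oslo_policy.policy.Enforcer.enforce()."""

    def __init__(self, policy_json):
        self.rules = json.loads(policy_json)

    def enforce(self, rule, target, creds):
        text = self.rules.get(rule, self.rules["default"])
        if not _evaluate(text, self.rules, creds, target):
            raise PolicyNotAuthorized(rule)
        return True


ENFORCER = Enforcer(POLICY_JSON)


def authorize_on_tenant(context, rule):
    """No specific target: the caller's own tenant is the target."""
    return ENFORCER.enforce(rule, {"tenant": context["tenant"]}, context)


def authorize_on_target(context, rule, obj):
    """Target-specific action: the target's owning tenant is the target."""
    return ENFORCER.enforce(rule, {"tenant": obj["tenant_id"]}, context)


# Constructed instance table keyed by id; the owner is tenant-a.
INSTANCES = {"inst-1": {"tenant_id": "tenant-a"}}


def instance_delete(context, instance_id):
    authorize_on_target(context, "instance:delete", INSTANCES[instance_id])
    return "deleted"


def instance_create(context, body):
    """Compound action: every rule the request implies must pass."""
    authorize_on_tenant(context, "instance:create")
    if body.get("users"):
        authorize_on_tenant(context, "instance:extension:user:create")
    if body.get("modules"):
        authorize_on_tenant(context, "instance:module_apply")
    return "created"


def allowed(fn, *args):
    """Return True/False instead of raising, for quick checks."""
    try:
        fn(*args)
        return True
    except PolicyNotAuthorized:
        return False


if __name__ == "__main__":
    owner = {"tenant": "tenant-a", "roles": ["member"]}
    other = {"tenant": "tenant-b", "roles": ["member"]}
    admin = {"tenant": "tenant-z", "roles": ["admin"]}
    print(allowed(instance_delete, owner, "inst-1"))                   # True
    print(allowed(instance_delete, other, "inst-1"))                   # False
    print(allowed(instance_delete, admin, "inst-1"))                   # True
    print(allowed(instance_create, owner, {"users": [{"name": "u"}]}))  # False
```

The important design point is that the target dict is built from the object's stored tenant_id, not from anything the caller sent: a user in tenant-b who guesses the id of tenant-a's instance still fails "tenant:%(tenant)s", while an admin role passes through the first clause of admin_or_owner.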

The policy engine used will be oslo.policy >= 1.9.0, which supports the new registered policy rules (defaults declared in code rather than only in policy.json). While fully backward compatible, registered rules allow more robust development.

Configuration

Database

Public API

Any API call may raise 'PolicyNotAuthorized' (HTTP 403) if the request is not authorized by the policy framework. The default access rules will be set to mimic the current behaviour (i.e. users are free to perform operations within their own tenant).

Public API Security

Python API

CLI (python-troveclient)

Internal API

Guest Agent

Alternatives

Dashboard Impact (UX)

Implementation

Assignee(s)

Petr Malik <pmalik@tesora.com>

Milestones

Ocata-1

Work Items

The work will be delivered as a single patch set.

Upgrade Impact

Dependencies

The Python library 'oslo.policy>=1.9.0' will be required.

Testing

Unit tests will be added to cover the policy framework. Scenario tests will exercise the default behaviour (which must match the existing behaviour).

Documentation Impact

The exposed policy rules and the policy.json file should be documented (see the Appendix).

References

[1] Information on the rule engine and the policy.json file: https://docs.openstack.org/mitaka/config-reference/policy-json-file.html

Appendix

Proposed contents of 'policy.json' (note: by default the datastore and flavor APIs are unrestricted; an empty rule string matches every caller, so these are readable by any authenticated user)

{
    "admin_or_owner":  "role:admin or is_admin:True or tenant:%(tenant)s",
    "default": "rule:admin_or_owner",

    "instance:create": "rule:admin_or_owner",
    "instance:delete": "rule:admin_or_owner",
    "instance:index": "rule:admin_or_owner",
    "instance:show": "rule:admin_or_owner",
    "instance:update": "rule:admin_or_owner",
    "instance:edit": "rule:admin_or_owner",
    "instance:restart": "rule:admin_or_owner",
    "instance:resize_volume": "rule:admin_or_owner",
    "instance:resize_flavor": "rule:admin_or_owner",
    "instance:reset_password": "rule:admin_or_owner",
    "instance:promote_to_replica_source": "rule:admin_or_owner",
    "instance:eject_replica_source": "rule:admin_or_owner",
    "instance:configuration": "rule:admin_or_owner",
    "instance:guest_log_list": "rule:admin_or_owner",
    "instance:backups": "rule:admin_or_owner",
    "instance:module_list": "rule:admin_or_owner",
    "instance:module_apply": "rule:admin_or_owner",
    "instance:module_remove": "rule:admin_or_owner",

    "instance:extension:root:create": "rule:admin_or_owner",
    "instance:extension:root:delete": "rule:admin_or_owner",
    "instance:extension:root:index": "rule:admin_or_owner",

    "instance:extension:user:create": "rule:admin_or_owner",
    "instance:extension:user:delete": "rule:admin_or_owner",
    "instance:extension:user:index": "rule:admin_or_owner",
    "instance:extension:user:show": "rule:admin_or_owner",
    "instance:extension:user:update": "rule:admin_or_owner",
    "instance:extension:user:update_all": "rule:admin_or_owner",

    "instance:extension:user_access:update": "rule:admin_or_owner",
    "instance:extension:user_access:delete": "rule:admin_or_owner",
    "instance:extension:user_access:index": "rule:admin_or_owner",

    "instance:extension:database:create": "rule:admin_or_owner",
    "instance:extension:database:delete": "rule:admin_or_owner",
    "instance:extension:database:index": "rule:admin_or_owner",
    "instance:extension:database:show": "rule:admin_or_owner",

    "cluster:create": "rule:admin_or_owner",
    "cluster:delete": "rule:admin_or_owner",
    "cluster:index": "rule:admin_or_owner",
    "cluster:show": "rule:admin_or_owner",
    "cluster:show_instance": "rule:admin_or_owner",
    "cluster:action": "rule:admin_or_owner",

    "cluster:extension:root:create": "rule:admin_or_owner",
    "cluster:extension:root:delete": "rule:admin_or_owner",
    "cluster:extension:root:index": "rule:admin_or_owner",

    "backup:create": "rule:admin_or_owner",
    "backup:delete": "rule:admin_or_owner",
    "backup:index": "rule:admin_or_owner",
    "backup:show": "rule:admin_or_owner",

    "configuration:create": "rule:admin_or_owner",
    "configuration:delete": "rule:admin_or_owner",
    "configuration:index": "rule:admin_or_owner",
    "configuration:show": "rule:admin_or_owner",
    "configuration:instances": "rule:admin_or_owner",
    "configuration:update": "rule:admin_or_owner",
    "configuration:edit": "rule:admin_or_owner",

    "configuration-parameter:index": "rule:admin_or_owner",
    "configuration-parameter:show": "rule:admin_or_owner",
    "configuration-parameter:index_by_version": "rule:admin_or_owner",
    "configuration-parameter:show_by_version": "rule:admin_or_owner",

    "datastore:index": "",
    "datastore:show": "",
    "datastore:version_show": "",
    "datastore:version_show_by_uuid": "",
    "datastore:version_index": "",
    "datastore:list_associated_flavors": "",
    "datastore:list_associated_volume_types": "",

    "flavor:index": "",
    "flavor:show": "",

    "limits:index": "rule:admin_or_owner",

    "module:create": "rule:admin_or_owner",
    "module:delete": "rule:admin_or_owner",
    "module:index": "rule:admin_or_owner",
    "module:show": "rule:admin_or_owner",
    "module:instances": "rule:admin_or_owner",
    "module:update": "rule:admin_or_owner"
}
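A lint pass an operator can run over a policy.json of the shape shown above, as an added example that is not part of the spec or of Trove. It reports three things worth knowing before deploying the file: "rule:" references to rules that are not defined, whitespace inside a check such as "rule: x" (oslo.policy splits rule text on whitespace before parsing each "kind:match" token, so such a rule parses as a failing check and silently denies), and rules whose body is empty, i.e. open to any caller. The SAMPLE_POLICY below is constructed from a few appendix entries plus two deliberate defects; the linter understands only the flat "or"/"and" rule syntax the appendix uses, not parenthesised or negated expressions.

```python
"""Static checks over a policy.json file (added example)."""
import json
import re

# Constructed input: appendix rules plus a space after 'rule:' in "default"
# and a reference to a rule that is never defined in "backup:delete".
SAMPLE_POLICY = """
{
    "admin_or_owner": "role:admin or is_admin:True or tenant:%(tenant)s",
    "default": "rule: admin_or_owner",
    "instance:create": "rule:admin_or_owner",
    "backup:delete": "rule:admin_only",
    "datastore:index": "",
    "flavor:index": ""
}
"""

# Tokens that are operators in oslo.policy's rule language, not checks.
OPERATORS = {"and", "or", "not", "(", ")"}


def lint_policy(text):
    """Return a sorted list of (rule_name, problem, detail) tuples."""
    rules = json.loads(text)
    findings = []
    for name, body in rules.items():
        if body.strip() == "":
            # Empty rule: allow-all. Not an error, but should be deliberate.
            findings.append((name, "unrestricted", ""))
            continue
        # A space after ':' splits 'rule: x' into 'rule:' and 'x', neither of
        # which resolves, so the whole rule evaluates to deny.
        if re.search(r":\s", body):
            findings.append((name, "whitespace after ':'", body))
            continue
        for tok in body.split():
            if tok in OPERATORS:
                continue
            if ":" not in tok:
                findings.append((name, "malformed check", tok))
                continue
            kind, match = tok.split(":", 1)
            if kind == "rule" and match not in rules:
                findings.append((name, "undefined rule", match))
    return sorted(findings)


def unrestricted_apis(text):
    """Names of rules that any caller satisfies."""
    return [name for name, problem, _ in lint_policy(text)
            if problem == "unrestricted"]


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("%-20s %-22s %s" % finding)
```

Running this against the sample prints one line each for backup:delete (undefined rule admin_only), default (whitespace after ':'), datastore:index and flavor:index (unrestricted). Fixing the two defects leaves only the two unrestricted entries, which is exactly what the appendix intends for the datastore and flavor APIs.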