Policy.json based RBAC does not work on ceilometer events api

Bug #1461767 reported by Divya K Konoor
This bug affects 2 people
Affects / Status / Importance / Assigned to:
Ceilometer: Fix Released, Medium, Divya K Konoor
keystonemiddleware: Invalid, Medium, Divya K Konoor

Bug Description

The events API RBAC cannot be configured using the ceilometer policy.json. There are 2 reasons for this:

1. This is because the /ceilometer/api/controllers/v2/events.py>>EventsController.get_all, get_one, etc. implementations use the decorator @v2_utils.requires_admin, which mandates that the user be an admin.
RBAC rules for each REST call must be configurable and controlled via the respective policy.json file and not hardcoded in this manner.

2. Even if we fix problem 1 above by removing the requires_admin decorator and by enforcing the policy via oslo_policy, ownership based RBAC rules will not apply for events. (Ownership based rules implies stuff like "owner": "user_id:%(user_id)s" etc., where we can specifically define that the REST call output is available only to the owner of the data (like a specific user or a project). There are multiple cases, e.g. in the case of audit data, where the data should be seen only either by the owner of the data or an admin from within a specific project - and not by admins from other projects). For this requirement, the event object should have user and project related information, which it doesn't currently have as seen below.

{
   "raw":{

   },
   "traits":[

   ],
   "generated":"2015-06-02T12:34:12.449000",
   "message_id":"b80ef947-091c-43a1-8df6-81173a0d4780",
   "event_type":"audit.http.request"
}

Changed in ceilometer:
assignee: nobody → Divya K Konoor (dikonoor)
gordon chung (chungg)
Changed in ceilometer:
status: New → Triaged
importance: Undecided → Medium
Divya K Konoor (dikonoor) wrote:

IRC chat with Gordon: http://eavesdrop.openstack.org/irclogs/%23openstack-ceilometer/%23openstack-ceilometer.2015-06-22.log.html

Gordon,
Please take a look at the changesets below:
1a) https://review.openstack.org/#/c/198536/ >> I have defined two new traits for the audit events and made RBAC changes to enable policy engine based permissions
1b) https://review.openstack.org/#/c/198555/ >> changes to keystonemiddleware
2. https://review.openstack.org/#/c/196624/ >> this is by changing the event schema. I think as per our last discussion we don't want to follow this.

Changed in keystonemiddleware:
assignee: nobody → Divya K Konoor (dikonoor)
status: New → In Progress
importance: Undecided → Medium
Steve Martinelli (stevemar) wrote:
Changed in ceilometer:
status: Triaged → In Progress
Divya K Konoor (dikonoor) wrote:

Listed below is the summary of conversation with Steve on this defect:

1. We can do away without the keystonemiddleware changes. As keystonemiddleware.audit already sends user and project information as part of the event, ceilometer can extract the info from there. Thus, https://review.openstack.org/#/c/198555/ can be abandoned.

2. Instead of changing the Event schema to add user_id and project_id as the base attributes, I added these as Traits by defining them in the events_definition file for the audit event types.

3. I re-used the rbac.enforce method and made some changes so that it is able to better utilize the oslo policy engine.
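
The ownership rule from the bug description, evaluated against an audit event with and without the user_id/project_id traits described in the comment above, as an added example (this is not code from the report, ceilometer, or oslo.policy; it implements only the tiny subset of the policy check syntax needed here, and all event and credential values are constructed):

```python
# Added example, not code from the bug report or from ceilometer/oslo.policy:
# a minimal evaluator for the ownership-style rules the report wants, run
# against events with and without user_id/project_id traits.

# Rule the report asks for: the owner, or an admin from the same project.
AUDIT_RULE = "user_id:%(user_id)s or role:admin and project_id:%(project_id)s"

# Constructed sample events (shape as in the report; values are made up).
OLD_EVENT = {"event_type": "audit.http.request", "traits": []}
NEW_EVENT = {"event_type": "audit.http.request", "traits": [
    {"type": "string", "name": "project_id", "value": "proj-A"},
    {"type": "string", "name": "user_id", "value": "user-1"},
]}


def traits_to_target(event):
    """Policy target built from an event's traits; empty for OLD_EVENT."""
    return {t["name"]: t["value"] for t in event.get("traits", [])
            if t["name"] in ("user_id", "project_id")}


def _check(atom, creds, target):
    """One 'kind:match' check, mirroring oslo.policy's generic check."""
    kind, _, match = atom.strip().partition(":")
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        expected = match % target   # substitute %(user_id)s etc. from target
    except KeyError:
        return False                # target lacks the key: fail closed
    return creds.get(kind) == expected


def enforce(rule, creds, target):
    """Evaluate 'a or b and c' ('and' binds tighter; no parentheses)."""
    return any(all(_check(a, creds, target) for a in grp.split(" and "))
               for grp in rule.split(" or "))


def can_read(event, creds, rule=AUDIT_RULE):
    """True if the caller's credentials may read the event under rule."""
    return enforce(rule, creds, traits_to_target(event))


if __name__ == "__main__":
    owner = {"user_id": "user-1", "project_id": "proj-A", "roles": []}
    print(can_read(NEW_EVENT, owner), can_read(OLD_EVENT, owner))
```

With the old event shape even the data's owner is denied, because the target has no user_id for the rule to match against; the traits are what make the ownership rule decidable.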

Divya K Konoor (dikonoor) wrote:

With the changes in https://review.openstack.org/#/c/198536/, the Traits for an event will now have two additional Traits, namely project_id and user_id, as seen below.

[
   {
      "raw":{

      },
      "traits":[
         {
            "type":"string",
            "name":"project_id",
            "value":"openstack:b01a2c00d9f9402cb795c76d721d70c9"
         },
         {
            "type":"string",
            "name":"typeURI",
            "value":"http://schemas.dmtf.org/cloud/audit/1.0/event"
         },
         {
            "type":"string",
            "name":"eventTime",
            "value":"2015-07-07T07:35:57.394448+0000"
         },
         {
            "type":"string",
            "name":"initiator_host_address",
            "value":"9.77.123.191"
         },
         {
            "type":"string",
            "name":"user_id",
            "value":"openstack:0688b01e6439ca32d698d20789d52169126fb41fb1a4ddafcebb97d854e836c9"

Matthew Edmonds (edmondsw) wrote:

Proposed a spec to address this: https://review.openstack.org/#/c/207141/

OpenStack Infra (hudson-openstack) wrote: Change abandoned on ceilometer (master)

Change abandoned by Divya K Konoor (<email address hidden>) on branch: master
Review: https://review.openstack.org/198536
Reason: BP events-rbac will take care of this. Abandoning this review request.

gordon chung (chungg) wrote:

see spec

Changed in ceilometer:
status: In Progress → Fix Committed
milestone: none → liberty-rc1
Thierry Carrez (ttx)
Changed in ceilometer:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in ceilometer:
milestone: liberty-rc1 → 5.0.0
Steve Martinelli (stevemar) wrote:

looks like this was resolved in ceilometer

Changed in keystonemiddleware:
status: In Progress → Invalid