[RFE] Policy Improvements

Bug #1526752 reported by Vladyslav Drok on 2015-12-16
4
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ironic
Fix Released
Wishlist
devananda

Bug Description

As a cloud operator I want to be able to control the kind of access that users have to Ironic's API and resources. Current Ironic behavior assumes operator is "an admin" or "not an admin", and accordingly "have access" or "no access". So if a company needs to represent a departmental hierarchy there aren't any way to do this. It would be nice to have this feature in Ironic.

Vladyslav Drok (vdrok) on 2015-12-16
description: updated
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
tags: added: rfe
Vladyslav Drok (vdrok) wrote :

Copy of whiteboard:

Gerrit topic: https://review.openstack.org/#q,topic:bp/policy-improvements,n,z

Addressed by: https://review.openstack.org/221778
    Policy improvements

Changed in ironic:
assignee: nobody → Anton Arefiev (aarefiev)
Changed in ironic:
assignee: Anton Arefiev (aarefiev) → nobody
Jay Faulkner (jason-oldos) wrote :

I should have a fresh spec up about this in the next week.

Changed in ironic:
assignee: nobody → Jay Faulkner (jason-oldos)

Fix proposed to branch: master
Review: https://review.openstack.org/327437

Changed in ironic:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/327437
Committed: https://git.openstack.org/cgit/openstack/ironic-specs/commit/?id=e436e3f692faec0dbfa5fec997aba81853a60cce
Submitter: Jenkins
Branch: master

commit e436e3f692faec0dbfa5fec997aba81853a60cce
Author: Jay Faulkner <email address hidden>
Date: Wed Jun 8 17:28:46 2016 -0700

    Implement Keystone Policy Support

    Specification for keystone policy support in ironic.

    Change-Id: I2efdfd99f553c6f448d3e4ab0fc16a260345ec87
    Partial-bug: 1526752

devananda (devananda) on 2016-07-19
Changed in ironic:
assignee: Jay Faulkner (jason-oldos) → Devananda van der Veen (devananda)

Fix proposed to branch: master
Review: https://review.openstack.org/345556

Changed in ironic:
assignee: Devananda van der Veen (devananda) → Jim Rollenhagen (jim-rollenhagen)

Reviewed: https://review.openstack.org/325599
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=c7da7a69250fcffb6841d36710770608d603bb6a
Submitter: Jenkins
Branch: master

commit c7da7a69250fcffb6841d36710770608d603bb6a
Author: Devananda van der Veen <email address hidden>
Date: Fri Jun 3 15:43:12 2016 -0700

    Add keystone policy support to Ironic

    Implements more fine-grained policy support within our API service,
    following the oslo policy-in-code spec, while maintaining compatibility
    with the previous default policy.json file. An empty policy.json file is
    included, along with a sample file listig all supported policy settings
    and their default values.

    A new tox target "genpolicy" has been added to ease automation of
    sample policy file generation.

    All calls to policy.enforce() have been replaced with with
    policy.authorize() to avoid silent failures when a rule is undefined,
    because enforce() does not raise() if the target rule does not exist.

      NOTE: policy.enforce() is not removed by this patch, but a deprecation
      warning will be logged if it this method is invoked.

    Updates unit test coverage for the new authorize() method, as well as
    more general unit test updates for some of the new rules.

    Partial-bug: #1526752
    Change-Id: Ie4398f840601d027e2fe209c17d854421687c7b7

Changed in ironic:
assignee: Jim Rollenhagen (jim-rollenhagen) → Devananda van der Veen (devananda)

Reviewed: https://review.openstack.org/345556
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=a5c26972b28018083e0a76c0dbc41d738ca84fff
Submitter: Jenkins
Branch: master

commit a5c26972b28018083e0a76c0dbc41d738ca84fff
Author: Devananda van der Veen <email address hidden>
Date: Thu Jul 21 09:18:12 2016 -0700

    Update documentation for keystone policy support

    This change adds information about keystone policy support in the
    following places:

    * api-ref: add notes to the Nodes reference, indicating that
      password and configdrive contents may be hidden in responses
    * deploy security guide: add a section about limiting API access
      by using the new policies and roles
    * deploy install guide: add instructions for creating the necessary
      Roles with the Identity service
    * dev quickstart guide: use devstack "demo" user throughout the guide,
      and add a note about why. Incidentally, switch to using "openstack"
      client instead of "ironic" and "nova" clients.

    Partial-bug: #1526752
    Change-Id: I392cabbf04badabd8ae7bb00a914b0a06db3d421

Reviewed: https://review.openstack.org/326768
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=dc0dad97737dcd0dadd1a56eb094cd76207229f0
Submitter: Jenkins
Branch: master

commit dc0dad97737dcd0dadd1a56eb094cd76207229f0
Author: Devananda van der Veen <email address hidden>
Date: Tue Jun 7 17:22:20 2016 -0700

    Mask instance secrets in API responses

    This change adds a new policy setting, "show_instance_secrets", whose
    behavior mirrors that of the existing "show_passwords" policy setting.

    Whereas "show_passwords" has historically blocked all sensitive
    information from the node's driver_info field, the new setting blocks
    all sensitive information from the node's instance_info field, including
    image_url.

    The name of the old setting, "show_passwords", is not being changed at
    this time because such a change is not backwards-compatible. Instead,
    the documentation string for this setting has been changed to clarify
    what it does. Note that the behavior has not actually changed.

    Note that this change moves the policy.check("show_password") call from
    the Pecan hook into the API's Nodes() class, where the
    policy.check("show_instance_secrets") is also added. This makes the code
    a little cleaner and more maintainable, especially if we want to add any
    more checks like this in the future.

    As a result of this cleanup, the ironic-specific
    RequestContext.show_password property is removed.

    Partial-bug: #1530972
    Partial-bug: #1526752
    Related-bug: #1613903

    Change-Id: I48493c53971cdab3b9122897e51322e19ce2f600

Heh, this was completed in Newton.

tags: added: rfe-approved
removed: rfe
Changed in ironic:
status: In Progress → Fix Released

Change abandoned by Devananda van der Veen (<email address hidden>) on branch: master
Review: https://review.openstack.org/345076

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related blueprints