[RFE] Tag based policy
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Won't Fix | Wishlist | Unassigned | |
Bug Description
Although it's not directly related to Neutron, Neutron has used the tagging concept widely, so I think it's a good place to start. Also, I felt this feature allows rbac_policy functionality to be achieved in a slightly more generic way.
What I want to achieve is tag based policy. The scenario that I imagine is like this:
1. Admin attaches tags to several resources. (Network / Service Provider ...)
2. Tags attached in the project are exposed in auth_token so that the credentials used by oslo.policy can take the tagging list.
3. Admin adds a specific rule in oslo.policy like this:
"get_network": "project_
4. Then users can access only the limited resources that match their tag.
I think the changes for the implementation belong to several components (oslo.context / oslo.policy / keystone / nova ...), though the LoC is not much, since there are already many building blocks that can be used.
I already posted the keystone side for the feature that I said in (2):
https:/
It seems that feedback from a service that directly uses this feature can give a little more power to this RFE, so I would appreciate hearing what Neutron folks think about it.
Thanks in advance.
tags: added: rfe
Changed in neutron: importance: Undecided → Wishlist
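The four-step scenario in the description, as an added sketch in plain Python (not part of the original report, and not oslo.policy, Keystone or Neutron code). The key names `token_tags`, `tags` and `is_admin`, and the admin and owner bypasses, are assumptions made for illustration; the point shown is that a tag match should fail closed when either side has no tags.

```python
# Added illustration: plain Python, not oslo.policy or Neutron code.
# All key names (token_tags, tags, is_admin) are hypothetical.


def tag_check(creds, target):
    """Allow when the token and the resource share at least one tag.

    Fails closed: a token or a resource without tags never matches,
    so untagged resources are not exposed by accident.
    """
    token_tags = set(creds.get("token_tags") or [])
    resource_tags = set(target.get("tags") or [])
    return bool(token_tags & resource_tags)


def enforce_get_network(creds, network):
    """Assumed rule: admin, or owner, or a tag match."""
    if creds.get("is_admin"):
        return True
    owner = creds.get("project_id")
    # Guard against None == None granting access to ownerless records.
    if owner is not None and owner == network.get("project_id"):
        return True
    return tag_check(creds, network)


def visible_networks(creds, networks):
    """Return the ids of the networks the caller may read."""
    return [n["id"] for n in networks if enforce_get_network(creds, n)]


# Constructed sample data.
NETWORKS = [
    {"id": "net-a", "project_id": "p-admin", "tags": ["team-red"]},
    {"id": "net-b", "project_id": "p-admin", "tags": ["team-blue"]},
    {"id": "net-c", "project_id": "p-admin", "tags": []},
    {"id": "net-d", "project_id": "p-user1", "tags": []},
]
USER = {"project_id": "p-user1", "is_admin": False, "token_tags": ["team-red"]}
UNTAGGED = {"project_id": "p-user2", "is_admin": False, "token_tags": []}
ADMIN = {"project_id": "p-admin", "is_admin": True, "token_tags": []}

if __name__ == "__main__":
    for who, creds in (("user", USER), ("untagged", UNTAGGED), ("admin", ADMIN)):
        print(who, visible_networks(creds, NETWORKS))
```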
We already have role based access control for some resources (like networks or qos policies). We also have the "regular" policy.json mechanism which can be used to define some access "levels" for users.
So I'm afraid if adding a 3rd mechanism is really a good idea. Maybe we should focus on e.g. improving rbac instead? Or maybe it's completely fine to have both things in place - I really don't know but I think that this should be discussed first :)