Use oslo.context's policy dict
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Fix Released | High | Jamie Lennox | |
| Glance | Fix Released | Undecided | Jamie Lennox | |
| Ironic | Fix Released | Wishlist | Vladyslav Drok | |
| OpenStack Compute (nova) | Fix Released | Undecided | Jamie Lennox | |
| OpenStack Heat | Fix Released | Undecided | Jamie Lennox | |
| OpenStack Identity (keystone) | Fix Released | High | Adam Young | |
| OpenStack Shared File Systems Service (Manila) | Fix Released | Medium | Goutham Pacha Ravi | |
Bug Description
This is a cross-project goal to standardize the values available to policy writers and to improve the basic oslo.context object. It is part of the follow-up work to bug #1577996 and bug #968696.
There has been an ongoing problem with how we define the 'admin' role. Because tokens are project scoped, having the 'admin' role on any project effectively granted you the 'admin' role on all of OpenStack. As a solution, keystone defined an is_admin_project field, so that keystone designates a single project that your token must be scoped to before it can perform admin operations. This has been implemented.
The next phase of this is to make all the projects understand the X-Is-Admin-Project header set by keystonemiddleware and pass it to oslo_policy. However, this pattern, where keystone changes something and then has to go to every project to fix it, has been repeated a number of times now, and we would like to make it much more automatic.
Ongoing work has enhanced the base oslo.context object to include both the load_from_environ and to_policy_values methods. The load_from_environ classmethod takes an environment dict containing all the standard auth_token and oslo middleware headers and loads them into their standard places on the context object.
to_policy_values() then creates a standard credentials dictionary with all the information that should be required to enforce policy from the context. Together, these two methods mean that in future, when authentication information needs to be passed to policy, it can be handled entirely by oslo.context and does not require changes in each individual service.
Note that in future a similar pattern will hopefully be employed to simplify passing authentication information over RPC to solve the timeout issues. This is a prerequisite for that work.
There are a few common problems in services that are required to make this work:
1. Most service context.__init__ functions take and discard **kwargs. This is so that if context.from_dict receives arguments it doesn't know how to handle (possibly because new things have been added to the base to_dict), it ignores them. Unfortunately, to make the load_from_environ method work we need to pass parameters to __init__ that are handled by the base class.
To make this work we simply have to do a better job in from_dict. Instead of passing everything to __init__ and ignoring what we don't know, from_dict should extract only the parameters that the context knows how to use and call __init__ with those.
2. The parameter names passed to the base context.__init__ are old. Typically they are user and tenant, where most services expect user_id and project_id. There is ongoing work to improve this in oslo.context, but for now we have to ensure that the subclass correctly sets and uses the right variable names.
3. Some services provide additional information to the policy enforcement method. To keep this working we will simply override the to_policy_values method in the subclasses.
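The following is an added, stand-alone illustration of the pattern described in the three points above. It is not oslo.context's code, nor any service's, and imports nothing from them: BaseContext is a simplified, hypothetical stand-in for the shared base class, read_deleted is an invented service-specific attribute, and the WSGI environ is constructed sample data. The HTTP_X_* keys are the ones keystonemiddleware's auth_token middleware writes into the environ. LegacyContext shows problems 1 and 2 (old parameter names plus **kwargs swallowed before the base class sees them, so roles and is_admin_project are silently lost); FixedContext shows the recommended shape, and is_cloud_admin is the check the X-Is-Admin-Project work makes possible.

```python
"""Added illustration of the oslo.context pattern this bug describes.  Not
oslo.context's code, nothing is imported from it: BaseContext is a simplified
stand-in so the example runs offline.  The HTTP_X_* keys are the ones
keystonemiddleware.auth_token writes into the WSGI environ."""

# environ key written by auth_token middleware -> attribute on the context
_ENVIRON_HEADERS = {
    "user_id": "HTTP_X_USER_ID",
    "project_id": "HTTP_X_PROJECT_ID",
    "auth_token": "HTTP_X_AUTH_TOKEN",
}
_BASE_FIELDS = tuple(_ENVIRON_HEADERS) + ("roles", "is_admin_project")


class BaseContext:
    """Stand-in for the shared base context class (simplified, hypothetical)."""

    def __init__(self, user_id=None, project_id=None, roles=None,
                 is_admin_project=False, auth_token=None):
        self.user_id = user_id
        self.project_id = project_id
        self.roles = list(roles or [])
        self.is_admin_project = is_admin_project
        self.auth_token = auth_token

    @classmethod
    def from_environ(cls, environ, **kwargs):
        """Build a context from the headers auth_token middleware set."""
        for attr, header in _ENVIRON_HEADERS.items():
            kwargs.setdefault(attr, environ.get(header))
        roles = environ.get("HTTP_X_ROLES", "")
        kwargs.setdefault("roles", [r.strip() for r in roles.split(",") if r.strip()])
        # Fail closed: only an explicit 'True' marks the token as scoped to the
        # admin project.  Check what your oslo.context release does when the
        # header is absent before relying on this behaviour.
        flag = environ.get("HTTP_X_IS_ADMIN_PROJECT", "")
        kwargs.setdefault("is_admin_project", flag.lower() == "true")
        return cls(**kwargs)

    def to_policy_values(self):
        """Standard credentials dict for the policy enforcer (token deliberately absent)."""
        return {"user_id": self.user_id, "project_id": self.project_id,
                "roles": list(self.roles), "is_admin_project": self.is_admin_project}


class LegacyContext(BaseContext):
    """Problems 1 and 2: old names, and **kwargs swallowed before the base sees them."""

    def __init__(self, user=None, tenant=None, **kwargs):
        super().__init__(user_id=user, project_id=tenant)  # roles, is_admin_project lost


class FixedContext(BaseContext):
    """The shape the bug asks for: base fields pass through, policy dict is extended."""

    def __init__(self, read_deleted="no", **kwargs):
        super().__init__(**kwargs)        # an unknown key now raises TypeError
        self.read_deleted = read_deleted  # hypothetical service-specific attribute

    @classmethod
    def from_dict(cls, values):
        """Pick only the keys this context understands; do not discard in __init__."""
        known = _BASE_FIELDS + ("read_deleted",)
        return cls(**{k: values[k] for k in known if k in values})

    def to_policy_values(self):
        """Problem 3: layer service-specific values on top of the standard ones."""
        creds = super().to_policy_values()
        creds["read_deleted"] = self.read_deleted
        return creds


def is_cloud_admin(creds):
    """The check this work enables: admin role AND token scoped to the admin project."""
    return "admin" in creds["roles"] and creds["is_admin_project"] is True


def demo():
    # Constructed sample environ: an 'admin' role held on an ordinary project.
    environ = {"HTTP_X_USER_ID": "u-1", "HTTP_X_PROJECT_ID": "p-tenant",
               "HTTP_X_ROLES": "admin,member", "HTTP_X_IS_ADMIN_PROJECT": "False",
               "HTTP_X_AUTH_TOKEN": "tok"}
    results = {}
    legacy = LegacyContext.from_environ(environ)
    results["legacy_roles"] = legacy.to_policy_values()["roles"]  # [] - silently dropped
    fixed = FixedContext.from_environ(environ)
    results["tenant_admin_allowed"] = is_cloud_admin(fixed.to_policy_values())  # False
    admin_env = dict(environ, HTTP_X_PROJECT_ID="p-admin", HTTP_X_IS_ADMIN_PROJECT="True")
    admin_creds = FixedContext.from_environ(admin_env).to_policy_values()
    results["admin_project_allowed"] = is_cloud_admin(admin_creds)  # True
    # Round trip with a key the context does not know: ignored by from_dict, not fatal.
    payload = dict(fixed.to_policy_values(), read_deleted="yes", future_field=1)
    results["round_trip_project"] = FixedContext.from_dict(payload).project_id
    try:
        FixedContext(tenant="p-tenant")  # old name is rejected instead of swallowed
        results["old_name_rejected"] = False
    except TypeError:
        results["old_name_rejected"] = True
    return results
```

Two points worth noting from the run. First, LegacyContext produces an empty roles list and is_admin_project False from a perfectly good environ, which is why "just add **kwargs" is not a safe way to tolerate unknown keys: the authentication data the middleware validated never reaches the policy dict. Second, the example fails closed when X-Is-Admin-Project is missing; oslo.context itself defaulted is_admin_project to True for backwards compatibility with deployments whose keystone did not yet designate an admin project, so verify the behaviour of the release you run before assuming a missing header means "not admin".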
Changed in cinder: | |
assignee: | nobody → Jamie Lennox (jamielennox) |
status: | New → In Progress |
Changed in heat: | |
assignee: | nobody → Jamie Lennox (jamielennox) |
status: | New → In Progress |
Changed in glance: | |
assignee: | nobody → haobing1 (haobing1) |
Changed in taskflow: | |
assignee: | nobody → haobing1 (haobing1) |
Changed in neutron: | |
status: | New → Triaged |
Changed in glance: | |
assignee: | haobing1 (haobing1) → Jamie Lennox (jamielennox) |
Changed in neutron: | |
assignee: | nobody → Jamie Lennox (jamielennox) |
Changed in glance-store: | |
assignee: | nobody → haobing1 (haobing1) |
Changed in os-brick: | |
assignee: | nobody → haobing1 (haobing1) |
tags: | added: oslo |
Changed in neutron: | |
status: | Triaged → In Progress |
milestone: | none → newton-3 |
Changed in neutron: | |
importance: | Undecided → High |
no longer affects: | taskflow |
no longer affects: | os-brick |
no longer affects: | glance-store |
Changed in neutron: | |
milestone: | newton-3 → newton-rc1 |
Changed in cinder: | |
assignee: | Jamie Lennox (jamielennox) → Adam Young (ayoung) |
Changed in neutron: | |
milestone: | newton-rc1 → ocata-1 |
Changed in cinder: | |
importance: | Undecided → High |
Changed in neutron: | |
milestone: | ocata-1 → newton-rc2 |
tags: | added: newton-rc-potential |
Changed in cinder: | |
assignee: | Adam Young (ayoung) → Jamie Lennox (jamielennox) |
Changed in neutron: | |
milestone: | newton-rc2 → ocata-1 |
tags: | removed: newton-rc-potential |
Changed in neutron: | |
importance: | High → Low |
Changed in ironic: | |
status: | New → Confirmed |
importance: | Undecided → Wishlist |
Changed in ironic: | |
assignee: | nobody → monika (monikaparkar25) |
Changed in ironic: | |
assignee: | monika (monikaparkar25) → Vladyslav Drok (vdrok) |
status: | Confirmed → In Progress |
Changed in neutron: | |
milestone: | ocata-1 → ocata-2 |
Changed in keystone: | |
milestone: | ocata-1 → ocata-2 |
Changed in neutron: | |
assignee: | Jamie Lennox (jamielennox) → Ihar Hrachyshka (ihar-hrachyshka) |
Changed in keystone: | |
milestone: | ocata-2 → ocata-3 |
Changed in keystone: | |
milestone: | ocata-3 → none |
no longer affects: | neutron |
Changed in keystone: | |
status: | Fix Committed → Fix Released |
Changed in manila: | |
assignee: | nobody → Goutham Pacha Ravi (gouthamr) |
Changed in manila: | |
importance: | Undecided → Medium |
status: | New → In Progress |
milestone: | none → wallaby-3 |
Changed in manila: | |
status: | In Progress → Fix Released |
Reviewed: https://review.openstack.org/314889
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=ca501cba92960d0d9cffc346ebd47d39fbce32e8
Submitter: Jenkins
Branch: master
commit ca501cba92960d0d9cffc346ebd47d39fbce32e8
Author: Jamie Lennox <email address hidden>
Date: Wed May 4 17:10:40 2016 +1000
Use oslo.context features
In an effort to standardize policy and authentication values
oslo.context has new features such as from_environ which constructs a
standard oslo.context object from the environment variables created by
auth_token middleware and to_policy_values which emits a standard
credentials target for writing common policy files across services.
Use these standard functions when dealing with contexts and policy in
glance.
Closes-Bug: #1602081
Change-Id: I40582cb34818b980d6c6914b2c9346a17a0ed489