Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1056391 - [RFE][oslo]: policy.json - Checking resource field against constant
Summary: [RFE][oslo]: policy.json - Checking resource field against constant
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: RFEs
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: RHOS Maint
QA Contact:
URL: https://blueprints.launchpad.net/oslo...
Whiteboard: upstream_milestone_none upstream_stat...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-01-22 05:10 UTC by RHOS Integration
Modified: 2015-03-19 17:10 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-19 17:10:35 UTC


Attachments (Terms of Use)

Description RHOS Integration 2014-01-22 05:10:29 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/oslo/+spec/policy-constant-check.

Description:

Keystone policy engine currently allows 4 kinds of rules:

* rule:<rulename> (class `RuleCheck`) allows making recursive rules,
  by checking that <rulename> is True;

* role:<rolename> (class `RoleCheck`) checks that <rolename> belongs
  to the roles associated with the token;

* http:<targeturl> (class `HttpCheck`) uses an external policy engine,
  by calling <targeturl>;

* <credential>:<match> (class `GenericCheck`) allows checking a
  credential (provided through the token) against a string or any
  field of a resource being processed (user, role, domain, project,
  ...)


The feature proposed in this blueprint consists in allowing the
platform administrator to have resources' fields compared against
constants in its policy.json files, without using an external policy 
engine.

For instance, to avoid deleting users by mistake, the platform
administrator may want to ensure that a user's `enabled` field is set
to `False`, prior to deleting it. To do that, he wishes to set the
following rule into its Keystone policy.json file:

"identity:delete_user": "'False':%(target.user.enabled)s",


Class to update:
https://github.com/openstack/oslo-incubator/blob/master/openstack/common/policy.py#L833


Specification URL (additional information):

None


Note You need to log in before you can comment on or make changes to this bug.