Bug 1042158 - [RFE][heat]: Improve request scoping based on policy/context
Summary: [RFE][heat]: Improve request scoping based on policy/context
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-heat
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ga
Target Release: 5.0 (RHEL 7)
Assignee: RHOS Maint
QA Contact: Amit Ugol
URL: https://blueprints.launchpad.net/heat...
Whiteboard: upstream_milestone_icehouse-3 upstrea...
Depends On:
Blocks:
Reported: 2013-12-12 21:13 UTC by RHOS Integration
Modified: 2014-09-08 05:42 UTC
CC List: 7 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
This enhancement improves security policy control for Orchestration. Because a secure Orchestration runtime requires that access be governed by site policy, the REST API can now be controlled through policy.json, so users can customize the security policies used by Orchestration.
Clone Of:
Environment:
Last Closed: 2014-07-22 19:09:00 UTC
Target Upstream Version:



Description RHOS Integration 2013-12-12 21:13:57 UTC
Cloned from Launchpad blueprint https://blueprints.launchpad.net/heat/+spec/request-scoping-policy.

Description:

Currently, there are several issues related to request scoping and policy in Heat:
- The REST API can't be controlled via policy.json
- The default request scope (DB filter) is always per-tenant, but in theory we support the owner_is_tenant option, where, if set to False, the scope should be per-user, not per-tenant
- We don't respect policy-based admin-ness: is_admin in the context is always ignored, so there's no way to potentially provide project admins access to management-API functionality (on a per-project basis)

We should overhaul our handling of policy so it's more consistent and comprehensive, then deployers will have much more control when specifying site-specific RBAC policies.

Specification URL (additional information):

None
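The three points in the blueprint (policy.json gating REST actions, owner_is_tenant selecting a per-tenant or per-user DB filter, and is_admin derived from policy rather than ignored) are easiest to see in a small model. The following is an added example, not Heat's own code or the upstream change: RequestContext, enforce, stack_scope_filter, the action names and the policy rules are all hypothetical, and the rule evaluator implements only a tiny subset of the "role:/rule:/or" grammar that policy.json uses.

```python
"""Illustrative model of policy-driven request scoping (added example, not Heat code).

Hypothetical names: RequestContext, enforce, stack_scope_filter, visible_stacks,
and every action name in POLICY. The rule syntax is a small subset of the
policy.json grammar: "" allows everyone, "!" denies, "role:X", "rule:Y",
"is_admin:True", joined by " or ".
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when policy denies an action for the calling context."""


@dataclass
class RequestContext:
    user_id: str
    tenant_id: str
    roles: list = field(default_factory=list)
    # Derived from the context_is_admin rule; never taken from the request itself.
    is_admin: bool = False


# Constructed policy.json-style rules with hypothetical action names.
POLICY = {
    "context_is_admin": "role:admin",
    "stacks:index": "",
    "stacks:create": "",
    "stacks:delete": "rule:context_is_admin or role:stack_owner",
    "actions:management": "rule:context_is_admin",
    "stacks:abandon": "!",
}


def _check_atom(atom, ctx, policy, depth):
    """Evaluate a single 'kind:value' check against the request context."""
    atom = atom.strip()
    if atom == "":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "rule":
        return check_rule(value, ctx, policy, depth + 1)
    if kind == "is_admin":
        return ctx.is_admin == (value == "True")
    raise ValueError("unknown check: %r" % atom)


def check_rule(name, ctx, policy=POLICY, depth=0):
    """Resolve a named rule; an undefined or self-recursive rule denies (fail closed)."""
    if depth > 10:
        return False
    expr = policy.get(name)
    if expr is None:
        return False
    return any(_check_atom(a, ctx, policy, depth) for a in expr.split(" or "))


def set_admin_from_policy(ctx, policy=POLICY):
    """Admin-ness comes from policy (context_is_admin), so deployers control it."""
    ctx.is_admin = check_rule("context_is_admin", ctx, policy)
    return ctx


def enforce(action, ctx, policy=POLICY):
    """Gate one REST action on policy; raise Forbidden on deny."""
    if not check_rule(action, ctx, policy):
        raise Forbidden("%s denied for user %s" % (action, ctx.user_id))
    return True


def stack_scope_filter(ctx, owner_is_tenant=True):
    """DB filter for the request: per tenant by default, per user when owner_is_tenant is False."""
    if owner_is_tenant:
        return {"tenant": ctx.tenant_id}
    return {"user_id": ctx.user_id}


def visible_stacks(ctx, stacks, owner_is_tenant=True):
    """Apply the scope filter to a list of stack records (plain dicts here)."""
    flt = stack_scope_filter(ctx, owner_is_tenant)
    return [s for s in stacks if all(s.get(k) == v for k, v in flt.items())]


# Constructed sample records standing in for the stack table.
STACKS = [
    {"name": "web", "tenant": "t1", "user_id": "alice"},
    {"name": "db", "tenant": "t1", "user_id": "bob"},
    {"name": "other", "tenant": "t2", "user_id": "carol"},
]

if __name__ == "__main__":
    alice = set_admin_from_policy(RequestContext("alice", "t1", ["member"]))
    bob = set_admin_from_policy(RequestContext("bob", "t1", ["admin"]))
    print(enforce("stacks:index", alice))
    print([s["name"] for s in visible_stacks(alice, STACKS)])         # tenant scope
    print([s["name"] for s in visible_stacks(alice, STACKS, False)])  # user scope
    print(bob.is_admin, enforce("actions:management", bob))
```

The two properties worth checking in a real deployment are visible here: a caller cannot make themselves admin by asserting is_admin in the request (it is recomputed from context_is_admin), and an action missing from the policy file is denied rather than silently allowed.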

