airship/deckhand
Code Issues Proposed changes
Files
582dee6fb9ae893a5f271de0f1da7db523a0c744
deckhand/doc/source/index.rst
Felipe Monteiro 582dee6fb9 DECKHAND-61: oslo.policy integration 
This PS implements oslo.policy integration in Deckhand.
The policy.py file implements 2 types of functions for
performing policy enforcement in Deckhand: authorize,
which is a decorator that is used directly around
falcon on_HTTP_VERB methods that raises a 403 immediately
if policy enforcement fails; and conditional_authorize,
to be used inside controller code conditionally.

For example, since Deckhand has two types of documents
with respect to security -- encrypted and cleartext
documents -- policy enforcement is conditioned on the
type of the documents' metadata.storagePolicy.

Included in this PS:
  - policy framework implementation
  - policy in code and policy documentation for all
    Deckhand policies
  - modification of functional test script to override
    default admin-only policies with custom policy file
    dynamically created using lax permissions
  - bug fix for filtering out deleted documents (and
    its predecessors in previous revisions) for
    PUT /revisions/{revision_id}/documents
  - policy documentation
  - basic unit tests for policy enforcement framework
  - allow functional tests to be filtered via regex

Due to the size of this PS, functional tests related to
policy enforcement will be done in a follow up.

Change-Id: If418129f9b401091e098c0bd6c7336b8a5cd2359
2017-10-07 18:43:28 +01:00

1.7 KiB
Raw Blame History

Welcome to Deckhand's documentation!

Deckhand is a document-based configuration storage service built with auditability and validation in mind. It serves as the back-end storage service for UCP.

Deckhand's primary responsibilities include validating and storing YAML documents that are layered together to produce finalized documents, containing site configuration data, including sensitive data. Secrets can be stored using specialized secret storage management services like Barbican and later substituted into finalized or "rendered" documents.

The service understands a variety of document formats, the combination of which describe the manner in which Deckhand renders finalized documents for consumption by other UCP services.

User's Guide

policy-enforcement

Developer's Guide

HACKING testing

Glossary

glossary

View Git Blame Copy Permalink