582dee6fb9
This PS implements oslo.policy integration in Deckhand.
The policy.py file implements 2 types of functions for
performing policy enforcement in Deckhand: authorize,
which is a decorator that is used directly around
falcon on_HTTP_VERB methods that raises a 403 immediately
if policy enforcement fails; and conditional_authorize,
to be used inside controller code conditionally.
For example, since Deckhand has two types of documents
with respect to security -- encrypted and cleartext
documents -- policy enforcement is conditioned on the
type of the documents' metadata.storagePolicy.
Included in this PS:
- policy framework implementation
- policy in code and policy documentation for all
Deckhand policies
- modification of functional test script to override
default admin-only policies with custom policy file
dynamically created using lax permissions
- bug fix for filtering out deleted documents (and
its predecessors in previous revisions) for
PUT /revisions/{revision_id}/documents
- policy documentation
- basic unit tests for policy enforcement framework
- allow functional tests to be filtered via regex
Due to the size of this PS, functional tests related to
policy enforcement will be done in a follow up.
Change-Id: If418129f9b401091e098c0bd6c7336b8a5cd2359
2.3 KiB
Rest API Policy Enforcement
Policy enforcement in Deckhand leverages the oslo.policy
library like all OpenStack projects. The implementation is located in
deckhand.policy. Two types of policy authorization exist in
Deckhand:
- Decorator-level authorization used for wrapping around
falcon"on{HTTP_VERB}" methods. In this case, if policy authorization fails a 403 Forbidden is always raised.- Conditional authorization, which means that the policy is only enforced if a certain set of conditions are true.
Deckhand, for example, will only conditionally enforce listing
encrypted documents if a document's metadata.storagePolicy
is "encrypted".
Policy Implementation
Deckhand uses authorize from oslo.policy as
the latter supports both enforce and
authorize. authorize is stricter because it'll
raise an exception if the policy action is not registered under
deckhand.policies (which enumerates all the legal policy
actions and their default rules). This means that attempting to enforce
anything not found in deckhand.policies will error out with
a 'Policy not registered' message.
deckhand.policy
Sample Policy File
The following is a sample Deckhand policy file for adaptation and use. It is auto-generated from Deckhand when this documentation is built, so if you are having issues with an option, please compare your version of Deckhand with the version of this documentation.
The sample configuration can also be viewed in file form.
_static/deckhand.policy.yaml.sample