Pass Targets to Glance's Policy Enforcer

SecurityImpact Change-Id: If5047942f03915cc4b1e42a586cf403a4eceab58
2015-01-21 19:36:03 -06:00 · 2015-01-21 19:36:03 -06:00 · a9fde2dee6
commit a9fde2dee6
parent 224ade269d
1 changed files with 248 additions and 0 deletions
--- a/specs/kilo/pass-targets-to-policy-enforcer.rst
+++ b/specs/kilo/pass-targets-to-policy-enforcer.rst
@ -0,0 +1,248 @@
 ..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License.
 http://creativecommons.org/licenses/by/3.0/legalcode
 ========================================
 Pass Targets to Glance's Policy Enforcer
 ========================================
 https://blueprints.launchpad.net/glance/+spec/pass-targets-to-policy-enforcer
 Currently it's possible to define custom rules in Glance's ``policy.json``
 that rely on attributes other than a user's roles. Unfortunately, if you
 attempt to apply one of those rules, it will always cause the user to be
 prevented from performing the associated action. This specification proposes
 that we pass the proper target objects to the enforcer so these rules can be
 used and properly enforced.
 Problem description
 ===================
 Currently, Glance promises that permissions can be configured in the
 ``policy.json`` file but any rule other than a role check currently
 results in a ``403 Forbidden`` response. As this is a promised feature,
 implementing this specification is merely fixing the already promised
 behaviour.
 It is not possible to restrict access to actions in Glance's ``policy.json``
 based on anything other than a user's roles. The policy enforcer that Glance
 extends from oslo expects a dictionary-like object to be passed as a target of
 the action. Every method that uses the policy enforcer and enforces the policy
 defined for the corresponding action currently passes an empty dictionary
 (``{}``) which provides absolutely no data about the actual target.
 If we define a rule similar to the following::
   "tenant_is_owner": "tenant%(owner)s"
 And we apply it to an action, e.g.,
 ::
   "delete_image": "rule:tenant_is_owner"
 Then every request to delete any image will be denied with a 403
 (Unauthorized) response from Glance's API. The reason stems from how the rule
 is parsed and the target is passed in. The ``"rule:tenant_is_owner"`` rule
 will be parsed as a ``GenericCheck``. These checks are split on the ``:`` into
 a ``kind`` and a ``match`` (roughly, ``"<kind>:<match>"``). The match portion
 is then interpolated with the target, i.e.,
 .. code-block:: python
   match = self.match % target
 So using our example above, we would do
 .. code-block:: python
   match = "%(owner)s" % {}
 Except that this raises a ``KeyError`` which means the check immediately
 returns ``False`` and fails. In this particular instance (deleting an image),
 if we passed an instance of ``glance.api.policy.ImageTarget``, then what would
 instead happen is that the interpolation would succeed.
 Proposed change
 ===============
 The solution for image-based resources is simple. We have the ``image`` on the
 policy proxies that relate to images. We simply pass that to
 ``glance.api.policy.ImageTarget`` and pass the resulting instance to the
 policy enforcer so it can be accessed like a dictionary when interpolated.
 For members and tasks, there is no target class that we can use. These are
 very thin classes that could easily be written.
 Once we have the appropriately defined target classes, we would then update
 the places where the policy is enforced to use instances of those target
 classes.
 With proper targets in place, we can also implement safer default policy rules
 for operators who rely solely on the default ``policy.json`` file.
 Alternatives
 ------------
 Custom rule creation based on attributes of the target object could be
 disabled. This would severely limit an operator's ability to restrict actions
 based on a user's tenant and other properties of the target of the action.
 Data model impact
 -----------------
 None
 REST API impact
 ---------------
 None
 Security impact
 ---------------
 This will give operators a significant amount of control over the security of
 their Glance installations. Currently they can only restrict actions based on
 roles which may be sufficient in some cases. If the operator, however, wishes
 to restrict access based on other factors (besides role) they cannot do this.
 If they try to do it, there is no indication that it will not work but they
 can essentially produce a Denial of Service to users who should be able to
 perform actions based on the policy defined.
 Notifications impact
 --------------------
 None
 Other end user impact
 ---------------------
 None
 Performance Impact
 ------------------
 None
 Other deployer impact
 ---------------------
 To leverage the fixes in this specification, operators need to update their
 versions of ``policy.json`` used in their deployments. To write a rule,
 operators need to know that there are three values provided by glance that can
 be used in a rule on the left side of the colon (``:``). Those values are the
 current user's credentials in the form of:
 - role
 - tenant
 - owner
 The left side of the colon can also contain any value that Python can
 understand, e.g.,:
 - ``True``
 - ``False``
 - ``"a string"``
 - &c.
 Role checks are going to continue to work exactly as they already do. If the
 role defined in the check is one that the user holds, then that will pass,
 e.g., ``role:admin``.
 Using ``tenant`` and ``owner`` will only work with Images or actions that
 interact with an image. Consider the following rule::
    tenant:%(owner)s
 This will use the ``tenant`` value of the currently authenticated user. It
 will also use ``owner`` from the image it is acting upon. If those two
 values are equivalent the check will pass. All attributes on an image (as well
 as extra image properties) are available for use on the right side of the
 colon. The most useful are the following:
 - ``owner``
 - ``protected``
 - ``is_public``
 An operator, therefore, could construct a set of rules like the following::
    {
        "not_protected": "False:%(protected)s",
        "is_owner": "tenant:%(owner)s",
        "not_protected_and_is_owner": "rule:not_protected and rule:is_owner",
        "delete_image": "rule:not_protected_and_is_owner"
    }
 Developer impact
 ----------------
 None
 Implementation
 ==============
 Assignee(s)
 -----------
 Primary assignee:
  icordasc
 Reviewers
 ---------
 Core reviewer(s):
  nikhil-komawar
  jokke
 Other reviewer(s):
  kragniz
 Work Items
 ----------
 - Create appropriate target classes
 - Use target classes to proxy targets to the policy enforcer
 - Add tests demonstrating that generic checks now work
 - Add better documentation surrounding policy rules to the existing
  documentation
 Dependencies
 ============
 None
 Testing
 =======
 Functional tests will be added where specific ``policy.json`` files are loaded
 to test access control of different targets.
 Documentation Impact
 ====================
 There is no direct impact, but the existing ``policy.json`` documentation is
 thin and only describes what each rule controls. It does not describe the
 available target information or how to write rules.
 References
 ==========
 Related bugs:
 - https://bugs.launchpad.net/glance/+bug/1253963
 - https://bugs.launchpad.net/glance/+bug/1346648
 Initial work at an implementation:
 - https://review.openstack.org/#/c/146651/
 Glance meeting discussion on 2015 January 15:
 - http://eavesdrop.openstack.org/meetings/glance/2015/glance.2015-01-15-14.02.log.html