ironic-inspector/releasenotes/notes/policy-engine-c44828e3131e6c62.yaml
Pavlo Shchelokovskyy 198ef70c2b Add request context and policy enforcement
This patch introduces an oslo.policy-based API access policy
enforcement engine to ironic-inspector.
As part of the implementation, a proper oslo.context-based request
context is also generated and assigned to each request.

Short overview of changes:

- added custom RequestContext class

  - extends oslo.context to handle the "is_public_api" flag
    (False by default)

- added context to request in each API route

  - '/continue' api sets the "is_public_api" flag to True

- added documented definitions for API access policies and their
  defaults
- added enforcement of these policies on API requests
- added oslo.policy-specific entry points to setup.cfg
- added autogenerated policy sample file with defaults
- added documentation with autogenerated policies

Change-Id: Iff6f98fa9950d78608f0a7c325d132c11a1383b3
Closes-Bug: #1719812
2017-10-13 11:55:52 +00:00

36 lines
1.5 KiB
YAML

---
features:
  - |
    Added API access policy enforcement (based on oslo.policy rules).
    Similar to other OpenStack services, operators can now configure
    fine-grained access policies using a ``policy.yaml`` file.
    See the example ``policy.yaml.sample`` file included in the code tree
    for the list of available policies and their default rules.
    This file can also be generated from the code tree
    with the ``tox -egenpolicy`` command.
    See the ``oslo.policy`` package documentation for more information
    on using and configuring API access policies.
upgrade:
  - |
    Due to the choice of default values for API access policy rules,
    some parts of the ironic-inspector API will become available
    to a wider range of users after upgrade:

    - general access to the whole API is by default granted to a user
      with either the ``admin``, ``administrator`` or ``baremetal_admin``
      role (previously it allowed access only to a user with the ``admin``
      role)
    - listing of current introspections and showing a given
      introspection is by default also allowed to a user with the
      ``baremetal_observer`` role

    If these access policies do not suit a given deployment before
    upgrade, the operator will have to create a ``policy.json`` file
    in the inspector configuration folder (usually ``/etc/inspector``)
    that redefines the API rules as required.
    See the ``oslo.policy`` package documentation for more information
    on using and configuring API access policies.
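
The following is an added example, not part of the release note or of ironic-inspector's code: a pre-upgrade audit that lists which users gain access under the new defaults described in the upgrade note. The evaluator is a simplified stand-in for oslo.policy that handles only `role:<name>` terms joined by `or`; the operation labels and the sample role assignments are assumptions made up for this example.

```python
# Added illustration: a simplified stand-in for oslo.policy role checks,
# handling only "role:<name>" terms joined by "or".
def allowed(rule, roles):
    """Return True if any 'role:<name>' term in the rule matches a held role."""
    terms = [t.strip() for t in rule.split(" or ")]
    return any(t.startswith("role:") and t[len("role:"):] in roles for t in terms)

# Defaults as described in the release note. The operation labels are
# hypothetical names for this example, not ironic-inspector policy names.
BEFORE = {
    "general_api": "role:admin",
    "list_or_show_introspection": "role:admin",
}
AFTER = {
    "general_api": "role:admin or role:administrator or role:baremetal_admin",
    "list_or_show_introspection": (
        "role:admin or role:administrator or role:baremetal_admin"
        " or role:baremetal_observer"
    ),
}

def newly_granted(assignments):
    """Map each user to the operations they gain after the upgrade."""
    gained = {}
    for user, roles in assignments.items():
        ops = sorted(
            op for op in AFTER
            if allowed(AFTER[op], roles) and not allowed(BEFORE[op], roles)
        )
        if ops:
            gained[user] = ops
    return gained

# Constructed sample role assignments (not real data).
SAMPLE = {
    "alice": {"admin"},
    "bob": {"baremetal_admin"},
    "carol": {"baremetal_observer"},
    "dave": {"member"},
    "erin": {"administrator", "member"},
}

if __name__ == "__main__":
    for user, ops in sorted(newly_granted(SAMPLE).items()):
        print(f"{user}: gains {', '.join(ops)}")
```

Any user reported here should be reviewed before upgrading; if the wider access is not wanted, the rules need to be redefined in the policy file as the upgrade note describes.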