Merge "Enhancement of Tacker API Resource Access Control"
This commit is contained in:
commit
e2bd3d2c0a
|
@ -0,0 +1,967 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
|
||||
=================================================
|
||||
Enhancement of Tacker API Resource Access Control
|
||||
=================================================
|
||||
|
||||
https://blueprints.launchpad.net/tacker/+spec/enhance-api-policy
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
In the current implementation, the Tacker API policy only supports whether the
|
||||
user can access the API, but does not determine whether the user can access the
|
||||
object on which the API call operates. However, in commercial networks, telecom
|
||||
operators need finer-grained access control for API resources. For example, only
|
||||
engineers of Company A are allowed to operate VNF/CNF of Company A, but
|
||||
engineers of other companies cannot.
|
||||
|
||||
The oslo.policy [#oslo.policy]_ supports the function to compare API attributes
|
||||
to object attributes. For example:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
"os_nfv_orchestration_api:vnf_instances:show" : "project_id:%(project_id)s"
|
||||
|
||||
The project_id string before the colon is an API attribute, namely the project
|
||||
ID of the API user. It is compared with the project ID of the object (in this
|
||||
case, a VNF instance). More precisely, it is compared with the project_id
|
||||
field of that object in the database. If the two values are equal, permission is
|
||||
granted.
|
||||
|
||||
Based on this function, this specification describes implements of fine-grained
|
||||
access control based on user and VNF information for API resources.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
The following changes are needed:
|
||||
|
||||
#. Add additional attributes to resources when be created.
|
||||
#. Change the API process to support Tacker policy checker.
|
||||
#. Add the Tacker policy filter to the list API processes.
|
||||
#. Convert special roles to API attributes in context.
|
||||
#. Add a configuration option.
|
||||
#. Policy and roles samples.
|
||||
|
||||
Add Additional Attributes to Resources When Be Created
|
||||
------------------------------------------------------
|
||||
|
||||
#. Register Vim API
|
||||
|
||||
+ Put an area attribute into request parameter 'extra'. It will be stored
|
||||
into DB by later API process.
|
||||
|
||||
#. Create VNF instance API v1/v2
|
||||
|
||||
+ Get area attribute from default Vim, then put it in the 'extra' field of
|
||||
VimConnectionInfo object in VnfInstance object, and then store it into DB.
|
||||
|
||||
#. Instantiate VNF instance v1/v2
|
||||
|
||||
+ Get Vim info by vim_id in VimConnectionInfo from request body.
|
||||
+ Get area attribute from Vim info, then put it in the 'extra' field of
|
||||
VimConnectionInfo object in InstantiateVnfRequest object, and then store it
|
||||
into DB.
|
||||
|
||||
.. note::
|
||||
Area attribute is a area-region pair. The value of this attribute is a string
|
||||
in the format of "area@region".
|
||||
|
||||
Change the API Process to Support Tacker Policy Checker
|
||||
-------------------------------------------------------
|
||||
|
||||
In the current implementation, the Tacker API process did not pass in the
|
||||
attributes of the accessed resource when calling the policy function. However,
|
||||
those attributes are needed by enhanced Tacker API policy function to determine
|
||||
if a user can access the resource or not. Therefore, we should modify the API
|
||||
process. Get the attributes required by policy checker from the database and
|
||||
pass them to policy checker when calling.
|
||||
|
||||
The flow of a policy check in API process to support enhanced Tacker policy.
|
||||
|
||||
.. seqdiag::
|
||||
|
||||
seqdiag {
|
||||
Client -> Keystonemiddleware [label = "request"];
|
||||
Keystonemiddleware -> "API Process" [label = "1. Request with user info"];
|
||||
"API Process" -> TackerDB [label = "2. Get the accessed \nresources from the TackerDB"]
|
||||
"API Process" <-- TackerDB [label = "return the accessed\n resources"];
|
||||
"API Process" -> "API Process" [label = "3. Get required \nresource \nattributes \nfrom accessed \nresources"];
|
||||
"API Process" -> Context [label = "4. Invoke policy check function with accessed resource\n attributes"];
|
||||
Context -> Context [label = "5. Convert special \nroles to user\n attributes"];
|
||||
Context -> oslo.policy [label = "6. Invoke policy enforcer\n with resource attributes\n and user attributes"];
|
||||
Context <-- oslo.policy;
|
||||
"API Process" <-- Context;
|
||||
=== 7. Operate the accessed resource. ===
|
||||
Keystonemiddleware <-- "API Process" [label = "response"];
|
||||
Client <-- Keystonemiddleware [label = "response"];
|
||||
}
|
||||
|
||||
Step 3 is specialized and needs to be implemented by each API process by itself.
|
||||
The other steps are common or already exist for all API processes to be changed:
|
||||
|
||||
1. Keystonemiddleware will send request to API process with user info which
|
||||
includes user roles. Special user roles will be converted to user attributes
|
||||
in later step. This step is an existing step and does not need to be
|
||||
modified.
|
||||
2. API Process gets the accessed resources from the TackerDB. This step is
|
||||
existing and does not need to be modified.
|
||||
3. API Process gets required resource attributes from accessed resources. This
|
||||
step is newly added.
|
||||
4. API Process invokes policy check function with accessed resource attributes.
|
||||
This step is existing, but what needs to be modified is to add resource
|
||||
attributes as call parameters when calling the policy check
|
||||
function.
|
||||
5. Context converts special roles to user attributes. This step is newly added
|
||||
and whether it is executed or not will be determined by the configuration
|
||||
option described in the following section
|
||||
`Add a Configuration Option`_. For the conversion rules, please refer to the
|
||||
later section `Convert Special Roles to API Attributes in Context`_ for
|
||||
details.
|
||||
6. Context invokes policy enforcer with resource attributes and user
|
||||
attributes. This step is existing and does not need to be modified.
|
||||
7. API Process operates the accessed resource. This step is existing and does
|
||||
not need to be modified.
|
||||
|
||||
Vim API processes to be changed
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
* Vim delete
|
||||
* Vim update
|
||||
* Vim show
|
||||
|
||||
The following table shows that the attribute required by a policy checker could
|
||||
be queried by which API request parameter from which table and stored in which
|
||||
field.
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 28 16 12 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Attribute
|
||||
- Request Parameter
|
||||
- Table
|
||||
- Field
|
||||
- Sample
|
||||
* - area
|
||||
- vim_id
|
||||
- vims
|
||||
- extra
|
||||
- {"area": "tokyo@japan"}
|
||||
|
||||
|
||||
VNF Package API processes to be changed
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
* VNF package show
|
||||
* VNF package delete
|
||||
* VNF package update
|
||||
* VNF package read
|
||||
* VNF package fetch
|
||||
|
||||
The following table shows that the attribute required by policy check could be
|
||||
queried by which API request parameter from which table and stored in which
|
||||
field.
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 28 14 12 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Attribute
|
||||
- Request Parameter
|
||||
- Table
|
||||
- Field
|
||||
- Sample
|
||||
* - vendor
|
||||
- vnf_package_id
|
||||
- vnf_package_vnfd
|
||||
- vnf_provider
|
||||
- "Company"
|
||||
|
||||
VNF Instance API processes to be changed
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
The change of VNF instance API processes include v1 and v2 versions.
|
||||
|
||||
#. VNF instance create API process needs to be changed:
|
||||
The following table shows that the attribute required by policy check could
|
||||
be queried by which API request parameter from which table and stored in
|
||||
which field.
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 28 14 12 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Attribute
|
||||
- Request Parameter
|
||||
- Table
|
||||
- Field
|
||||
- Sample
|
||||
* - vendor
|
||||
- vnfdId
|
||||
- vnf_package_vnfd
|
||||
- vnf_provider
|
||||
- "Company"
|
||||
|
||||
#. VNF instance instantiate API process needs to be changed:
|
||||
The following table shows that the attribute required by policy check could
|
||||
be queried by which API request parameter from which table and stored in
|
||||
which field.
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 28 14 12 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Attribute
|
||||
- Request Parameter
|
||||
- Table
|
||||
- Field
|
||||
- Sample
|
||||
* - vendor
|
||||
- vnfdId
|
||||
- vnf_instances,VnfInstanceV2
|
||||
- vnf_provider,vnfProvider
|
||||
- "Company"
|
||||
|
||||
#. The following API processes need to be changed:
|
||||
|
||||
* VNF instance terminate
|
||||
* VNF instance heal
|
||||
* VNF instance delete
|
||||
* VNF instance show
|
||||
* VNF instance scale
|
||||
* VNF instance modify
|
||||
* VNF instance change_ext_conn
|
||||
* VNF instance change_vnfpkg (v2)
|
||||
|
||||
The following table shows that the attribute required by policy check could
|
||||
be queried by which API request parameter from which table and stored in
|
||||
which field.
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 28 14 12 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Attribute
|
||||
- Request Parameter
|
||||
- Table
|
||||
- Field
|
||||
- Sample
|
||||
* - vendor
|
||||
- vnfdId
|
||||
- vnf_instances,VnfInstanceV2
|
||||
- vnf_provider,vnfProvider
|
||||
- "Company"
|
||||
* - area
|
||||
- vnfInstanceId
|
||||
- vnf_instances,VnfInstanceV2
|
||||
- vim_connection_info/extra,vimConnectionInfo/extra
|
||||
- {"area": "tokyo@japan"}
|
||||
* - namespace(CNF)
|
||||
- vnfInstanceId
|
||||
- vnf_instances,VnfInstanceV2
|
||||
- vnf_metadata,metadata
|
||||
- {"namespace": "default"}
|
||||
|
||||
Add the Tacker Policy Filter to the List API Processes
|
||||
------------------------------------------------------
|
||||
In the current implementation, Tacker policy does not support filter for list
|
||||
API. We will add a filter based on policy rule to filter the results of the
|
||||
list operation.
|
||||
|
||||
The flow of a policy filter in API process to support enhanced Tacker policy.
|
||||
|
||||
.. seqdiag::
|
||||
|
||||
seqdiag {
|
||||
Client -> Keystonemiddleware [label = "request"];
|
||||
Keystonemiddleware -> "API Process" [label = "1. Request with user info"];
|
||||
"API Process" -> Context [label = "2. Invoke policy check\n function without resource \nattributes"];
|
||||
"API Process" <-- Context;
|
||||
"API Process" -> TackerDB [label = "3. Get the accessed resources from the database"];
|
||||
"API Process" <-- TackerDB [label = "return accessed resources"];
|
||||
"API Process" -> Context [label = "4. Get user attributes"];
|
||||
Context -> Context [label = "5. Convert special \nroles to user\n attributes"];
|
||||
"API Process" <-- Context [label = "return user attributes"];
|
||||
"API Process" -> "API Process" [label = "6. Filter the list\n operation results \nbased on policy\n rules"];
|
||||
Keystonemiddleware <-- "API Process" [label = "7. Return the filtered\n result to user"];
|
||||
Client <-- Keystonemiddleware [label = "response"];
|
||||
}
|
||||
|
||||
Step 6 is specialized and needs to be implemented by each API process by itself.
|
||||
The other steps are common or already exist steps for all API processes to be
|
||||
changed:
|
||||
|
||||
1. Keystonemiddleware will send request to API process with user info which
|
||||
includes user roles. Special user roles will be converted to user attributes
|
||||
in later step. This step is an existing step and does not need to be
|
||||
modified.
|
||||
2. API Process invokes policy check function without resource attributes. This
|
||||
step is an existing step and does not need to be modified.
|
||||
3. API Process gets the accessed resources from the database. This step is an
|
||||
existing step and does not need to be modified.
|
||||
4. API Process gets user attributes from context. This step is newly added and
|
||||
common.
|
||||
5. Context converts special roles to user attributes, this step is newly added
|
||||
and depends on the configuration option described in the following section
|
||||
`Add a Configuration Option`_. For the conversion rules, please refer to the
|
||||
later section `Convert Special Roles to API Attributes in Context`_ for
|
||||
details.
|
||||
6. API Process filters the list operation results based on policy rules. This
|
||||
step is newly added.
|
||||
7. API Process returns the filtered result to user. This step is existing and
|
||||
does not need to be modified.
|
||||
|
||||
The List API Processes to be changed
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#. For Vim list API, the following attributes are supported by Tacker policy
|
||||
filter.
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 14 12 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Attribute
|
||||
- Table
|
||||
- Field
|
||||
- Sample
|
||||
* - area
|
||||
- vims
|
||||
- extra
|
||||
- {"area": "tokyo@japan"}
|
||||
|
||||
#. For VNF package list API, the following attributes are supported by Tacker
|
||||
policy filter.
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 14 12 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Attribute
|
||||
- Table
|
||||
- Field
|
||||
- Sample
|
||||
* - vendor
|
||||
- vnf_package_vnfd
|
||||
- vnf_provider
|
||||
- "Company"
|
||||
|
||||
#. For VNF instance list API, the following attributes are supported by Tacker
|
||||
policy filter.
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 14 12 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Attribute
|
||||
- Table
|
||||
- Field
|
||||
- Sample
|
||||
* - vendor
|
||||
- vnf_instances,VnfInstanceV2
|
||||
- vnf_provider,vnfProvider
|
||||
- "Company"
|
||||
* - area
|
||||
- vnf_instances,VnfInstanceV2
|
||||
- vim_connection_info/extra,vimConnectionInfo/extra
|
||||
- {"area": "tokyo@japan"}
|
||||
* - namespace(CNF)
|
||||
- vnf_instances,VnfInstanceV2
|
||||
- vnf_metadata,metadata
|
||||
- {"namespace": "default"}
|
||||
|
||||
|
||||
Convert Special Roles to API Attributes in Context
|
||||
--------------------------------------------------
|
||||
Special Roles' Naming Rules
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
We will define some special roles, and the naming of these roles follows the
|
||||
following rules.
|
||||
|
||||
#. The role name consists of three parts: prefix + "_" + [attribute
|
||||
value/special value]
|
||||
#. Supported prefixes, attribute values and special values are shown in the
|
||||
following table:
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 14 12 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Prefix
|
||||
- Attribute value
|
||||
- Special value
|
||||
- Sample
|
||||
* - AREA
|
||||
- area value
|
||||
- all@all, all@{region_value}
|
||||
- AREA_tokyo@japan, AREA_all@all, AREA_all@japan
|
||||
* - VENDOR
|
||||
- vendor value
|
||||
- all
|
||||
- VENDOR_vendor_A, VENDOR_all
|
||||
* - NAMESPACE
|
||||
- namespace value
|
||||
- all
|
||||
- NAMESPACE_default, NAMESPACE_all
|
||||
|
||||
.. note::
|
||||
|
||||
As "all" is treated as a special value, the above attribute of resource
|
||||
cannot use "all" as the attribute value.
|
||||
|
||||
Conversion rules
|
||||
~~~~~~~~~~~~~~~~
|
||||
In Tacker context, we convert these special roles into API attributes and
|
||||
provide them to Tacker policy. Please refer to the
|
||||
`Change the API Process to Support Tacker Policy Checker`_ and
|
||||
`Add the Tacker Policy Filter to the List API Processes`_ sections of this
|
||||
specification for the flow chart of this change. The conversion follows the
|
||||
following rules:
|
||||
|
||||
#. For ordinary attribute values, they will be directly converted to user
|
||||
attribute values.
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 14 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Prefix
|
||||
- Attribute Name
|
||||
- Sample (special role -> user attribute value)
|
||||
* - AREA
|
||||
- area
|
||||
- AREA_tokyo@japan -> {"area": ["tokyo@japan"]}
|
||||
* - VENDOR
|
||||
- vendor
|
||||
- VENDOR_vendor_A -> {"vendor": ["vendor_A"]}
|
||||
* - NAMESPACE
|
||||
- namespace value
|
||||
- NAMESPACE_default -> {"namespace": ["default"]}
|
||||
|
||||
#. For special value in policy checker, the corresponding attribute value of
|
||||
resource will be assigned to user.
|
||||
|
||||
.. list-table::
|
||||
:widths: 10 14 14 50
|
||||
:header-rows: 1
|
||||
|
||||
* - Prefix
|
||||
- Attribute Name
|
||||
- Special Value
|
||||
- Sample (resource attribute -> user attribute)
|
||||
* - AREA
|
||||
- area
|
||||
- all@all
|
||||
- {"area": "tokyo@japan"} -> {"area": ["tokyo@japan"]}
|
||||
* - AREA
|
||||
- area
|
||||
- all@{region_value}
|
||||
- same region value:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
{"area": "tokyo@japan"} -> {"area": ["tokyo@japan"]}
|
||||
|
||||
different region value:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
any -> {"area": []}
|
||||
|
||||
* - VENDOR
|
||||
- vendor
|
||||
- all
|
||||
- {"vendor": "vendor_A"} -> {"vendor": ["vendor_A"]}
|
||||
* - NAMESPACE
|
||||
- namespace value
|
||||
- all
|
||||
- {"namespace": "default"} -> {"namespace": ["default"]}
|
||||
|
||||
#. For special value "all" in policy filter, the attribute will not be used as
|
||||
a filtering attribute. Note that the "area" attribute needs to be divided
|
||||
into two parts with "@" when it is used as a filter attribute. Therefore,
|
||||
the special value "all@{region_value}" of "area" needs to be divided into
|
||||
"all" and "{region_value}". The part of "area" is not used as a filter
|
||||
attribute, but "{region_value}" should be used as a filter attribute because
|
||||
it is the special value "all".
|
||||
|
||||
Add a Configuration Option
|
||||
--------------------------
|
||||
As the function defined in this specification changes the default behavior of
|
||||
the Tacker API policy, it is suggested to add a configuration option to the
|
||||
``tacker.conf`` file. Therefore, a user can choose whether to enable this
|
||||
function or not.
|
||||
|
||||
.. code-block::
|
||||
|
||||
[oslo_policy]
|
||||
enhanced_tacker_policy = False
|
||||
|
||||
As a suggested implementation, when the enhanced_tacker_policy is True, the
|
||||
function of converting special roles to user attributes in context described in
|
||||
the previous chapter `Convert special roles to API attributes in context`_
|
||||
takes effect; When enhanced_tacker_policy is False, this function will not take
|
||||
effect.
|
||||
|
||||
.. note::
|
||||
|
||||
When enhanced_tacker_policy is False, special roles will not be converted to
|
||||
user attributes, then users will not have the enhanced policy attributes such
|
||||
as area, vendor and namespace(CNF). At this time, if the enhanced policy
|
||||
attributes are used as comparison attributes in the policy rule, this rule
|
||||
will prevent users from accessing any resource as the comparison result is
|
||||
always false.
|
||||
|
||||
Policy and Roles Samples
|
||||
------------------------
|
||||
|
||||
Policy Examples
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
.. note::
|
||||
|
||||
For details on Tacker policy configuration, please refer to Tacker
|
||||
Configuration Guide [#tacker_policy]_.
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
# Decides what is required for the 'is_admin:True' check to succeed.
|
||||
"context_is_admin": "role:admin"
|
||||
|
||||
# Default rule for most non-Admin APIs.
|
||||
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
|
||||
|
||||
# Default rule for most Admin APIs.
|
||||
"admin_only": "is_admin:True"
|
||||
|
||||
# Default rule for sharing vims.
|
||||
"shared": "field:vims:shared=True"
|
||||
|
||||
# Default rule for most non-Admin APIs.
|
||||
"default": "rule:admin_or_owner"
|
||||
|
||||
# For manager
|
||||
"manager_and_owner": "rule:manager and project_id:%(project_id)s"
|
||||
|
||||
# For user
|
||||
"owner": "project_id:%(project_id)s"
|
||||
|
||||
# VIM resource attributes compare rule.
|
||||
"vim_attrs_cmp": "area:%(area)s"
|
||||
|
||||
# Register a VIM.
|
||||
# Post /v1.0/vims
|
||||
"create_vim": "@"
|
||||
|
||||
# List VIMs or show a VIM.
|
||||
# GET /v1.0/vims
|
||||
# GET /v1.0/vims/{vim_id}
|
||||
"get_vim": "rule:vim_attrs_cmp and rule:owner"
|
||||
|
||||
# Update a VIM.
|
||||
# PUT /v1.0/vims/{vim_id}
|
||||
"update_vim": "rule:vim_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Delete a VIM.
|
||||
# DELETE /v1.0/vims/{vim_id}
|
||||
"delete_vim": "rule:vim_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# vnf_packages resource attributes compare rule.
|
||||
"vnf_pkg_attrs_cmp": "vendor:%(vendor)s"
|
||||
|
||||
# Create a VNF package.
|
||||
# POST /vnf_packages
|
||||
"os_nfv_orchestration_api:vnf_packages:create": "rule:admin_or_owner"
|
||||
|
||||
# Show a VNF package.
|
||||
# GET /vnf_packages/{vnf_package_id}
|
||||
"os_nfv_orchestration_api:vnf_packages:show": "rule:vnf_pkg_attrs_cmp and rule:owner"
|
||||
|
||||
# List all VNF packages.
|
||||
# GET /vnf_packages/
|
||||
"os_nfv_orchestration_api:vnf_packages:index": "rule:vnf_pkg_attrs_cmp and rule:owner"
|
||||
|
||||
# Delete a VNF package.
|
||||
# DELETE /vnf_packages/{vnf_package_id}
|
||||
"os_nfv_orchestration_api:vnf_packages:delete": "rule:vnf_pkg_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Fetch the contents of an on-boarded VNF Package.
|
||||
# GET /vnf_packages/{vnf_package_id}/package_content
|
||||
"os_nfv_orchestration_api:vnf_packages:fetch_package_content": "rule:vnf_pkg_attrs_cmp and rule:owner"
|
||||
|
||||
# Upload a VNF package content.
|
||||
# PUT /vnf_packages/{vnf_package_id}/package_content
|
||||
"os_nfv_orchestration_api:vnf_packages:upload_package_content": "rule:admin_or_owner"
|
||||
|
||||
# Upload a VNF package content from URI.
|
||||
# POST /vnf_packages/{vnf_package_id}/package_content/upload_from_uri
|
||||
"os_nfv_orchestration_api:vnf_packages:upload_from_uri": "rule:admin_or_owner"
|
||||
|
||||
# Update information of VNF package.
|
||||
# PATCH /vnf_packages/{vnf_package_id}
|
||||
"os_nfv_orchestration_api:vnf_packages:patch": "rule:vnf_pkg_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Read the content of the VNFD within a VNF package.
|
||||
# GET /vnf_packages/{vnf_package_id}/vnfd
|
||||
"os_nfv_orchestration_api:vnf_packages:get_vnf_package_vnfd": "rule:vnf_pkg_attrs_cmp and rule:owner"
|
||||
|
||||
# Read the content of the artifact within a VNF package.
|
||||
# GET /vnf_packages/{vnfPkgId}/artifacts/{artifactPath}
|
||||
"os_nfv_orchestration_api:vnf_packages:fetch_artifact": "rule:vnf_pkg_attrs_cmp and rule:owner"
|
||||
|
||||
# vnflcm create attributes compare rule.
|
||||
"vnflcm_create_attrs_cmp": "vendor:%(vendor)s and rule:manager_and_owner"
|
||||
|
||||
# vnflcm instantiate attributes compare rule.
|
||||
"vnflcm_inst_attrs_cmp": "vendor:%(vendor)s and rule:manager_and_owner"
|
||||
|
||||
# vnflcm resource attributes compare rule.
|
||||
"vnflcm_attrs_cmp": "area:%(area)s and vendor:%(vendor)s and namespace:%(namespace)s"
|
||||
|
||||
# Get API Versions.
|
||||
# GET /vnflcm/v1/api_versions
|
||||
"os_nfv_orchestration_api:vnf_instances:api_versions": "@"
|
||||
|
||||
# Create VNF instance.
|
||||
# POST /vnflcm/v1/vnf_instances
|
||||
"os_nfv_orchestration_api:vnf_instances:create": "rule:vnflcm_create_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Instantiate VNF instance.
|
||||
# POST /vnflcm/v1/vnf_instances/{vnfInstanceId}/instantiate
|
||||
"os_nfv_orchestration_api:vnf_instances:instantiate": "rule:vnflcm_inst_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Query an Individual VNF instance.
|
||||
# GET /vnflcm/v1/vnf_instances/{vnfInstanceId}
|
||||
"os_nfv_orchestration_api:vnf_instances:show": "rule:vnflcm_attrs_cmp and rule:owner"
|
||||
|
||||
# Terminate a VNF instance.
|
||||
# POST /vnflcm/v1/vnf_instances/{vnfInstanceId}/terminate
|
||||
"os_nfv_orchestration_api:vnf_instances:terminate": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Heal a VNF instance.
|
||||
# POST /vnflcm/v1/vnf_instances/{vnfInstanceId}/heal
|
||||
"os_nfv_orchestration_api:vnf_instances:heal": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Scale a VNF instance.
|
||||
# POST /vnflcm/v1/vnf_instances/{vnfInstanceId}/scale
|
||||
"os_nfv_orchestration_api:vnf_instances:scale": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Query an Individual VNF LCM operation occurrence.
|
||||
# GET /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}
|
||||
"os_nfv_orchestration_api:vnf_instances:show_lcm_op_occs": "rule:admin_or_owner"
|
||||
|
||||
# Query VNF LCM operation occurrence.
|
||||
# GET /vnflcm/v1/vnf_lcm_op_occs
|
||||
"os_nfv_orchestration_api:vnf_instances:list_lcm_op_occs": "rule:admin_or_owner"
|
||||
|
||||
# Query VNF instances.
|
||||
# GET /vnflcm/v1/vnf_instances
|
||||
"os_nfv_orchestration_api:vnf_instances:index": "rule:vnflcm_attrs_cmp and rule:owner"
|
||||
|
||||
# Delete an Individual VNF instance.
|
||||
# DELETE /vnflcm/v1/vnf_instances/{vnfInstanceId}
|
||||
"os_nfv_orchestration_api:vnf_instances:delete": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Update an Individual VNF instance.
|
||||
# PATCH /vnflcm/v1/vnf_instances/{vnfInstanceId}
|
||||
"os_nfv_orchestration_api:vnf_instances:update_vnf": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Rollback a VNF instance.
|
||||
# POST /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/rollback
|
||||
"os_nfv_orchestration_api:vnf_instances:rollback": "rule:admin_or_owner"
|
||||
|
||||
# Cancel a VNF instance.
|
||||
# POST /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/cancel
|
||||
"os_nfv_orchestration_api:vnf_instances:cancel": "rule:admin_or_owner"
|
||||
|
||||
# Fail a VNF instance.
|
||||
# POST /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/fail
|
||||
"os_nfv_orchestration_api:vnf_instances:fail": "rule:admin_or_owner"
|
||||
|
||||
# Retry a VNF instance.
|
||||
# POST /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/retry
|
||||
"os_nfv_orchestration_api:vnf_instances:retry": "rule:admin_or_owner"
|
||||
|
||||
# Change external VNF connectivity.
|
||||
# POST /vnflcm/v1/vnf_instances/{vnfInstanceId}/change_ext_conn
|
||||
"os_nfv_orchestration_api:vnf_instances:change_ext_conn": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Get API Versions.
|
||||
# GET /vnflcm/v2/api_versions
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:api_versions": "@"
|
||||
|
||||
# Create VNF instance.
|
||||
# POST /vnflcm/v2/vnf_instances
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:create": "rule:vnflcm_create_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Query VNF instances.
|
||||
# GET /vnflcm/v2/vnf_instances
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:index": "rule:vnflcm_attrs_cmp and rule:owner"
|
||||
|
||||
# Query an Individual VNF instance.
|
||||
# GET /vnflcm/v2/vnf_instances/{vnfInstanceId}
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:show": "rule:vnflcm_attrs_cmp and rule:owner"
|
||||
|
||||
# Delete an Individual VNF instance.
|
||||
# DELETE /vnflcm/v2/vnf_instances/{vnfInstanceId}
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:delete": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Modify VNF instance information.
|
||||
# PATCH /vnflcm/v2/vnf_instances/{vnfInstanceId}
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:update": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Instantiate VNF instance.
|
||||
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/instantiate
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:instantiate": "rule:vnflcm_inst_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Terminate VNF instance.
|
||||
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/terminate
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:terminate": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Scale VNF instance.
|
||||
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/scale
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:scale": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Heal VNF instance.
|
||||
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/heal
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:heal": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Change external VNF connectivity.
|
||||
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/change_ext_conn
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:change_ext_conn": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Change VNF package.
|
||||
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/change_vnfpkg
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:change_vnfpkg": "rule:vnflcm_attrs_cmp and rule:manager_and_owner"
|
||||
|
||||
# Create subscription.
|
||||
# POST /vnflcm/v2/subscriptions
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:subscription_create": "@"
|
||||
|
||||
# List subscription.
|
||||
# GET /vnflcm/v2/subscriptions
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:subscription_list": "@"
|
||||
|
||||
# Show subscription.
|
||||
# GET /vnflcm/v2/vnf_instances/{subscriptionId}
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:subscription_show": "@"
|
||||
|
||||
# Delete subscription.
|
||||
# DELETE /vnflcm/v2/vnf_instances/{subscriptionId}
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:subscription_delete": "@"
|
||||
|
||||
# List VnfLcmOpOcc.
|
||||
# GET /vnflcm/v2/vnf_lcm_op_occs
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_list": "@"
|
||||
|
||||
# Show VnfLcmOpOcc.
|
||||
# GET /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_show": "@"
|
||||
|
||||
# Retry VnfLcmOpOcc.
|
||||
# POST /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}/retry
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_retry": "@"
|
||||
|
||||
# Rollback VnfLcmOpOcc.
|
||||
# POST /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}/rollback
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_rollback": "@"
|
||||
|
||||
# Fail VnfLcmOpOcc.
|
||||
# POST /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}/fail
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_fail": "@"
|
||||
|
||||
# Delete VnfLcmOpOcc.
|
||||
# DELETE /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}
|
||||
"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_delete": "@"
|
||||
|
||||
Roles Examples
|
||||
~~~~~~~~~~~~~~
|
||||
Create the following roles:
|
||||
|
||||
* admin
|
||||
* member
|
||||
* reader
|
||||
* manager
|
||||
* AREA_area_A@region_A
|
||||
* AREA_area_B@region_A
|
||||
* AREA_area_A@region_B
|
||||
* AREA_area_B@region_B
|
||||
* AREA_all@region_A
|
||||
* AREA_all@region_B
|
||||
* AREA_all@all
|
||||
* VENDOR_vendor_A
|
||||
* VENDOR_vendor_B
|
||||
* VENDOR_all
|
||||
* NAMESPACE_default
|
||||
* NAMESPACE_namespace_A
|
||||
* NAMESPACE_all
|
||||
|
||||
The root user needs to be assigned the following roles:
|
||||
|
||||
* admin
|
||||
* manager
|
||||
* AREA_all@all
|
||||
* VENDOR_all
|
||||
* NAMESPACE_all
|
||||
|
||||
The region manager needs to be assigned the following roles:
|
||||
|
||||
* manager
|
||||
* AREA_all@region_A (or AREA_all@region_B)
|
||||
* VENDOR_all
|
||||
* NAMESPACE_all
|
||||
|
||||
The area manager and the tenant (area) manager
|
||||
need to be assigned the following roles:
|
||||
|
||||
* manager
|
||||
* AREA_area_A@region_A (or AREA_area_B@region_A or
|
||||
AREA_area_A@region_B or AREA_area_B@region_B)
|
||||
* VENDOR_all
|
||||
* NAMESPACE_all
|
||||
|
||||
.. note::
|
||||
The difference between "area manager" and
|
||||
"tenant (area) manager" is the owned project.
|
||||
"tenant (area) manager" generally has one project;
|
||||
while "area manager" can have multiple projects.
|
||||
|
||||
The tenant manager needs to be assigned the following roles:
|
||||
|
||||
* manager
|
||||
* AREA_all@all
|
||||
* VENDOR_all
|
||||
* NAMESPACE_all
|
||||
|
||||
The tenant user needs to be assigned the following roles:
|
||||
|
||||
* member or reader
|
||||
* AREA_all@all
|
||||
* VENDOR_all
|
||||
* NAMESPACE_all
|
||||
|
||||
The tenant (area) user needs to be assigned the following roles:
|
||||
|
||||
* member or reader
|
||||
* AREA_area_A@region_A (or AREA_area_B@region_A or
|
||||
AREA_area_A@region_B or AREA_area_B@region_B)
|
||||
* VENDOR_all
|
||||
* NAMESPACE_all
|
||||
|
||||
The vendor manager needs to be assigned the following roles:
|
||||
* manager
|
||||
* AREA_all@all
|
||||
* VENDOR_vendor_A (or VENDOR_vendor_B)
|
||||
* NAMESPACE_all
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
As the resources created in the previous version of Tacker may not have enhanced
|
||||
policy attributes, if the enhanced policy attributes are used as comparison
|
||||
attributes in the policy rule, this rule will prevent users from accessing those
|
||||
resources without these attributes as the comparison result is always false.
|
||||
|
||||
Performance Impact
|
||||
------------------
|
||||
|
||||
None
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Yuta Kazato <yuta.kazato.nw@hco.ntt.co.jp>
|
||||
|
||||
Hiromu Asahina <hiromu.asahina.az@hco.ntt.co.jp>
|
||||
|
||||
Other contributors:
|
||||
Koji Shimizu <shimizu.koji@fujitsu.com>
|
||||
|
||||
Yoshiyuki Katada <katada.yoshiyuk@fujitsu.com>
|
||||
|
||||
Ayumu Ueha <ueha.ayumu@fujitsu.com>
|
||||
|
||||
Yusuke Niimi <niimi.yusuke@fujitsu.com>
|
||||
|
||||
Work Items
|
||||
----------
|
||||
|
||||
+ Implement Tacker to support:
|
||||
|
||||
+ Add Additional Attributes to Resources When Be Created
|
||||
+ Change the API Process to Support Tacker Policy Checker
|
||||
+ Add the Tacker Policy Filter to the List API Processes
|
||||
+ Convert Special Roles to API Attributes in Context
|
||||
+ Add a Configuration Option
|
||||
+ Policy and Roles Samples
|
||||
|
||||
+ Add new unit and functional tests.
|
||||
+ Write Tacker documentation to explain how to use the function described in
|
||||
this specification.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit and functional tests will be added to cover cases required
|
||||
in this specification.
|
||||
|
||||
Documentation Impact
|
||||
====================
|
||||
|
||||
Description about enhanced Tacker API policy function will be added to the
|
||||
Tacker user guide.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
.. [#oslo.policy] https://docs.openstack.org/oslo.policy/latest/
|
||||
.. [#tacker_policy] https://docs.openstack.org/tacker/latest/configuration/index.html#policy
|
Loading…
Reference in New Issue