)]}'
{"specs/backlog/dynamic-policy.rst":[{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"179c15c6e65a654810d344ac6fca22843ede5425","unresolved":false,"context_lines":[{"line_number":1,"context_line":".."},{"line_number":2,"context_line":" This work is licensed under a Creative Commons Attribution 3.0 Unported"},{"line_number":3,"context_line":" License."},{"line_number":4,"context_line":""},{"line_number":5,"context_line":" http://creativecommons.org/licenses/by/3.0/legalcode"},{"line_number":6,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_dc57f523","line":3,"updated":"2016-06-01 18:29:29.000000000","message":"This should be proposed against the Keystone backlog: \n\nhttps://github.com/openstack/keystone-specs/tree/master/specs/keystone/backlog","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"179c15c6e65a654810d344ac6fca22843ede5425","unresolved":false,"context_lines":[{"line_number":16,"context_line":"roles he has assigned on them."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Resources include VMs, volumes, networks, etc and are organized into projects,"},{"line_number":19,"context_line":"which are owned by domains. 
Users have roles assigned on domains or projects."},{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Users get scoped token on domains or projects, which contains the roles the"},{"line_number":22,"context_line":"user has assigned on them, and pass this token along to services in requests to"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_9c28cd9b","line":19,"updated":"2016-06-01 18:29:29.000000000","message":"nit: Users can have roles assigned on domains or projects.","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"179c15c6e65a654810d344ac6fca22843ede5425","unresolved":false,"context_lines":[{"line_number":20,"context_line":""},{"line_number":21,"context_line":"Users get scoped token on domains or projects, which contains the roles the"},{"line_number":22,"context_line":"user has assigned on them, and pass this token along to services in requests to"},{"line_number":23,"context_line":"perform actions on resources."},{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The service check the roles in the token against the rules defined for the"},{"line_number":26,"context_line":"requested action on the policy.json file to define if the user has enough"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_2750ae0a","line":23,"updated":"2016-06-01 18:29:29.000000000","message":"nit: Users can request tokens scoped to projects or domains they have access to via roles assignments. 
These scoped tokens are used to perform operations on various resources across services.","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"179c15c6e65a654810d344ac6fca22843ede5425","unresolved":false,"context_lines":[{"line_number":24,"context_line":""},{"line_number":25,"context_line":"The service check the roles in the token against the rules defined for the"},{"line_number":26,"context_line":"requested action on the policy.json file to define if the user has enough"},{"line_number":27,"context_line":"privilegies."},{"line_number":28,"context_line":""},{"line_number":29,"context_line":"This specification gives an overview of the new concept being introduced to"},{"line_number":30,"context_line":"solve those known limitations: Dynamic Policy. A set of specs will be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_07a12af8","line":27,"updated":"2016-06-01 18:29:29.000000000","message":"privileges*","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"179c15c6e65a654810d344ac6fca22843ede5425","unresolved":false,"context_lines":[{"line_number":39,"context_line":"and their respective authorization constraints. They are maintained on project"},{"line_number":40,"context_line":"specific source code repositories."},{"line_number":41,"context_line":""},{"line_number":42,"context_line":"This requires the use of an out-of-band mechanism to customize and place the"},{"line_number":43,"context_line":"policy file in the service respective server. 
In addition, this leads to cross-"},{"line_number":44,"context_line":"project inconsistency across global roles like admin and owner."},{"line_number":45,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_e7bd0603","line":42,"updated":"2016-06-01 18:29:29.000000000","message":"nit: out-of-band mechanism, such as configuration management tools,","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"179c15c6e65a654810d344ac6fca22843ede5425","unresolved":false,"context_lines":[{"line_number":50,"context_line":""},{"line_number":51,"context_line":"The policy mechanism as it exists right now performs two functions. The primary"},{"line_number":52,"context_line":"function is the scope check:  does the project id from the token match the"},{"line_number":53,"context_line":"project id for the requested resource.  THe second function is confirming that"},{"line_number":54,"context_line":"the user has the appropriate role for the operation.  However, to date, only"},{"line_number":55,"context_line":"one role is ever checked, and that is the admin role."},{"line_number":56,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_e76b4683","line":53,"updated":"2016-06-01 18:29:29.000000000","message":"The*","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"179c15c6e65a654810d344ac6fca22843ede5425","unresolved":false,"context_lines":[{"line_number":54,"context_line":"the user has the appropriate role for the operation.  
However, to date, only"},{"line_number":55,"context_line":"one role is ever checked, and that is the admin role."},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"The existing policy is based on the nam,e of an api, such as"},{"line_number":58,"context_line":"`identity::create_user` which does not match the URL used to perform the"},{"line_number":59,"context_line":"action. Thus, there is no way for an external tool to match URL to required"},{"line_number":60,"context_line":"role."}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_670e36e6","line":57,"updated":"2016-06-01 18:29:29.000000000","message":"name* API*","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"179c15c6e65a654810d344ac6fca22843ede5425","unresolved":false,"context_lines":[{"line_number":68,"context_line":"rules."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"-  The Endpoint section of the URL is parsed out, and used to fetch a policy"},{"line_number":71,"context_line":"   file from Keystone. THis policy file will be cached."},{"line_number":72,"context_line":"- The Policy file will be Keyed based on the URIs as defined by the"},{"line_number":73,"context_line":"  identity API in the form VERB URI. For example, DELETE"},{"line_number":74,"context_line":"  /users/{user_id}."}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_27d6ee27","line":71,"updated":"2016-06-01 18:29:29.000000000","message":"This*\n\nDo we need to worry about any revocation cases here? 
I understand that policy is static, but is that something we need to address here?","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"bdb82f946b3bcf37ba2e75cf34248aea363679cc","unresolved":false,"context_lines":[{"line_number":69,"context_line":""},{"line_number":70,"context_line":"-  The Endpoint section of the URL is parsed out, and used to fetch a policy"},{"line_number":71,"context_line":"   file from Keystone. THis policy file will be cached."},{"line_number":72,"context_line":"- The Policy file will be Keyed based on the URIs as defined by the"},{"line_number":73,"context_line":"  identity API in the form VERB URI. For example, DELETE"},{"line_number":74,"context_line":"  /users/{user_id}."},{"line_number":75,"context_line":"- The form of the rules will be role:role_name.  The norm will be a"},{"line_number":76,"context_line":"  single role,    but multple can be specified combined by the `or`"},{"line_number":77,"context_line":"  rule."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dae33548_f83d39bc","line":74,"range":{"start_line":72,"start_character":2,"end_line":74,"end_character":19},"updated":"2016-02-16 14:50:57.000000000","message":"so this is a new format for a policy file? is this instead of or in addition to the current policy file? What happens if there is more than one policy endpoints for a given url (e.g. due to ?query params, or some aspect of the target entity, e.g. 
global vs domain roles)?","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"c7bf6547ffcb6b5ede320b38371806694262e0c5","unresolved":false,"context_lines":[{"line_number":69,"context_line":""},{"line_number":70,"context_line":"-  The Endpoint section of the URL is parsed out, and used to fetch a policy"},{"line_number":71,"context_line":"   file from Keystone. THis policy file will be cached."},{"line_number":72,"context_line":"- The Policy file will be Keyed based on the URIs as defined by the"},{"line_number":73,"context_line":"  identity API in the form VERB URI. For example, DELETE"},{"line_number":74,"context_line":"  /users/{user_id}."},{"line_number":75,"context_line":"- The form of the rules will be role:role_name.  The norm will be a"},{"line_number":76,"context_line":"  single role,    but multple can be specified combined by the `or`"},{"line_number":77,"context_line":"  rule."}],"source_content_type":"text/x-rst","patch_set":1,"id":"dae33548_aef12297","line":74,"range":{"start_line":72,"start_character":2,"end_line":74,"end_character":19},"in_reply_to":"dae33548_f83d39bc","updated":"2016-02-18 15:03:39.000000000","message":"I don\u0027t think so.  I think we can use either the JSON or  YAML versions to implement this.  SO long as we have a way to generate the Keys from the request.  We might need to expand the matching rules in oslo-policy to do a best match:  the longest line that actually matches wins.","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"179c15c6e65a654810d344ac6fca22843ede5425","unresolved":false,"context_lines":[{"line_number":73,"context_line":"  identity API in the form VERB URI. 
For example, DELETE"},{"line_number":74,"context_line":"  /users/{user_id}."},{"line_number":75,"context_line":"- The form of the rules will be role:role_name.  The norm will be a"},{"line_number":76,"context_line":"  single role,    but multple can be specified combined by the `or`"},{"line_number":77,"context_line":"  rule."},{"line_number":78,"context_line":"- An explicit override will allow any rule to be executed if the token"},{"line_number":79,"context_line":"  contains  both the role:admin and the indicator is_admin_project."}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_c7eba2da","line":76,"updated":"2016-06-01 18:29:29.000000000","message":"multiple*\n\nnit: multiple roles can be combined using the `or` rule.","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"bdb82f946b3bcf37ba2e75cf34248aea363679cc","unresolved":false,"context_lines":[{"line_number":72,"context_line":"- The Policy file will be Keyed based on the URIs as defined by the"},{"line_number":73,"context_line":"  identity API in the form VERB URI. For example, DELETE"},{"line_number":74,"context_line":"  /users/{user_id}."},{"line_number":75,"context_line":"- The form of the rules will be role:role_name.  
The norm will be a"},{"line_number":76,"context_line":"  single role,    but multple can be specified combined by the `or`"},{"line_number":77,"context_line":"  rule."},{"line_number":78,"context_line":"- An explicit override will allow any rule to be executed if the token"},{"line_number":79,"context_line":"  contains  both the role:admin and the indicator is_admin_project."},{"line_number":80,"context_line":"- If the policy check succeeds, an additional header is added to the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dae33548_78d76923","line":77,"range":{"start_line":75,"start_character":2,"end_line":77,"end_character":7},"updated":"2016-02-16 14:50:57.000000000","message":"so can I do some additional checks here?","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"c7bf6547ffcb6b5ede320b38371806694262e0c5","unresolved":false,"context_lines":[{"line_number":72,"context_line":"- The Policy file will be Keyed based on the URIs as defined by the"},{"line_number":73,"context_line":"  identity API in the form VERB URI. For example, DELETE"},{"line_number":74,"context_line":"  /users/{user_id}."},{"line_number":75,"context_line":"- The form of the rules will be role:role_name.  
The norm will be a"},{"line_number":76,"context_line":"  single role,    but multple can be specified combined by the `or`"},{"line_number":77,"context_line":"  rule."},{"line_number":78,"context_line":"- An explicit override will allow any rule to be executed if the token"},{"line_number":79,"context_line":"  contains  both the role:admin and the indicator is_admin_project."},{"line_number":80,"context_line":"- If the policy check succeeds, an additional header is added to the"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dae33548_eea32ab0","line":77,"range":{"start_line":75,"start_character":2,"end_line":77,"end_character":7},"in_reply_to":"dae33548_78d76923","updated":"2016-02-18 15:03:39.000000000","message":"Absolutely.  The goal is to keep things readable, but all of the tools for policy will still be available. The only thing that will not be available is the resource from the Database, as this will be executed during middleware, prior to the fetch.","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"bdb82f946b3bcf37ba2e75cf34248aea363679cc","unresolved":false,"context_lines":[{"line_number":75,"context_line":"- The form of the rules will be role:role_name.  The norm will be a"},{"line_number":76,"context_line":"  single role,    but multple can be specified combined by the `or`"},{"line_number":77,"context_line":"  rule."},{"line_number":78,"context_line":"- An explicit override will allow any rule to be executed if the token"},{"line_number":79,"context_line":"  contains  both the role:admin and the indicator is_admin_project."},{"line_number":80,"context_line":"- If the policy check succeeds, an additional header is added to the"},{"line_number":81,"context_line":"  request. 
-XRBAC_CHECK_SUCCEEDED"},{"line_number":82,"context_line":"- If No rule matches, and no default rule has been set, the RBAC check"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dae33548_d8279562","line":79,"range":{"start_line":78,"start_character":2,"end_line":79,"end_character":67},"updated":"2016-02-16 14:50:57.000000000","message":"so is this \"hard coded\"? if so, do we really want to hard code \"admin\"?","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"c7bf6547ffcb6b5ede320b38371806694262e0c5","unresolved":false,"context_lines":[{"line_number":75,"context_line":"- The form of the rules will be role:role_name.  The norm will be a"},{"line_number":76,"context_line":"  single role,    but multple can be specified combined by the `or`"},{"line_number":77,"context_line":"  rule."},{"line_number":78,"context_line":"- An explicit override will allow any rule to be executed if the token"},{"line_number":79,"context_line":"  contains  both the role:admin and the indicator is_admin_project."},{"line_number":80,"context_line":"- If the policy check succeeds, an additional header is added to the"},{"line_number":81,"context_line":"  request. -XRBAC_CHECK_SUCCEEDED"},{"line_number":82,"context_line":"- If No rule matches, and no default rule has been set, the RBAC check"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dae33548_8ebedeab","line":79,"range":{"start_line":78,"start_character":2,"end_line":79,"end_character":67},"in_reply_to":"dae33548_d8279562","updated":"2016-02-18 15:03:39.000000000","message":"I don;t think the role \u0027admin\u0027 would be hard coded, rather we would have an explicit \u0027admin override\u0027 rule that could be specified in the policy.  If that passes, any of the other rules are ignored.  
The body of the rule would still be mutable.","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5707,"name":"Henry Nash","email":"henryn@linux.vnet.ibm.com","username":"henry-nash"},"change_message_id":"bdb82f946b3bcf37ba2e75cf34248aea363679cc","unresolved":false,"context_lines":[{"line_number":82,"context_line":"- If No rule matches, and no default rule has been set, the RBAC check"},{"line_number":83,"context_line":"  will return True but will ensure the header"},{"line_number":84,"context_line":"  -XRBAC_CHECK_SUCCEEDED is removed from  the request."},{"line_number":85,"context_line":"- If the check fails, the Middleare will return the HTTP response `403"},{"line_number":86,"context_line":"  Forbidden`"},{"line_number":87,"context_line":""},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Security Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dae33548_18df3d6a","line":86,"range":{"start_line":85,"start_character":2,"end_line":86,"end_character":11},"updated":"2016-02-16 14:50:57.000000000","message":"so for APIs that need, say, just an unscoped token, how does this work?","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":2218,"name":"Adam Young","email":"adam@younglogic.com","username":"ayoung"},"change_message_id":"c7bf6547ffcb6b5ede320b38371806694262e0c5","unresolved":false,"context_lines":[{"line_number":82,"context_line":"- If No rule matches, and no default rule has been set, the RBAC check"},{"line_number":83,"context_line":"  will return True but will ensure the header"},{"line_number":84,"context_line":"  -XRBAC_CHECK_SUCCEEDED is removed from  the request."},{"line_number":85,"context_line":"- If the check fails, the Middleare will return the HTTP response `403"},{"line_number":86,"context_line":"  Forbidden`"},{"line_number":87,"context_line":""},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"Security 
Impact"}],"source_content_type":"text/x-rst","patch_set":1,"id":"dae33548_2efd126e","line":86,"range":{"start_line":85,"start_character":2,"end_line":86,"end_character":11},"in_reply_to":"dae33548_18df3d6a","updated":"2016-02-18 15:03:39.000000000","message":"It would be enforced by the scope policy check, and this check would always pass.","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"179c15c6e65a654810d344ac6fca22843ede5425","unresolved":false,"context_lines":[{"line_number":175,"context_line":"References"},{"line_number":176,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":177,"context_line":""},{"line_number":178,"context_line":"https://etherpad.openstack.org/p/kilo-keystone-authorization"},{"line_number":179,"context_line":"https://etherpad.openstack.org/p/kilo-keystone-policy-model-token-capabilities"}],"source_content_type":"text/x-rst","patch_set":1,"id":"9abb7d3a_27b9cecc","line":178,"updated":"2016-06-01 18:29:29.000000000","message":"These could be converted into links.","commit_id":"319dedb841efe1d3dbf10c392f3e1dca6567acae"}]}
