Our recent work on federation suggests we need an improvement to the way
the policy engine works. My understanding is that most functions are
protected by the policy engine, but some are not. The latter functions
are publicly accessible. But there is no way in the policy engine to
specify public access to a function and there ought to be. This will
allow an administrator to configure the policy for a function to range
from very lax (publicly accessible) to very strict (admin only). A
policy of "" means that any authenticated user can access the function.
But there is no way in the policy to specify that an unauthenticated
user (i.e. public) has access to a function.

We have already identified one function (get trusted IdPs
"identity:list_identity_providers") that needs to be publicly accessible
in order for users to choose which IdP to use for federated login.
However some organisations may not wish to make this API call publicly
accessible, whilst others may wish to restrict it to Horizon only etc.
This indicates that that the policy needs to be set by the
administrator, and not by changes to the code (i.e. to either call the
policy engine or not, or to have two different API calls).

If we can invent some policy syntax that indicates public access, e.g.
reserved keyword of public, then Keystone can always call the policy
file for every function and there would be no need to differentiate
between protected APIs and non-protected APIs as all would be protected
to a greater or lesser extent according to the administrator's policy.

Comments please



OpenStack-dev mailing list

Reply via email to