Re: [openstack-dev] [openstack][oslo.policy] A new Keystone-Oslo hook for external PDP
Ruan, The hook is the easy part, having the data you need for making the decision is harder. -- Dims On Thu, Aug 10, 2017 at 10:51 AM, wrote: > Dims, > There is a similar prototype https://review.openstack.org/#/c/237521/. > Our idea is to provide a more generic one instead of Fortress. > Ruan > > > -Original Message- > From: Davanum Srinivas [mailto:dava...@gmail.com] > Sent: jeudi 10 août 2017 16:32 > To: OpenStack Development Mailing List (not for usage questions) > Cc: DUVAL Thomas OBS/OAB > Subject: Re: [openstack-dev] [openstack][oslo.policy] A new Keystone-Oslo > hook for external PDP > > Ruan, > > Have you prototyped to see if you have all the information you need is > available in the context (or can be gathered from Nova)? > ( quickly check what the existing HttpCheck mechanism sends over the wire ) > > Thanks, > Dims > > On Thu, Aug 10, 2017 at 10:17 AM, wrote: >> Hello, >> >> We would like to have an external and centralized security policy >> engine >> (PDP) that can pilot both OpenStack and SDN controllers. For this >> reason, we have developed and upstreamed a hook for the new >> OpenDaylight release Carbon >> (https://git.opendaylight.org/gerrit/#/c/46146/), and we’d like to develop a >> similar hook for the OpenStack/Oslo-policy. >> >> >> >> A blueprint was submitted to >> https://blueprints.launchpad.net/pbr/+spec/external-pdp-for-oslo-polic >> y, and the spec is submitted to https://review.openstack.org/#/c/492543/. >> >> We hope that this topic can be discussed in the next oslo meeting. >> >> Thank you, >> >> Ruan HE >> >> >> >> __ >> ___ >> >> Ce message et ses pieces jointes peuvent contenir des informations >> confidentielles ou privilegiees et ne doivent donc pas etre diffuses, >> exploites ou copies sans autorisation. Si vous avez recu ce message >> par erreur, veuillez le signaler a l'expediteur et le detruire ainsi >> que les pieces jointes. Les messages electroniques etant susceptibles >> d'alteration, Orange decline toute responsabilite si ce message a ete >> altere, deforme ou falsifie. Merci. >> >> This message and its attachments may contain confidential or >> privileged information that may be protected by law; they should not >> be distributed, used or copied without authorisation. >> If you have received this email in error, please notify the sender and >> delete this message and its attachments. >> As emails may be altered, Orange is not liable for messages that have >> been modified, changed or falsified. >> Thank you. >> >> >> __ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> > > > > -- > Davanum Srinivas :: https://twitter.com/dims > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > _ > > Ce message et ses pieces jointes peuvent contenir des informations > confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu > ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages > electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou > falsifie. Merci. > > This message and its attachments may contain confidential or privileged > information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete > this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been > modified, changed or falsified. > Thank you. > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [openstack][oslo.policy] A new Keystone-Oslo hook for external PDP
Dims, There is a similar prototype https://review.openstack.org/#/c/237521/. Our idea is to provide a more generic one instead of Fortress. Ruan -Original Message- From: Davanum Srinivas [mailto:dava...@gmail.com] Sent: jeudi 10 août 2017 16:32 To: OpenStack Development Mailing List (not for usage questions) Cc: DUVAL Thomas OBS/OAB Subject: Re: [openstack-dev] [openstack][oslo.policy] A new Keystone-Oslo hook for external PDP Ruan, Have you prototyped to see if you have all the information you need is available in the context (or can be gathered from Nova)? ( quickly check what the existing HttpCheck mechanism sends over the wire ) Thanks, Dims On Thu, Aug 10, 2017 at 10:17 AM, wrote: > Hello, > > We would like to have an external and centralized security policy > engine > (PDP) that can pilot both OpenStack and SDN controllers. For this > reason, we have developed and upstreamed a hook for the new > OpenDaylight release Carbon > (https://git.opendaylight.org/gerrit/#/c/46146/), and we’d like to develop a > similar hook for the OpenStack/Oslo-policy. > > > > A blueprint was submitted to > https://blueprints.launchpad.net/pbr/+spec/external-pdp-for-oslo-polic > y, and the spec is submitted to https://review.openstack.org/#/c/492543/. > > We hope that this topic can be discussed in the next oslo meeting. > > Thank you, > > Ruan HE > > > > __ > ___ > > Ce message et ses pieces jointes peuvent contenir des informations > confidentielles ou privilegiees et ne doivent donc pas etre diffuses, > exploites ou copies sans autorisation. Si vous avez recu ce message > par erreur, veuillez le signaler a l'expediteur et le detruire ainsi > que les pieces jointes. Les messages electroniques etant susceptibles > d'alteration, Orange decline toute responsabilite si ce message a ete > altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or > privileged information that may be protected by law; they should not > be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and > delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have > been modified, changed or falsified. > Thank you. > > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev _ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [openstack][oslo.policy] A new Keystone-Oslo hook for external PDP
Ruan, Have you prototyped to see if you have all the information you need is available in the context (or can be gathered from Nova)? ( quickly check what the existing HttpCheck mechanism sends over the wire ) Thanks, Dims On Thu, Aug 10, 2017 at 10:17 AM, wrote: > Hello, > > We would like to have an external and centralized security policy engine > (PDP) that can pilot both OpenStack and SDN controllers. For this reason, we > have developed and upstreamed a hook for the new OpenDaylight release Carbon > (https://git.opendaylight.org/gerrit/#/c/46146/), and we’d like to develop a > similar hook for the OpenStack/Oslo-policy. > > > > A blueprint was submitted to > https://blueprints.launchpad.net/pbr/+spec/external-pdp-for-oslo-policy, and > the spec is submitted to https://review.openstack.org/#/c/492543/. > > We hope that this topic can be discussed in the next oslo meeting. > > Thank you, > > Ruan HE > > > > _ > > Ce message et ses pieces jointes peuvent contenir des informations > confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu > ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages > electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou > falsifie. Merci. > > This message and its attachments may contain confidential or privileged > information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and > delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been > modified, changed or falsified. > Thank you. > > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [openstack][oslo.policy] A new Keystone-Oslo hook for external PDP
Hello, We would like to have an external and centralized security policy engine (PDP) that can pilot both OpenStack and SDN controllers. For this reason, we have developed and upstreamed a hook for the new OpenDaylight release Carbon (https://git.opendaylight.org/gerrit/#/c/46146/), and we'd like to develop a similar hook for the OpenStack/Oslo-policy. A blueprint was submitted to https://blueprints.launchpad.net/pbr/+spec/external-pdp-for-oslo-policy, and the spec is submitted to https://review.openstack.org/#/c/492543/. We hope that this topic can be discussed in the next oslo meeting. Thank you, Ruan HE _ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev