# External Policy Checker

An OpenStack component (Nova, Glance, Cinder, ...) must populate three attributes to allow an authorization to be computed. Those three attributes are:

- target
- credentials
- rule

In those attributes, we must find the following information:

- In the 'credentials' attribute:
  - the user ID: in general this is given by Keystone
  - the project ID: in general this is given by Keystone
  - as a proposal, the domain ID: in general this is given by Keystone
- In the 'target' attribute:
  - the resource ID (i.e. a Nova virtual machine ID, a Glance image ID, ...): this must come from the component that is the source of the request (Nova, Glance, ...)
- In the 'rule' attribute:
  - the action name: this must come from the component that is the source of the request (Nova, Glance, ...)

This server must be used to verify that all the information sent by OpenStack components can be retrieved from those attributes.
## Usage

### Server

To start the server locally:

```
cd external_policy_checker
python3 server.py
```

To start the server as a Docker container:

```
docker run -ti -p 8080:8080 moon_platform/external_policy_checker:latest
```
### API

Here are the API endpoints you can request:

```
POST /policy_checker
POST /authz/grant
POST /authz/deny
```

`/policy_checker` checks whether all the required information can be retrieved from the three attributes.
`/authz/grant` will always send a "True" response.
`/authz/deny` will always send a "False" response.
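As an added example (not the project's own `server.py`), the validation that `/policy_checker` is meant to perform, written as a stand-alone Python function: it takes the `credentials`, `target` and `rule` attributes and reports which required pieces of information are missing. The JSON key names (`user_id`, `project_id`, `domain_id`, `resource_id`, `action`) are assumptions; the README names the fields but not their wire format. It also accepts `rule` as a bare rule-name string, which is how oslo.policy passes it.

```python
import json

# Required fields per attribute (domain_id is the README's proposal).
# Key names are assumptions, not taken from the project.
REQUIRED = {
    "credentials": ("user_id", "project_id", "domain_id"),
    "target": ("resource_id",),
}


def check_attributes(payload):
    """Return {attribute: [missing fields]}; empty dict means all present."""
    missing = {}
    for attr, fields in REQUIRED.items():
        section = payload.get(attr)
        if not isinstance(section, dict):
            missing[attr] = list(fields)  # attribute absent or malformed
            continue
        absent = [f for f in fields if not section.get(f)]
        if absent:
            missing[attr] = absent
    # 'rule' carries the action name: accept either a bare string
    # (oslo.policy style, e.g. "compute:start") or {"action": "..."}.
    rule = payload.get("rule")
    if isinstance(rule, dict):
        rule = rule.get("action")
    if not isinstance(rule, str) or not rule.strip():
        missing["rule"] = ["action"]
    return missing


def policy_checker(body):
    """Simulate the /policy_checker endpoint on a raw JSON request body."""
    try:
        payload = json.loads(body)
    except ValueError:
        return {"result": False, "error": "body is not valid JSON"}
    if not isinstance(payload, dict):
        return {"result": False, "error": "body must be a JSON object"}
    missing = check_attributes(payload)
    return {"result": not missing, "missing": missing}


# Constructed samples (not real IDs): a complete Nova request and a
# Glance request that lacks the domain ID and the image (resource) ID.
GOOD = json.dumps({
    "credentials": {"user_id": "u-1", "project_id": "p-1", "domain_id": "d-1"},
    "target": {"resource_id": "vm-42"},
    "rule": "compute:start",
})
BAD = json.dumps({
    "credentials": {"user_id": "u-2", "project_id": "p-2"},
    "target": {},
    "rule": {"action": "get_image"},
})
```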