Let's take a look at how we can replace policy.json with Apache Fortress, an access management system based on the ANSI Role-Based Access Control (INCITS 359) standard. Apache Fortress stores its rules in OpenLDAP or Active Directory and has a nice Web interface:
The meaning is very simple:
- There is an object "identity"
- The object "identity" has operations: "get_user", "list_users", ...
- For each pair of object and operation there is a rule
- Rules are described at the top of the file
There are several problems with this approach:
- What if we already have rules and permissions and want to map them? In this case we have to create the policy.json file by hand, and this task can be a real problem.
- We have to restart the service after each change to the policy.json file.
- A JSON file is simply not easy for a human to manage. Humans like to have some interface for management.
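To make the rule resolution concrete, here is a small evaluator for the policy.json layout just described. It is an added example, not code from the post or from oslo.policy: the policy excerpt is constructed (modelled on Keystone's layout, with named rules at the top and "object:operation" entries below), and it supports only the three check kinds the excerpt uses (rule aliases, role membership and generic "key:value" comparisons), with "and" binding tighter than "or" and no parentheses.

```python
import json

# Constructed policy.json excerpt laid out like Keystone's: named rules at
# the top, then "object:operation" entries that reference them by alias.
POLICY_JSON = """
{
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:get_user": "rule:admin_or_owner",
    "identity:list_users": "rule:admin_required"
}
"""

MAX_DEPTH = 32  # guard against alias loops such as "a": "rule:b", "b": "rule:a"


def load_rules(text):
    """Parse policy.json text into a {rule name: expression} dict."""
    return json.loads(text)


def check_atom(atom, rules, target, creds, depth):
    """Evaluate one 'kind:match' check for the kinds used in the excerpt:
    a rule alias, a role membership test, or a generic credential compare."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return evaluate(match, rules, target, creds, depth + 1)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: creds[kind] must equal match, where %(key)s inside
    # match is filled from the target (e.g. the user being looked at).
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def evaluate(rule_name, rules, target, creds, depth=0):
    """Return True if the named rule allows `creds` to act on `target`.
    An empty expression or "@" always allows, "!" always denies, and an
    unknown rule denies here (oslo.policy would consult its "default" rule)."""
    if depth > MAX_DEPTH:
        raise RecursionError("rule alias loop at %r" % rule_name)
    expr = rules.get(rule_name)
    if expr is None or expr.strip() == "!":
        return False
    if expr.strip() in ("", "@"):
        return True
    # 'or' clauses, each a conjunction of 'and'-joined atoms
    return any(
        all(check_atom(atom.strip(), rules, target, creds, depth)
            for atom in clause.split(" and "))
        for clause in expr.split(" or ")
    )


if __name__ == "__main__":
    rules = load_rules(POLICY_JSON)
    bob = {"roles": ["member"], "user_id": "u1"}   # constructed caller
    print(evaluate("identity:get_user", rules, {"user_id": "u1"}, bob))  # own record
    print(evaluate("identity:get_user", rules, {"user_id": "u2"}, bob))  # someone else's
```

The alias chain is what makes the file hard to maintain by hand: to know what "identity:get_user" means you have to follow "admin_or_owner" to "admin_required" and "owner", and a typo in any alias name silently turns into a deny.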
Apache Fortress
Apache Fortress has the following components:
- Core - Java Access Management SDK
- Realm - Java EE security for Apache Tomcat
- Rest - HTTP protocol wrappers for the APIs
- Web - HTML pages for the APIs
It is actually very similar to what we have in the policy.json file:
- There is an object "identity" (ftObjNm=identity)
- The object "identity" has operations: "list_roles", "list_users"
- For each pair of object and operation there is a permission (which we call a 'rule' in the policy.json file)
- Permissions can be granted to roles
Apache Fortress implements the ANSI specification of RBAC. This specification can be illustrated by the following picture:
Apache Fortress also has Web and REST interfaces. Let's take a look at its Web interface.
Here is the users-management page:
Let's take a look at the roles-management page:
And finally there is the permissions-management page, where all the entities come together:
Users with the role "user" are allowed to "list_roles" on the object "identity".
How to use Apache Fortress in OpenStack?
- Store users in OpenLDAP or ActiveDirectory
- Install Apache Fortress: http://xuctarine.blogspot.ru/2015/10/how-to-install-apache-fortress-with.html
- Create entities you need: objects, operations, permissions.
- Extend oslo.policy. There are 2 possible ways to communicate with Apache Fortress:
- by REST API (https://review.openstack.org/#/c/237521/)
- by LDAP protocol (https://review.openstack.org/#/c/244059/)
- Use the new oslo.policy class in the application. For Keystone this means that you have to replace "Enforcer" with "FortressEnforcer" in one place in the code.
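The following is an added example of the last two steps, not code from the post, from the linked oslo.policy reviews or from Apache Fortress. It shows the shape of an oslo.policy-compatible FortressEnforcer: the same `enforce(rule, target, creds, do_raise, exc)` signature as oslo.policy's Enforcer, with the decision taken by mapping "object:operation" onto a Fortress permission and asking the Fortress back end whether one of the caller's roles holds it. The `InMemoryFortress` class, the `check_access` method name and the users "alice" and "bob" are constructed stand-ins; a real enforcer would talk to Fortress over REST or LDAP as the two reviews do.

```python
class PolicyNotAuthorized(Exception):
    """Raised by enforce(do_raise=True); named after oslo.policy's exception."""


class InMemoryFortress:
    """Constructed stand-in for the Apache Fortress back end. A production
    enforcer would query the Fortress server over REST or LDAP; the model is
    the same: a permission is an (object, operation) pair, permissions are
    granted to roles, and users are assigned roles."""

    def __init__(self):
        self._user_roles = {}   # user id -> set of role names
        self._role_perms = {}   # role name -> set of (ftObjNm, ftOpNm)

    def assign_user(self, user, role):
        self._user_roles.setdefault(user, set()).add(role)

    def grant_permission(self, role, obj_name, op_name):
        self._role_perms.setdefault(role, set()).add((obj_name, op_name))

    def check_access(self, user, obj_name, op_name):
        """True if any role assigned to `user` holds the permission."""
        return any((obj_name, op_name) in self._role_perms.get(role, ())
                   for role in self._user_roles.get(user, ()))


class FortressEnforcer:
    """Drop-in for oslo.policy's Enforcer: same enforce() signature, but the
    decision comes from Fortress instead of policy.json, so a changed grant
    takes effect without restarting the service."""

    def __init__(self, backend):
        self._backend = backend

    @staticmethod
    def split_rule(rule):
        """'identity:list_users' -> ('identity', 'list_users'). Fortress has
        no rule aliases like 'admin_required', so every check must name an
        object and an operation."""
        obj_name, sep, op_name = rule.partition(":")
        if not (sep and obj_name and op_name):
            raise ValueError("expected 'object:operation', got %r" % rule)
        return obj_name, op_name

    def enforce(self, rule, target, creds, do_raise=False, exc=None):
        obj_name, op_name = self.split_rule(rule)
        user = creds.get("user_id")   # the caller, as oslo.policy passes it
        allowed = user is not None and self._backend.check_access(user, obj_name, op_name)
        if not allowed and do_raise:
            raise (exc or PolicyNotAuthorized)(rule)
        return allowed


def build_demo_enforcer():
    """Mirror the permissions page from the post: role "user" may list_roles
    on object "identity"; role "admin" may also list and get users."""
    fortress = InMemoryFortress()
    fortress.grant_permission("user", "identity", "list_roles")
    for op_name in ("list_roles", "list_users", "get_user"):
        fortress.grant_permission("admin", "identity", op_name)
    fortress.assign_user("alice", "admin")   # constructed users
    fortress.assign_user("bob", "user")
    return FortressEnforcer(fortress)


if __name__ == "__main__":
    enforcer = build_demo_enforcer()
    for user in ("alice", "bob", "carol"):
        for rule in ("identity:list_roles", "identity:list_users"):
            print(user, rule, enforcer.enforce(rule, {}, {"user_id": user}))
```

Keeping the enforce() signature identical is what makes the Keystone change a one-line swap of Enforcer for FortressEnforcer; the part that does not carry over is policy.json's alias rules, which have to be re-expressed as permission grants to roles before the swap.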