This slide is prepared for OpenStack Mitaka Swift Design Summit

1. Hisashi Osanai
IRC: ho
osanai.hisashi@jp.fujitsu.com
Enable Role-based access
control using oslo.policy in
Swift
Copyright 2015 FUJITSU LIMITED0

2. Copyright 2015 FUJITSU LIMITED
 Patch
https://review.openstack.org/#/c/149930/15
 What is required to move this patch forward?
 What are the other dependencies that this
brings in?
And how does this impact other parts of
swift?
discussion about…
1

3. Copyright 2015 FUJITSU LIMITED
 Background
 Current approach & status
 Open discussion for implementation
 Dependencies
 Misc.
This slide explains
2

4. Copyright 2015 FUJITSU LIMITED
 Policy-based RBAC in OpenStack
 Oslo.policy was graduated from incubated prj.
from Kilo
Background
Status Policy File
Keystone Supported /etc/keystone/policy.json
Nova Supported /etc/nova/policy.json
Cinder Supported /etc/cinder/policy.json
Neutron Supported /etc/neutron/policy.json
Glance Supported /etc/glance/policy.json
Heat Supported /etc/heat/policy.json
Swift Not Supported -
3

5. Copyright 2015 FUJITSU LIMITED
 Commits function tests on master first
 Background
Make function test with matrix in order to guarantee the RBAC
patch [Vancouver Summit agreement]
 Patches (16 patches, 803 items)
Status: Already submitted (but now need rebase them)
http://paste.openstack.org/show/477395/
 Open discussion about devstack correspondence
https://review.openstack.org/#/c/202411/14
Current approach & status
4

6. Copyright 2015 FUJITSU LIMITED
 Continue the RBAC patch
 Patch
https://review.openstack.org/#/c/149930/15
 Status
Abandoned.
I will re-opened this patch with some fixes for Clay’s comments.
http://paste.openstack.org/show/477318/
 Open discussion about user I/F specially for ACL
Current approach & status cont.
5

7. Copyright 2015 FUJITSU LIMITED
 This patch introduces only oslo.policy
 Compares the following two patterns
• Swift + KeystoneAuth (keystonemiddleware)
• Swift + this patch (keystonemiddleware + oslo.policy)
Dependencies
dnspython>=1.9.4
eventlet>=0.16.1,!=0.17.0
greenlet>=0.3.1
netifaces>=0.5,!=0.10.0,!=0.10.1
pastedeploy>=1.3.3
simplejson>=2.0.9
six>=1.9.0
xattr>=0.4
PyECLib==1.0.7
Swift
requirements.txt
Babel>=1.3
oslo.config>=2.3.0 # Apache-2.0
oslo.context>=0.2.0 # Apache-2.0
oslo.i18n>=1.5.0 # Apache-2.0
oslo.serialization>=1.4.0 # Apache-2.0
oslo.utils!=2.6.0,>=2.4.0 # Apache-2.0
pbr>=1.6
pycadf>=1.1.0
python-keystoneclient!=1.8.0,>=1.6.0
requests!=2.8.0,>=2.5.2
six>=1.9.0
WebOb>=1.2.3
Keystonemiddleware
requirements.txt
requests!=2.8.0,>=2.5.2
oslo.config>=2.3.0 # Apache-2.0
oslo.i18n>=1.5.0 # Apache-2.0
oslo.serialization>=1.4.0 # Apache-2.0
oslo.utils!=2.6.0,>=2.4.0 # Apache-2.0
six>=1.9.0
Oslo.policy
requirements.txt
All requirements
are covered
6

8. Copyright 2015 FUJITSU LIMITED
 Improve Keystone v3 token support
 Background
HTTP_X_TENANT_NAME/ID are deprecated and might be
removed in Mitaka so I would like to update current token
support logic.
 Patch
https://review.openstack.org/#/c/201461/
Misc.
7

9. Copyright 2015 FUJITSU LIMITED
 Remove _keystone_identity method
 Background
_keystone_identity method has been kept because of backward
compatibility. But there is no place to use an identity from the
method in our repo. Alistair already mentioned it as a comment
in the code (one year ago) so I think it’s time remove it.
 Patch
https://review.openstack.org/#/c/204050/
Misc. cont.
8

10. Copyright 2015 FUJITSU LIMITED
 Improve Keystone v3 token support
 Background
HTTP_X_TENANT_NAME/ID are deprecated and might be
removed in Mitaka so I would like to update current token
support logic.
 Patch
https://review.openstack.org/#/c/201461/
Misc. cont.
9