RBAC for openstack via http verbs proxy

Question

I'm currently working on a project based on openstack. In the project I would like to extend the openstack REST API with some RBAC (Role Based Access Control) mechanism.

But what is the best way? I don't want to touch all the openstack code and by this loose maybe compatibility with the major openstack release. Due to that I had the idea to write an "RBAC-Proxy" that enables RBAC for the http verbs.

Every access to the openstack API would be routed over the proxy. It would be great if you can give me any advise into that direction.

Thanks and kind regards,

Jan

Answer 1

HEAT might be a good place to put that functionality.

First I'd read the gerrit workflow page on the openstack wiki. This is good reading for new developers:

https://wiki.openstack.org/wiki/Gerrit_Workflow

Second I would reach out to the openstack-dev mailing list:

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Ultimately,

What you should probably do is work up a blueprint, and submit that before the next summit. See what developers have to say about it. It strikes me that folks might want that functionality or at the very least have some ideas about how that can be solved well.