External PDP Integration for oslo-policy
Oslo-policy (together with Keystone/roles) provides a native authorization policy engine for OpenStack. Existing discussions [1] show several shortcomings of this solution. As OpenStack may be deployed by different users with different requirements, a generic yet flexible approach is needed through which users may define, apply and manage their own authorization policy.
An external PDP (Policy Decision Point) integration disables the native oslo-policy engine and delegates authorization to an external authorization policy engine. Existing work [2, 3] shows the feasibility of this approach with the Fortress and Moon policy engines. This blueprint proposes a generic hook that redirects authorization requests to an external PDP instead of using the native one. Each policy engine stores and manages the information related to its policy, and grants or denies requests based on this information and its rules.
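The delegation described above, sketched as an added example (not code from this blueprint, oslo-policy, Fortress or Moon): a hypothetical `external_enforce` hook forwards the action, target and credentials to a stand-in PDP over HTTP and denies whenever the PDP is unreachable or its reply is malformed. The JSON request and response shape, the function names and the sample policy are assumptions made for illustration.

```python
import json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample policy held by the stand-in external PDP: role -> allowed actions.
SAMPLE_POLICY = {"admin": {"compute:delete", "compute:get"}, "member": {"compute:get"}}

class PDPHandler(BaseHTTPRequestHandler):
    """Stand-in external PDP: answers each POSTed request with a JSON decision."""
    def do_POST(self):
        req = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        roles = req.get("credentials", {}).get("roles", [])
        allowed = any(req.get("action") in SAMPLE_POLICY.get(r, ()) for r in roles)
        body = json.dumps({"allowed": allowed}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_pdp():
    """Start the stand-in PDP on a free localhost port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), PDPHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/authorize" % server.server_port

def external_enforce(pdp_url, action, target, credentials, timeout=2.0):
    """Hypothetical hook: the service (PEP) asks the external PDP for the decision."""
    payload = json.dumps({"action": action, "target": target,
                          "credentials": credentials}).encode()
    request = urllib.request.Request(pdp_url, data=payload,
                                     headers={"Content-Type": "application/json"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies
    try:
        with opener.open(request, timeout=timeout) as resp:
            # Only an explicit JSON true grants access; anything else is a deny.
            return json.loads(resp.read()).get("allowed") is True
    except (OSError, ValueError, AttributeError):
        return False  # fail closed: unreachable PDP or malformed reply means deny

if __name__ == "__main__":
    server, url = start_pdp()
    creds = {"roles": ["member"]}
    print(external_enforce(url, "compute:delete", {"project_id": "p1"}, creds))
    server.shutdown()
```

Because the native engine is disabled in this design, the deny-on-error branch is what keeps a PDP outage from turning into open access.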
[1] https:/
[2] https:/
[3] https:/