Add service validation to Patrole framework

Registered by Felipe Monteiro

Currently, the rbac_rule_validation.action decorator does not provide validation for the service kwarg. Example:

    @rbac_rule_validation.action(service="nova", rule="os_compute_api:os-volumes-attachments:index")

A Keystone API call that lists services should be made to validate whether service="nova" is a valid argument. This validation can be done in rbac_rule_validation (not ideal, as it's just a decorator), in rbac_auth, or even in rbac_policy_parser. Functionally, where the validation goes shouldn't matter, but in terms of design it is ideal to have a centralized place where validation is performed, so that the code is easier to read and maintain.

Note that the way rbac_utils is currently designed precludes it from being able to perform a keystone call -- so do not put it there.

Also note that when running "openstack service list", the service "heat-cfn" is returned (rather than "heat"), so the service validation might need to use a regex.
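
A sketch of the check described above, written for this page as an added example; it is not Patrole's code. The names match_service, validate_service, InvalidServiceError and SAMPLE_SERVICES are hypothetical, and the service list is a constructed sample standing in for the result of the Keystone call. It shows a regex that accepts "heat" for "heat-cfn" without becoming a loose substring match.

```python
import re

# Constructed sample of service names; the page only confirms that
# "heat-cfn" (rather than "heat") appears in "openstack service list".
SAMPLE_SERVICES = ["keystone", "nova", "glance", "neutron", "cinder", "heat-cfn"]


class InvalidServiceError(Exception):
    """Raised when the service kwarg matches no deployed service (hypothetical)."""


def match_service(requested, available):
    """Return the names in `available` that `requested` refers to.

    A name matches when it equals `requested` or is `requested` followed by
    hyphenated suffixes ("heat" -> "heat-cfn"). The kwarg is escaped and the
    whole name must match, so "no" does not match "nova" and regex
    metacharacters in the kwarg cannot widen the match.
    """
    if not isinstance(requested, str) or not requested.strip():
        raise InvalidServiceError("service must be a non-empty string")
    wanted = re.escape(requested.strip().lower())
    pattern = re.compile(wanted + r"(-[a-z0-9]+)*")
    return [name for name in available if pattern.fullmatch(name.lower())]


def validate_service(requested, available):
    """Fail before any policy lookup when the service is unknown."""
    matches = match_service(requested, available)
    if not matches:
        raise InvalidServiceError(
            "%r is not in the service list: %s" % (requested, sorted(available)))
    return matches


if __name__ == "__main__":
    for candidate in ("nova", "heat", "no", ".*"):
        try:
            print(candidate, "->", validate_service(candidate, SAMPLE_SERVICES))
        except InvalidServiceError as exc:
            print(candidate, "-> rejected:", exc)
```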

Blueprint information

Status: Complete
Approver: Samantha Blanco
Priority: Undefined
Drafter: Felipe Monteiro
Direction: Needs approval
Assignee: Rick Bartra
Definition: New
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Rick Bartra
Completed by: Rick Bartra

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/add-service-validation,n,z

Addressed by: https://review.openstack.org/443350
    Add service validation to Patrole framework
