Rest API Policy Enforcement¶
Policy enforcement in Deckhand leverages the oslo.policy
library like
all OpenStack projects. The implementation is located in deckhand.policy
.
Two types of policy authorization exist in Deckhand:
- Decorator-level authorization used for wrapping around
falcon
“on_{HTTP_VERB}” methods. In this case, if policy authorization fails a 403 Forbidden is always raised.- Conditional authorization, which means that the policy is only enforced if a certain set of conditions are true.
Deckhand, for example, will only conditionally enforce listing encrypted
documents if a document’s metadata.storagePolicy
is “encrypted”.
Policy Implementation¶
Deckhand uses authorize
from oslo.policy
as the latter supports both
enforce
and authorize
. authorize
is stricter because it’ll raise an
exception if the policy action is not registered under deckhand.policies
(which enumerates all the legal policy actions and their default rules). This
means that attempting to enforce anything not found in deckhand.policies
will error out with a ‘Policy not registered’ message.
See Deckhand’s policy module for more details.
Sample Policy File¶
The following is a sample Deckhand policy file for adaptation and use. It is auto-generated from Deckhand when this documentation is built, so if you are having issues with an option, please compare your version of Deckhand with the version of this documentation.
The sample configuration can also be viewed in file form.