Authentication and Authorization
Quotas for volumes.

class AbsoluteResource(name, flag=None, parent_project_id=None)
Bases: cinder.quota.BaseResource
Describe a non-reservable resource.

class BaseResource(name, flag=None, parent_project_id=None)
Bases: object
Describe a single resource for quota checking.

default
Return the default value of the quota.

quota(driver, context, **kwargs)
Given a driver and context, obtain the quota for this resource.
Parameters:
- driver – A quota driver.
- context – The request context.
- project_id – The project to obtain the quota value for. If not provided, it is taken from the context. If it is given as None, no project-specific quota will be searched for.
- quota_class – The quota class corresponding to the project, or for which the quota is to be looked up. If not provided, it is taken from the context. If it is given as None, no quota class-specific quota will be searched for. Note that the quota class defaults to the value in the context, which may not correspond to the project if project_id is not the same as the one in the context.

class CGQuotaEngine(quota_driver_class=None)
Bases: cinder.quota.QuotaEngine
Represent the consistencygroup quotas.

register_resource(resource)

register_resources(resources)

resources
Fetches all possible quota resources.

class CountableResource(name, count, flag=None)
Bases: cinder.quota.AbsoluteResource
Describe a resource where counts aren’t based only on the project ID.

class DbQuotaDriver
Bases: object
Driver that performs quota checks and enforcement, and also provides quota information. The default driver uses the local database.

commit(context, reservations, project_id=None)
Commit reservations.
Parameters:
- context – The request context, for access checks.
- reservations – A list of the reservation UUIDs, as returned by the reserve() method.
- project_id – Specify the project_id if the current context is admin and the admin wants to act on a common user’s tenant.

destroy_by_project(context, project_id)
Destroy all limit quotas associated with a project. Leave usage and reservation quotas intact.
Parameters:
- context – The request context, for access checks.
- project_id – The ID of the project being deleted.

expire(context)
Expire reservations. Explores all currently existing reservations and rolls back any that have expired.
Parameters:
- context – The request context, for access checks.

get_by_class(context, quota_class, resource_name)
Get a specific quota by quota class.

get_by_project(context, project_id, resource_name)
Get a specific quota by project.

get_class_quotas(context, resources, quota_class, defaults=True)
Given a list of resources, retrieve the quotas for the given quota class.
Parameters:
- context – The request context, for access checks.
- resources – A dictionary of the registered resources.
- quota_class – The name of the quota class to return quotas for.
- defaults – If True, the default value will be reported if there is no specific value for the resource.

get_default(context, resource, project_id)
Get a specific default quota for a resource.

get_defaults(context, resources, project_id=None)
Given a list of resources, retrieve the default quotas. Use the class quotas named _DEFAULT_QUOTA_NAME as default quotas, if it exists.
Parameters:
- context – The request context, for access checks.
- resources – A dictionary of the registered resources.
- project_id – The id of the current project.
get_project_quotas(context, resources, project_id, quota_class=None, defaults=True, usages=True)
Retrieve quotas for a project. Given a list of resources, retrieve the quotas for the given project.
Parameters:
- context – The request context, for access checks.
- resources – A dictionary of the registered resources.
- project_id – The ID of the project to return quotas for.
- quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified. It will be ignored if project_id == context.project_id.
- defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.
- usages – If True, the current in_use, reserved and allocated counts will also be returned.

limit_check(context, resources, values, project_id=None)
Check simple quota limits.
For limits (those quotas for which there is no usage synchronization function) this method checks that a set of proposed values are permitted by the limit restriction.
This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it is not a simple limit resource.
If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns nothing.
Parameters:
- context – The request context, for access checks.
- resources – A dictionary of the registered resources.
- values – A dictionary of the values to check against the quota.
- project_id – Specify the project_id if the current context is admin and the admin wants to act on a common user’s tenant.

reserve(context, resources, deltas, expire=None, project_id=None)
Check quotas and reserve resources.
For counting quotas (those quotas for which there is a usage synchronization function) this method checks quotas against current usage and the desired deltas.
This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it does not have a usage synchronization function.
If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns a list of reservation UUIDs which were created.
Parameters:
- context – The request context, for access checks.
- resources – A dictionary of the registered resources.
- deltas – A dictionary of the proposed delta changes.
- expire – An optional parameter specifying an expiration time for the reservations. If it is a simple number, it is interpreted as a number of seconds and added to the current time; if it is a datetime.timedelta object, it will also be added to the current time. A datetime.datetime object will be interpreted as the absolute expiration time. If None is specified, the default expiration time set by --default-reservation-expire will be used (this value will be treated as a number of seconds).
- project_id – Specify the project_id if the current context is admin and the admin wants to act on a common user’s tenant.

rollback(context, reservations, project_id=None)
Roll back reservations.
Parameters:
- context – The request context, for access checks.
- reservations – A list of the reservation UUIDs, as returned by the reserve() method.
- project_id – Specify the project_id if the current context is admin and the admin wants to act on a common user’s tenant.
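The reserve(), commit(), rollback() and expire() methods above describe a two-phase lifecycle: a reservation holds capacity against the limit until it is either committed into usage or released, and a sweeper rolls back reservations whose deadline passed. The following is an added example, not Cinder's own code: an in-memory driver with constructed limits and deltas that models that lifecycle, including the documented interpretations of the expire argument (the DEFAULT_RESERVATION_EXPIRE constant stands in for the --default-reservation-expire setting).

```python
# Added example, not Cinder's own code: an in-memory model of the reserve /
# commit / rollback / expire lifecycle that this page documents for
# DbQuotaDriver, including the documented forms of the `expire` argument.
# A reservation holds capacity in "reserved" against the limit until commit()
# moves it to "in_use" or rollback() releases it; expire() rolls back any
# reservation whose deadline has passed. Limits and deltas are constructed.
import datetime
import uuid

# Stand-in for the --default-reservation-expire setting, in seconds (constructed value).
DEFAULT_RESERVATION_EXPIRE = 86400


class OverQuota(Exception):
    def __init__(self, overs):
        super().__init__("quota exceeded for: " + ", ".join(overs))
        self.overs = overs


class QuotaResourceUnknown(Exception):
    pass


def resolve_expire(expire, now):
    """Turn the documented `expire` forms into an absolute datetime."""
    if expire is None:
        expire = DEFAULT_RESERVATION_EXPIRE
    if isinstance(expire, (int, float)):
        return now + datetime.timedelta(seconds=expire)
    if isinstance(expire, datetime.timedelta):
        return now + expire
    if isinstance(expire, datetime.datetime):
        return expire
    raise ValueError("unsupported expire value: %r" % (expire,))


class InMemoryQuotaDriver:
    def __init__(self, limits):
        self.limits = dict(limits)  # resource name -> hard limit
        self.usage = {name: {"in_use": 0, "reserved": 0} for name in limits}
        self.reservations = {}      # reservation UUID -> (resource, delta, expires_at)

    def reserve(self, deltas, expire=None, now=None):
        now = now or datetime.datetime.now(datetime.timezone.utc)
        unknown = sorted(name for name in deltas if name not in self.limits)
        if unknown:
            raise QuotaResourceUnknown(unknown)
        # Current usage plus outstanding reservations count against the limit;
        # negative deltas (releasing resources) never trip the check.
        overs = sorted(
            name for name, delta in deltas.items()
            if delta > 0
            and self.usage[name]["in_use"] + self.usage[name]["reserved"] + delta > self.limits[name]
        )
        if overs:
            raise OverQuota(overs)
        expires_at = resolve_expire(expire, now)
        ids = []
        for name, delta in deltas.items():
            rid = str(uuid.uuid4())
            self.reservations[rid] = (name, delta, expires_at)
            self.usage[name]["reserved"] += delta
            ids.append(rid)
        return ids

    def commit(self, reservation_ids):
        for rid in reservation_ids:
            name, delta, _ = self.reservations.pop(rid)
            self.usage[name]["reserved"] -= delta
            self.usage[name]["in_use"] += delta

    def rollback(self, reservation_ids):
        for rid in reservation_ids:
            name, delta, _ = self.reservations.pop(rid)
            self.usage[name]["reserved"] -= delta

    def expire(self, now=None):
        now = now or datetime.datetime.now(datetime.timezone.utc)
        stale = [rid for rid, (_, _, exp) in self.reservations.items() if exp <= now]
        self.rollback(stale)
        return stale


def demo():
    """Walk the lifecycle on constructed limits and return the observed states."""
    drv = InMemoryQuotaDriver({"volumes": 2, "gigabytes": 10})
    t0 = datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc)
    ids = drv.reserve({"volumes": 1, "gigabytes": 5}, expire=60, now=t0)
    try:
        drv.reserve({"volumes": 2}, now=t0)   # 0 in use + 1 reserved + 2 > limit 2
        rejected = None
    except OverQuota as exc:
        rejected = exc.overs                   # ["volumes"]
    drv.commit(ids)
    after_commit = dict(drv.usage["volumes"])  # {"in_use": 1, "reserved": 0}
    stale = drv.reserve({"volumes": 1}, expire=datetime.timedelta(seconds=30), now=t0)
    expired = drv.expire(now=t0 + datetime.timedelta(seconds=31))
    return rejected, after_commit, expired == stale, dict(drv.usage["volumes"])
```

Two points the model makes visible: the quota check counts outstanding reservations as well as committed usage, so a caller that reserves and then fails must roll back (or wait for expire()) or the capacity stays blocked; and because the sweeper only releases reservations past their deadline, a very long --default-reservation-expire turns every crashed request into a long-lived hold on the project's quota.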

class NestedDbQuotaDriver
Bases: cinder.quota.DbQuotaDriver

get_default(context, resource, project_id)
Get a specific default quota for a resource.

get_defaults(context, resources, project_id=None)

validate_nested_setup(ctxt, resources, project_tree, fix_allocated_quotas=False)
Ensures project_tree has quotas that make sense as nested quotas.
Validates the following:
- No parent project has child projects whose combined quota is more than the parent’s quota limit.
- No child quota has a larger in-use value than its current limit (this could happen before because child default values weren’t enforced).
- All parent projects’ “allocated” quotas match the sum of the limits of their child projects.
TODO(mc_nair): need a better way to “flip the switch” to use nested quotas to make this less racy.
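The three rules above are the invariants that keep a nested quota hierarchy from being over-committed: a child cannot be granted more than its parent holds, nothing may already exceed its own limit, and the parent's allocated figure must match what has been handed down. The following is an added example, not Cinder's own code: a validator over a constructed project tree for a single resource, with the fix_allocated_quotas repair behaviour.

```python
# Added example, not Cinder's own code: check a project tree for one resource
# against the three rules validate_nested_setup() lists above. The tree and
# quota numbers are constructed; in Cinder they come from the quota tables.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProjectQuota:
    limit: int                  # hard limit granted to this project
    in_use: int                 # current consumption
    allocated: int              # portion of the limit handed down to children
    children: List[str] = field(default_factory=list)


def validate_nested_setup(tree: Dict[str, ProjectQuota], fix_allocated_quotas: bool = False):
    """Return a sorted list of violations; empty means the tree is consistent."""
    problems = []
    for name, quota in tree.items():
        child_sum = sum(tree[child].limit for child in quota.children)
        # Rule 1: children may not be granted more, combined, than the parent's limit.
        if quota.children and child_sum > quota.limit:
            problems.append("%s: child limits %d exceed parent limit %d" % (name, child_sum, quota.limit))
        # Rule 2: nothing may already be using more than its limit.
        if quota.in_use > quota.limit:
            problems.append("%s: in_use %d exceeds limit %d" % (name, quota.in_use, quota.limit))
        # Rule 3: allocated must equal the sum of the children's limits
        # (repaired in place when fix_allocated_quotas is set).
        if quota.allocated != child_sum:
            if fix_allocated_quotas:
                quota.allocated = child_sum
            else:
                problems.append("%s: allocated %d != child limits %d" % (name, quota.allocated, child_sum))
    return sorted(problems)


def build_demo_tree():
    """Constructed tree: root -> (dept_a, dept_b); dept_b is over-used, root's allocated is stale."""
    return {
        "root": ProjectQuota(limit=100, in_use=10, allocated=0, children=["dept_a", "dept_b"]),
        "dept_a": ProjectQuota(limit=40, in_use=5, allocated=0),
        "dept_b": ProjectQuota(limit=20, in_use=25, allocated=0),
    }


def demo():
    """Run the validator strictly, then with repair, and report root's repaired allocation."""
    strict = validate_nested_setup(build_demo_tree())
    tree = build_demo_tree()
    repaired = validate_nested_setup(tree, fix_allocated_quotas=True)
    return strict, repaired, tree["root"].allocated
```

Only the allocated mismatch is repairable automatically; an in-use value above its limit (the second rule) is a real over-consumption that the operator has to resolve, which is why the repair run still reports it.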

class QuotaEngine(quota_driver_class=None)
Bases: object
Represent the set of recognized quotas.

add_volume_type_opts(context, opts, volume_type_id)
Add volume type resource options. Adds elements to the opts hash for volume type quotas. If a resource is being reserved (‘gigabytes’, etc.) and the volume type is set up for its own quotas, these reservations are copied into keys for ‘gigabytes_<volume type name>’, etc.
Parameters:
- context – The request context, for access checks.
- opts – The reservations options hash.
- volume_type_id – The volume type id for this reservation.
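Per-volume-type quotas work by mirroring each reservation delta into a second, type-specific key, so that one reserve() call is checked against both the project-wide limit and the type's own limit. The following is an added example, not Cinder's own code, covering add_volume_type_opts() here and the update_quota_resource() rename described later for VolumeTypeQuotaEngine: the VOLUME_TYPES registry, the PER_TYPE_RESOURCES tuple and the plain-dict "tables" are constructed stand-ins.

```python
# Added example, not Cinder's own code: the two volume-type bookkeeping steps
# this page describes. add_volume_type_opts() mirrors the reservation deltas
# for the base resources into per-type keys ("gigabytes_<type name>"), so that
# both the global quota and the type's own quota are reserved against;
# update_quota_resource() renames those per-type entries across the quota,
# quota-class and usage tables when a volume type is renamed. The tables here
# are plain dicts; the volume-type registry and resource list are constructed.
PER_TYPE_RESOURCES = ("volumes", "gigabytes", "snapshots")

# Constructed stand-in for the volume types table: id -> name.
VOLUME_TYPES = {"vt-1": "ssd", "vt-2": "hdd"}


def add_volume_type_opts(opts, volume_type_id, per_type_quotas=True):
    """Copy base-resource deltas in `opts` into '<resource>_<type name>' keys."""
    if not per_type_quotas:          # type not set up for its own quotas: nothing to mirror
        return opts
    type_name = VOLUME_TYPES[volume_type_id]
    for resource in PER_TYPE_RESOURCES:
        if resource in opts:
            opts["%s_%s" % (resource, type_name)] = opts[resource]
    return opts


def update_quota_resource(tables, old_type_name, new_type_name):
    """Rename '<resource>_<old>' keys to '<resource>_<new>' in every table; return the count."""
    renamed = 0
    for table in tables:             # e.g. quotas, quota_classes, quota_usages
        for resource in PER_TYPE_RESOURCES:
            old_key = "%s_%s" % (resource, old_type_name)
            if old_key in table:
                table["%s_%s" % (resource, new_type_name)] = table.pop(old_key)
                renamed += 1
    return renamed
```

The rename step is what keeps the two checks aligned: if the usage rows were left under the old type name, the next reservation for the renamed type would be checked against an empty usage record and the per-type limit would silently stop being enforced.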

commit(context, reservations, project_id=None)
Commit reservations.
Parameters:
- context – The request context, for access checks.
- reservations – A list of the reservation UUIDs, as returned by the reserve() method.
- project_id – Specify the project_id if the current context is admin and the admin wants to act on a common user’s tenant.

count(context, resource, *args, **kwargs)
Count a resource. For countable resources, invokes the count() function and returns its result. Arguments following the context and resource are passed directly to the count function declared by the resource.
Parameters:
- context – The request context, for access checks.
- resource – The name of the resource, as a string.

destroy_by_project(context, project_id)
Destroy all quota limits associated with a project.
Parameters:
- context – The request context, for access checks.
- project_id – The ID of the project being deleted.

expire(context)
Expire reservations. Explores all currently existing reservations and rolls back any that have expired.
Parameters:
- context – The request context, for access checks.

get_by_class(context, quota_class, resource_name)
Get a specific quota by quota class.

get_by_project(context, project_id, resource_name)
Get a specific quota by project.

get_by_project_or_default(context, project_id, resource_name)
Get a specific quota by project, or the default quota if no project-specific quota exists.

get_class_quotas(context, quota_class, defaults=True)
Retrieve the quotas for the given quota class.
Parameters:
- context – The request context, for access checks.
- quota_class – The name of the quota class to return quotas for.
- defaults – If True, the default value will be reported if there is no specific value for the resource.

get_default(context, resource, parent_project_id=None)
Get a specific default quota for a resource.
Parameters:
- parent_project_id – The id of the current project’s parent, if any.

get_defaults(context, project_id=None)
Retrieve the default quotas.
Parameters:
- context – The request context, for access checks.
- project_id – The id of the current project.

get_project_quotas(context, project_id, quota_class=None, defaults=True, usages=True)
Retrieve the quotas for the given project.
Parameters:
- context – The request context, for access checks.
- project_id – The ID of the project to return quotas for.
- quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified.
- defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.
- usages – If True, the current in_use, reserved and allocated counts will also be returned.

limit_check(context, project_id=None, **values)
Check simple quota limits.
For limits (those quotas for which there is no usage synchronization function) this method checks that a set of proposed values are permitted by the limit restriction. The values to check are given as keyword arguments, where the key identifies the specific quota limit to check, and the value is the proposed value.
This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it is not a simple limit resource.
If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns nothing.
Parameters:
- context – The request context, for access checks.
- project_id – Specify the project_id if the current context is admin and the admin wants to act on a common user’s tenant.
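limit_check() is the path for absolute limits that have no usage counter, and the page documents it twice: the DbQuotaDriver form above takes a values dict, the QuotaEngine form takes keyword arguments, and both reject unknown or counting resources with QuotaResourceUnknown and report every offending name, sorted, in OverQuota. The following is an added example, not Cinder's own code, serving both descriptions: the resource classes, the InMemoryQuotaDriver, the QuotaEngine wrapper and the limit names (per_volume_gigabytes, metadata_items, volumes) are constructed for the demonstration.

```python
# Added example, not Cinder's own code: the simple-limit check that
# limit_check() documents, in both shapes this page shows: the driver form
# taking a `values` dict, and the engine form taking the values as keyword
# arguments. Resource names and limits below are constructed.
class OverQuota(Exception):
    def __init__(self, overs):
        super().__init__("quota exceeded for: " + ", ".join(overs))
        self.overs = overs


class QuotaResourceUnknown(Exception):
    pass


class AbsoluteResource:
    """A non-reservable resource: a bare limit with no usage sync function."""
    def __init__(self, name, default):
        self.name, self.default, self.sync = name, default, None


class ReservableResource(AbsoluteResource):
    """A counting resource; it must go through reserve(), not limit_check()."""
    def __init__(self, name, default, sync):
        super().__init__(name, default)
        self.sync = sync


class InMemoryQuotaDriver:
    def __init__(self, project_limits):
        self.project_limits = project_limits  # resource name -> project-specific limit

    def limit_check(self, resources, values):
        # Every requested name must be a registered, simple-limit resource.
        for name in values:
            resource = resources.get(name)
            if resource is None or resource.sync is not None:
                raise QuotaResourceUnknown(name)
        # Project-specific limit if set, else the resource default; report all overs, sorted.
        overs = sorted(
            name for name, value in values.items()
            if value > self.project_limits.get(name, resources[name].default)
        )
        if overs:
            raise OverQuota(overs)


class QuotaEngine:
    def __init__(self, driver):
        self.driver = driver
        self.resources = {}

    def register_resource(self, resource):
        self.resources[resource.name] = resource

    def limit_check(self, **values):
        """Keyword form: limit_check(per_volume_gigabytes=500)."""
        return self.driver.limit_check(self.resources, values)


def build_demo_engine():
    """Constructed registry: two simple limits and one counting resource."""
    engine = QuotaEngine(InMemoryQuotaDriver({"per_volume_gigabytes": 100}))
    engine.register_resource(AbsoluteResource("per_volume_gigabytes", default=1000))
    engine.register_resource(AbsoluteResource("metadata_items", default=8))
    engine.register_resource(ReservableResource("volumes", default=10, sync=lambda ctx: 0))
    return engine


def check(engine, **values):
    """Return None when allowed, the sorted over-limit names, or 'unknown:<name>'."""
    try:
        engine.limit_check(**values)
        return None
    except OverQuota as exc:
        return exc.overs
    except QuotaResourceUnknown as exc:
        return "unknown:%s" % exc.args[0]
```

Rejecting a counting resource here is deliberate rather than cosmetic: a bare comparison against the limit would ignore current usage and outstanding reservations, so routing "volumes" through limit_check() would let a caller exceed the quota without any check failing.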

register_resource(resource)
Register a resource.

register_resources(resources)
Register a list of resources.

reserve(context, expire=None, project_id=None, **deltas)
Check quotas and reserve resources.
For counting quotas (those quotas for which there is a usage synchronization function) this method checks quotas against current usage and the desired deltas. The deltas are given as keyword arguments, and current usage and other reservations are factored into the quota check.
This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it does not have a usage synchronization function.
If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns a list of reservation UUIDs which were created.
Parameters:
- context – The request context, for access checks.
- expire – An optional parameter specifying an expiration time for the reservations. If it is a simple number, it is interpreted as a number of seconds and added to the current time; if it is a datetime.timedelta object, it will also be added to the current time. A datetime.datetime object will be interpreted as the absolute expiration time. If None is specified, the default expiration time set by --default-reservation-expire will be used (this value will be treated as a number of seconds).
- project_id – Specify the project_id if the current context is admin and the admin wants to act on a common user’s tenant.

resource_names

resources

rollback(context, reservations, project_id=None)
Roll back reservations.
Parameters:
- context – The request context, for access checks.
- reservations – A list of the reservation UUIDs, as returned by the reserve() method.
- project_id – Specify the project_id if the current context is admin and the admin wants to act on a common user’s tenant.

using_nested_quotas()
Returns True if nested quotas are being used.

class ReservableResource(name, sync, flag=None)
Bases: cinder.quota.BaseResource
Describe a reservable resource.

class VolumeTypeQuotaEngine(quota_driver_class=None)
Bases: cinder.quota.QuotaEngine
Represent the set of all quotas.

register_resource(resource)

register_resources(resources)

resources
Fetches all possible quota resources.

update_quota_resource(context, old_type_name, new_type_name)
Update a resource in the quotas. This updates the resource in quotas, quota_classes, and quota_usages once the name of a volume type is changed.
Parameters:
- context – The request context, for access checks.
- old_type_name – The old name of the volume type.
- new_type_name – The new name of the volume type.

class VolumeTypeResource(part_name, volume_type)
Bases: cinder.quota.ReservableResource
ReservableResource for a specific volume type.
The cinder.auth.signer Module
Auth Manager
The cinder.auth.manager Module
Tests
The auth_unittest Module
The access_unittest Module
The quota_unittest Module
Legacy Docs
Cinder provides RBAC (Role-based access control) of the AWS-type APIs. We define the following roles:
Roles-Based Access Control of AWS-style APIs using SAML Assertions
“Achieving FIPS 199 Moderate certification of a hybrid cloud environment using CloudAudit and declarative C.I.A. classifications”
Introduction
We will investigate one method for integrating an AWS-style API with US eAuthentication-compatible federated authentication systems, to achieve access controls and limits based on traditional operational roles.
Additionally, we will look at how combining this approach, with an implementation of the CloudAudit APIs, will allow us to achieve a certification under FIPS 199 Moderate classification for a hybrid cloud environment.
Relationship of US eAuth to RBAC
Typical implementations of US eAuth authentication systems are structured as follows:
[ MS Active Directory or other federated LDAP user store ]
--> backends to…
[ SUN Identity Manager or other SAML Policy Controller ]
--> maps URLs to groups…
[ Apache Policy Agent in front of eAuth-secured Web Application ]
In more ideal implementations, the remainder of the application-specific account information is stored either in extended schema on the LDAP server itself, via the use of a translucent LDAP proxy, or in an independent datastore keyed off of the UID provided via SAML assertion.
Roles
AWS API calls are traditionally secured via Access and Secret Keys, which are used to sign API calls, along with traditional timestamps to prevent replay attacks. The APIs can be logically grouped into sets that align with five typical roles:
- Base User
- System Administrator/Developer (currently have the same permissions)
- Network Administrator
- Project Manager
- Cloud Administrator/IT-Security (currently have the same permissions)
There is an additional, conceptual end-user that may or may not have API access:
- (EXTERNAL) End-user / Third-party User
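The paragraph above names the two properties an AWS-style API relies on before any role check can happen: the call is signed with a secret key tied to an access key, and a timestamp bounds how long a captured request stays valid. The following is an added example, not Cinder's code and not AWS's actual signature scheme: a generic HMAC-over-canonical-parameters signature with a freshness window and a seen-signature set, with the key store, window size and request all constructed.

```python
# Added example, not Cinder's code and not AWS's actual signature algorithm:
# an HMAC-signed request with a timestamp freshness window and a seen-signature
# set, to show the two properties the paragraph names (calls are signed with a
# secret key; timestamps bound replay). Keys, window and requests are constructed.
import datetime
import hashlib
import hmac

MAX_CLOCK_SKEW = datetime.timedelta(minutes=5)   # constructed freshness window

# Constructed key store: access key id -> secret key (held server side only).
KEYSTORE = {"AKIAEXAMPLE": "constructed-secret-key"}


def canonical(params):
    """Deterministic serialization so both sides sign exactly the same bytes."""
    return "&".join("%s=%s" % (key, params[key]) for key in sorted(params))


def sign(secret_key, params):
    return hmac.new(secret_key.encode(), canonical(params).encode(), hashlib.sha256).hexdigest()


def make_request(access_key_id, secret_key, action, now, **extra):
    """Client side: build the parameter set (timestamp included) and sign it."""
    params = {"Action": action, "AWSAccessKeyId": access_key_id,
              "Timestamp": now.isoformat(), **extra}
    return params, sign(secret_key, params)


def verify(params, signature, now, seen_signatures):
    """Server side: return (accepted, reason). `seen_signatures` persists across calls."""
    secret = KEYSTORE.get(params.get("AWSAccessKeyId"))
    if secret is None:
        return False, "unknown access key"
    try:
        issued = datetime.datetime.fromisoformat(params["Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - issued) > MAX_CLOCK_SKEW:
        return False, "timestamp outside freshness window"
    # Constant-time comparison; the signature covers every parameter, timestamp included.
    if not hmac.compare_digest(sign(secret, params), signature):
        return False, "signature mismatch"
    if signature in seen_signatures:
        return False, "replayed request"
    seen_signatures.add(signature)
    return True, "ok"


def demo():
    """Accept a fresh call, then refuse its replay, a tampered copy, and a stale copy."""
    now = datetime.datetime(2020, 1, 1, 12, 0, tzinfo=datetime.timezone.utc)
    seen = set()
    params, sig = make_request("AKIAEXAMPLE", KEYSTORE["AKIAEXAMPLE"], "DescribeVolumes", now)
    first = verify(params, sig, now, seen)[0]
    replay = verify(params, sig, now + datetime.timedelta(seconds=10), seen)[1]
    tampered = dict(params, Action="DeleteVolume")        # altered after signing
    altered = verify(tampered, sig, now, seen)[1]
    stale = verify(params, sig, now + datetime.timedelta(minutes=6), set())[1]
    return first, replay, altered, stale
```

The timestamp alone only narrows the replay window; the seen-signature set is what closes it, and in a multi-node API it has to be shared (and pruned once entries are older than the skew window) or a captured call can be replayed against a node that never saw it.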
Basic operations are available to any user:
- Describe Instances
- Describe Images
- Describe Volumes
- Describe Keypairs
- Create Keypair
- Delete Keypair
- Create, Upload, Delete: Buckets and Keys (Object Store)
System Administrators/Developers/Project Manager:
- Create, Attach, Delete Volume (Block Store)
- Launch, Reboot, Terminate Instance
- Register/Unregister Machine Image (project-wide)
- Request / Review CloudAudit Scans
Project Manager:
- Add and remove other users (currently no api)
- Set roles (currently no api)
Network Administrator:
- Change Machine Image properties (public / private)
- Change Firewall Rules, define Security Groups
- Allocate, Associate, Disassociate Public IP addresses
Cloud Administrator/IT-Security:
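The groupings above amount to a permission matrix: each role is the set of API calls it may issue, and anything not granted by some held role is denied. The following is an added example, not Cinder's code: a deny-by-default matrix built from the lists above with an authorize() check. The AWS-style action names are my mapping of the operations listed (the CloudAudit scan actions are constructed names), and giving the Cloud Administrator/IT-Security role every action is an assumption, since the page leaves that role's list empty.

```python
# Added example, not Cinder's code: a deny-by-default permission matrix built
# from the role groupings listed on this page, with an authorize() check.
# Action names are AWS-style equivalents of the listed operations (my mapping;
# the CloudAudit ones are constructed). Cloud Administrator/IT-Security gets
# every action here, which is an assumption: the page leaves that list empty.
BASE_OPERATIONS = frozenset({
    "DescribeInstances", "DescribeImages", "DescribeVolumes", "DescribeKeyPairs",
    "CreateKeyPair", "DeleteKeyPair",
    "CreateBucket", "PutObject", "DeleteObject", "DeleteBucket",   # object store
})
SYSADMIN_OPERATIONS = frozenset({
    "CreateVolume", "AttachVolume", "DeleteVolume",
    "RunInstances", "RebootInstances", "TerminateInstances",
    "RegisterImage", "DeregisterImage",
    "RequestCloudAuditScan", "DescribeCloudAuditScans",            # constructed names
})
PROJECT_MANAGER_OPERATIONS = frozenset({"AddUser", "RemoveUser", "SetRole"})  # no API yet per the page
NETADMIN_OPERATIONS = frozenset({
    "ModifyImageAttribute",
    "CreateSecurityGroup", "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "AllocateAddress", "AssociateAddress", "DisassociateAddress",
})
ALL_OPERATIONS = BASE_OPERATIONS | SYSADMIN_OPERATIONS | PROJECT_MANAGER_OPERATIONS | NETADMIN_OPERATIONS

ROLE_PERMISSIONS = {
    "base_user": BASE_OPERATIONS,
    "sysadmin": BASE_OPERATIONS | SYSADMIN_OPERATIONS,
    "developer": BASE_OPERATIONS | SYSADMIN_OPERATIONS,      # same permissions as sysadmin today
    "project_manager": BASE_OPERATIONS | SYSADMIN_OPERATIONS | PROJECT_MANAGER_OPERATIONS,
    "netadmin": BASE_OPERATIONS | NETADMIN_OPERATIONS,
    "cloud_admin": ALL_OPERATIONS,                           # assumption, see above
    "it_security": ALL_OPERATIONS,                           # same permissions as cloud_admin today
}


def authorize(roles, action):
    """Allow only if some held role grants the action; unknown roles grant nothing."""
    return any(action in ROLE_PERMISSIONS.get(role, frozenset()) for role in roles)


def roles_granting(action):
    """Roles that would grant the action (useful in an audit log for a denied call)."""
    return sorted(role for role, perms in ROLE_PERMISSIONS.items() if action in perms)
```

Two consequences of the matrix are worth checking in any implementation: the external end-user mentioned above holds no listed role, so authorize() denies every action for it rather than falling through to the base set; and a network administrator cannot launch instances even though a project manager can change image visibility only through a network-administrator role, which is exactly the separation the groupings intend.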
Enhancements
- SAML Token passing
- REST interfaces
- SOAP interfaces
Wrapping the SAML token into the API calls.
Then store the UID (fetched via backchannel) into the instance metadata, providing end-to-end auditability of ownership and responsibility, without PII.
CloudAudit APIs
- Request formats
- Response formats
- Stateless asynchronous queries
CloudAudit queries may spawn long-running processes (similar to launching instances, etc.) They need to return a ReservationId in the same fashion, which can be returned in further queries for updates.
RBAC of CloudAudit API calls is critical, since detailed system information is a system vulnerability.
Type declarations
- Data declarations – Volumes and Objects
- System declarations – Instances
Existing API calls to launch instances specify a single, combined “type” flag. We propose to extend this with three additional type declarations, mapping to the “Confidentiality, Integrity, Availability” classifications of FIPS 199. An example API call would look like:
RunInstances type=m1.large number=1 secgroup=default key=mykey confidentiality=low integrity=low availability=low
These additional parameters would also apply to creation of block storage volumes (along with the existing parameter of ‘size’), and creation of object storage ‘buckets’. (C.I.A. classifications on a bucket would be inherited by the keys within this bucket.)
Request Brokering
- Cloud Interop
- IMF Registration / PubSub
- Digital C&A
Establishing declarative semantics for individual API calls will allow the cloud environment to seamlessly proxy these API calls to external, third-party vendors – when the requested CIA levels match.
See related work within the Infrastructure 2.0 working group for more information on how the IMF Metadata specification could be utilized to manage registration of these vendors and their C&A credentials.
Dirty Cloud - Hybrid Data Centers
- CloudAudit bridge interfaces
- Anything in the ARP table
A hybrid cloud environment provides dedicated, potentially co-located physical hardware with a network interconnect to the project or users’ cloud virtual network.
This interconnect is typically a bridged VPN connection. Any machines that can be bridged into a hybrid environment in this fashion (at Layer 2) must implement a minimum version of the CloudAudit spec, such that they can be queried to provide a complete picture of the IT-sec runtime environment.
Network discovery protocols (ARP, CDP) can be applied in this case, and existing protocols (SNMP location data, DNS LOC records) overloaded to provide CloudAudit information.
The Details
- Preliminary Roles Definitions
- Categorization of available API calls
- SAML assertion vocabulary
System limits
The following limits need to be defined and enforced:
- Total number of instances allowed (user / project)
- Total number of instances, per instance type (user / project)
- Total number of volumes (user / project)
- Maximum size of volume
- Cumulative size of all volumes
- Total use of object storage (GB)
- Total number of Public IPs
Further Challenges
- Prioritization of users / jobs in shared computing environments
- Incident response planning
- Limit launch of instances to specific security groups based on AMI
- Store AMIs in LDAP for added property control