Authentication and Authorization

The cinder.quota Module

Quotas for volumes.

class AbsoluteResource(name, flag=None, parent_project_id=None)

Bases: cinder.quota.BaseResource

Describe a non-reservable resource.

class BaseResource(name, flag=None, parent_project_id=None)

Bases: object

Describe a single resource for quota checking.

default

Return the default value of the quota.

quota(driver, context, **kwargs)

Given a driver and context, obtain the quota for this resource.

Parameters:
  • driver – A quota driver.
  • context – The request context.
  • project_id – The project to obtain the quota value for. If not provided, it is taken from the context. If it is given as None, no project-specific quota will be searched for.
  • quota_class – The quota class corresponding to the project, or for which the quota is to be looked up. If not provided, it is taken from the context. If it is given as None, no quota class-specific quota will be searched for. Note that the quota class defaults to the value in the context, which may not correspond to the project if project_id is not the same as the one in the context.
class CGQuotaEngine(quota_driver_class=None)

Bases: cinder.quota.QuotaEngine

Represent the consistencygroup quotas.

register_resource(resource)
register_resources(resources)
resources

Fetches all possible quota resources.

class CountableResource(name, count, flag=None)

Bases: cinder.quota.AbsoluteResource

Describe a resource where counts aren’t based only on the project ID.

class DbQuotaDriver

Bases: object

Driver to perform check to enforcement of quotas.

Also allows to obtain quota information. The default driver utilizes the local database.

commit(context, reservations, project_id=None)

Commit reservations.

Parameters:
  • context – The request context, for access checks.
  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
destroy_by_project(context, project_id)

Destroy all limit quotas associated with a project.

Leave usage and reservation quotas intact.

Parameters:
  • context – The request context, for access checks.
  • project_id – The ID of the project being deleted.
expire(context)

Expire reservations.

Explores all currently existing reservations and rolls back any that have expired.

Parameters:context – The request context, for access checks.
get_by_class(context, quota_class, resource_name)

Get a specific quota by quota class.

get_by_project(context, project_id, resource_name)

Get a specific quota by project.

get_class_quotas(context, resources, quota_class, defaults=True)

Given list of resources, retrieve the quotas for given quota class.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • quota_class – The name of the quota class to return quotas for.
  • defaults – If True, the default value will be reported if there is no specific value for the resource.
get_default(context, resource, project_id)

Get a specific default quota for a resource.

get_defaults(context, resources, project_id=None)

Given a list of resources, retrieve the default quotas.

Use the class quotas named _DEFAULT_QUOTA_NAME as default quotas, if it exists.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • project_id – The id of the current project
get_project_quotas(context, resources, project_id, quota_class=None, defaults=True, usages=True)

Retrieve quotas for a project.

Given a list of resources, retrieve the quotas for the given project.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • project_id – The ID of the project to return quotas for.
  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified. It will be ignored if project_id == context.project_id.
  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.
  • usages – If True, the current in_use, reserved and allocated counts will also be returned.
limit_check(context, resources, values, project_id=None)

Check simple quota limits.

For limits–those quotas for which there is no usage synchronization function–this method checks that a set of proposed values are permitted by the limit restriction.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it is not a simple limit resource.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns nothing.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • values – A dictionary of the values to check against the quota.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
reserve(context, resources, deltas, expire=None, project_id=None)

Check quotas and reserve resources.

For counting quotas–those quotas for which there is a usage synchronization function–this method checks quotas against current usage and the desired deltas.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it does not have a usage synchronization function.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns a list of reservation UUIDs which were created.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • deltas – A dictionary of the proposed delta changes.
  • expire – An optional parameter specifying an expiration time for the reservations. If it is a simple number, it is interpreted as a number of seconds and added to the current time; if it is a datetime.timedelta object, it will also be added to the current time. A datetime.datetime object will be interpreted as the absolute expiration time. If None is specified, the default expiration time set by –default-reservation-expire will be used (this value will be treated as a number of seconds).
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
rollback(context, reservations, project_id=None)

Roll back reservations.

Parameters:
  • context – The request context, for access checks.
  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
class NestedDbQuotaDriver

Bases: cinder.quota.DbQuotaDriver

get_default(context, resource, project_id)

Get a specific default quota for a resource.

get_defaults(context, resources, project_id=None)
validate_nested_setup(ctxt, resources, project_tree, fix_allocated_quotas=False)

Ensures project_tree has quotas that make sense as nested quotas.

Validates the following:
  • No parent project has child_projects who have more combined quota than the parent’s quota limit
  • No child quota has a larger in-use value than it’s current limit (could happen before because child default values weren’t enforced)
  • All parent projects’ “allocated” quotas match the sum of the limits of its children projects
TODO(mc_nair): need a better way to “flip the switch” to use nested
quotas to make this less race-ee
class QuotaEngine(quota_driver_class=None)

Bases: object

Represent the set of recognized quotas.

add_volume_type_opts(context, opts, volume_type_id)

Add volume type resource options.

Adds elements to the opts hash for volume type quotas. If a resource is being reserved (‘gigabytes’, etc) and the volume type is set up for its own quotas, these reservations are copied into keys for ‘gigabytes_<volume type name>’, etc.

Parameters:
  • context – The request context, for access checks.
  • opts – The reservations options hash.
  • volume_type_id – The volume type id for this reservation.
commit(context, reservations, project_id=None)

Commit reservations.

Parameters:
  • context – The request context, for access checks.
  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
count(context, resource, *args, **kwargs)

Count a resource.

For countable resources, invokes the count() function and returns its result. Arguments following the context and resource are passed directly to the count function declared by the resource.

Parameters:
  • context – The request context, for access checks.
  • resource – The name of the resource, as a string.
destroy_by_project(context, project_id)

Destroy all quota limits associated with a project.

Parameters:
  • context – The request context, for access checks.
  • project_id – The ID of the project being deleted.
expire(context)

Expire reservations.

Explores all currently existing reservations and rolls back any that have expired.

Parameters:context – The request context, for access checks.
get_by_class(context, quota_class, resource_name)

Get a specific quota by quota class.

get_by_project(context, project_id, resource_name)

Get a specific quota by project.

get_by_project_or_default(context, project_id, resource_name)

Get specific quota by project or default quota if doesn’t exists.

get_class_quotas(context, quota_class, defaults=True)

Retrieve the quotas for the given quota class.

Parameters:
  • context – The request context, for access checks.
  • quota_class – The name of the quota class to return quotas for.
  • defaults – If True, the default value will be reported if there is no specific value for the resource.
get_default(context, resource, parent_project_id=None)

Get a specific default quota for a resource.

Parameters:parent_project_id – The id of the current project’s parent, if any.
get_defaults(context, project_id=None)

Retrieve the default quotas.

Parameters:
  • context – The request context, for access checks.
  • project_id – The id of the current project
get_project_quotas(context, project_id, quota_class=None, defaults=True, usages=True)

Retrieve the quotas for the given project.

Parameters:
  • context – The request context, for access checks.
  • project_id – The ID of the project to return quotas for.
  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified.
  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.
  • usages – If True, the current in_use, reserved and allocated counts will also be returned.
limit_check(context, project_id=None, **values)

Check simple quota limits.

For limits–those quotas for which there is no usage synchronization function–this method checks that a set of proposed values are permitted by the limit restriction. The values to check are given as keyword arguments, where the key identifies the specific quota limit to check, and the value is the proposed value.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it is not a simple limit resource.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns nothing.

Parameters:
  • context – The request context, for access checks.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
register_resource(resource)

Register a resource.

register_resources(resources)

Register a list of resources.

reserve(context, expire=None, project_id=None, **deltas)

Check quotas and reserve resources.

For counting quotas–those quotas for which there is a usage synchronization function–this method checks quotas against current usage and the desired deltas. The deltas are given as keyword arguments, and current usage and other reservations are factored into the quota check.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it does not have a usage synchronization function.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns a list of reservation UUIDs which were created.

Parameters:
  • context – The request context, for access checks.
  • expire – An optional parameter specifying an expiration time for the reservations. If it is a simple number, it is interpreted as a number of seconds and added to the current time; if it is a datetime.timedelta object, it will also be added to the current time. A datetime.datetime object will be interpreted as the absolute expiration time. If None is specified, the default expiration time set by –default-reservation-expire will be used (this value will be treated as a number of seconds).
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
resource_names
resources
rollback(context, reservations, project_id=None)

Roll back reservations.

Parameters:
  • context – The request context, for access checks.
  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
using_nested_quotas()

Returns true if nested quotas are being used

class ReservableResource(name, sync, flag=None)

Bases: cinder.quota.BaseResource

Describe a reservable resource.

class VolumeTypeQuotaEngine(quota_driver_class=None)

Bases: cinder.quota.QuotaEngine

Represent the set of all quotas.

register_resource(resource)
register_resources(resources)
resources

Fetches all possible quota resources.

update_quota_resource(context, old_type_name, new_type_name)

Update resource in quota.

This is to update resource in quotas, quota_classes, and quota_usages once the name of a volume type is changed.

Parameters:
  • context – The request context, for access checks.
  • old_type_name – old name of volume type.
  • new_type_name – new name of volume type.
class VolumeTypeResource(part_name, volume_type)

Bases: cinder.quota.ReservableResource

ReservableResource for a specific volume type.

The cinder.auth.signer Module

Auth Manager

The cinder.auth.manager Module

Tests

The auth_unittest Module

The access_unittest Module

The quota_unittest Module

Legacy Docs

Cinder provides RBAC (Role-based access control) of the AWS-type APIs. We define the following roles:

Roles-Based Access Control of AWS-style APIs using SAML Assertions “Achieving FIPS 199 Moderate certification of a hybrid cloud environment using CloudAudit and declarative C.I.A. classifications”

Introduction

We will investigate one method for integrating an AWS-style API with US eAuthentication-compatible federated authentication systems, to achieve access controls and limits based on traditional operational roles. Additionally, we will look at how combining this approach, with an implementation of the CloudAudit APIs, will allow us to achieve a certification under FIPS 199 Moderate classification for a hybrid cloud environment.

Relationship of US eAuth to RBAC

Typical implementations of US eAuth authentication systems are structured as follows:

[ MS Active Directory or other federated LDAP user store ]
      --> backends to…
[ SUN Identity Manager or other SAML Policy Controller ]
      --> maps URLs to groups…
[ Apache Policy Agent in front of eAuth-secured Web Application ]

In more ideal implementations, the remainder of the application-specific account information is stored either in extended schema on the LDAP server itself, via the use of a translucent LDAP proxy, or in an independent datastore keyed off of the UID provided via SAML assertion.

Roles

AWS API calls are traditionally secured via Access and Secret Keys, which are used to sign API calls, along with traditional timestamps to prevent replay attacks. The APIs can be logically grouped into sets that align with five typical roles:

  • Base User
  • System Administrator/Developer (currently have the same permissions)
  • Network Administrator
  • Project Manager
  • Cloud Administrator/IT-Security (currently have the same permissions)

There is an additional, conceptual end-user that may or may not have API access:

  • (EXTERNAL) End-user / Third-party User

Basic operations are available to any :

  • Describe Instances
  • Describe Images
  • Describe Volumes
  • Describe Keypairs
  • Create Keypair
  • Delete Keypair
  • Create, Upload, Delete: Buckets and Keys (Object Store)

System Administrators/Developers/Project Manager:

  • Create, Attach, Delete Volume (Block Store)
  • Launch, Reboot, Terminate Instance
  • Register/Unregister Machine Image (project-wide)
  • Request / Review CloudAudit Scans

Project Manager:

  • Add and remove other users (currently no api)
  • Set roles (currently no api)

Network Administrator:

  • Change Machine Image properties (public / private)
  • Change Firewall Rules, define Security Groups
  • Allocate, Associate, Deassociate Public IP addresses

Cloud Administrator/IT-Security:

  • All permissions

Enhancements

  • SAML Token passing
  • REST interfaces
  • SOAP interfaces

Wrapping the SAML token into the API calls. Then store the UID (fetched via backchannel) into the instance metadata, providing end-to-end auditability of ownership and responsibility, without PII.

CloudAudit APIs

  • Request formats
  • Response formats
  • Stateless asynchronous queries

CloudAudit queries may spawn long-running processes (similar to launching instances, etc.) They need to return a ReservationId in the same fashion, which can be returned in further queries for updates. RBAC of CloudAudit API calls is critical, since detailed system information is a system vulnerability.

Type declarations

  • Data declarations – Volumes and Objects
  • System declarations – Instances

Existing API calls to launch instances specific a single, combined “type” flag. We propose to extend this with three additional type declarations, mapping to the “Confidentiality, Integrity, Availability” classifications of FIPS 199. An example API call would look like:

RunInstances type=m1.large number=1 secgroup=default key=mykey confidentiality=low integrity=low availability=low

These additional parameters would also apply to creation of block storage volumes (along with the existing parameter of ‘size’), and creation of object storage ‘buckets’. (C.I.A. classifications on a bucket would be inherited by the keys within this bucket.)

Request Brokering

  • Cloud Interop
  • IMF Registration / PubSub
  • Digital C&A

Establishing declarative semantics for individual API calls will allow the cloud environment to seamlessly proxy these API calls to external, third-party vendors – when the requested CIA levels match.

See related work within the Infrastructure 2.0 working group for more information on how the IMF Metadata specification could be utilized to manage registration of these vendors and their C&A credentials.

Dirty Cloud - Hybrid Data Centers

  • CloudAudit bridge interfaces
  • Anything in the ARP table

A hybrid cloud environment provides dedicated, potentially co-located physical hardware with a network interconnect to the project or users’ cloud virtual network.

This interconnect is typically a bridged VPN connection. Any machines that can be bridged into a hybrid environment in this fashion (at Layer 2) must implement a minimum version of the CloudAudit spec, such that they can be queried to provide a complete picture of the IT-sec runtime environment.

Network discovery protocols (ARP, CDP) can be applied in this case, and existing protocols (SNMP location data, DNS LOC records) overloaded to provide CloudAudit information.

The Details

  • Preliminary Roles Definitions
  • Categorization of available API calls
  • SAML assertion vocabulary

System limits

The following limits need to be defined and enforced:

  • Total number of instances allowed (user / project)
  • Total number of instances, per instance type (user / project)
  • Total number of volumes (user / project)
  • Maximum size of volume
  • Cumulative size of all volumes
  • Total use of object storage (GB)
  • Total number of Public IPs

Further Challenges

  • Prioritization of users / jobs in shared computing environments
  • Incident response planning
  • Limit launch of instances to specific security groups based on AMI
  • Store AMIs in LDAP for added property control

Table Of Contents

Previous topic

Storage Volumes, Disks

Next topic

API Endpoint

Project Source

This Page

Navigation

© Copyright 2010-present, OpenStack Foundation. Last updated on 'Fri Feb 3 06:33:49 2017, commit 13ea6dd'. Created using Sphinx 1.2.3.