Policy Decision Point Framework (PDP)

Hierarchical Admin roles

In a large operator with multi-location, multi-tenant environment, there are requirements for multiple operator/support teams looking after their local user/customers, and high level administrators who are supervising multiple of those teams.

Example use case

"regional support team A" is looking after customers #1 to #1000 in their location and have access to customer's resources.

"regional support team B" is looking after customers #1001 to #2000 in their location and have access to customer's resources.

"Supervisor A" is a manager responsible for regional support team A and B and has "admin" access to resources of customers #1 to #2000

"Supervisor B" is a manager responsible for other support teams(C and D) and has "admin" access to resources of customers #2001 to #4000

Regional support team A can not access to resources of customers #1001 to #2000 and vice versa.

Service provider provides "Service VMs" to customers.

”Service VMs” adds functions/ capabilities to customer's tenant network, i.e. FW, Storage, LB

Service VMs are managed by service providers and customers do no have direct access to VMs including control over Nova APIs and console. 

Example customer network

• VM1: customer's server

• VM2: customer's server

• VM3: ServiceVM1(FW)  managed by provider1

• VM4: Service VM2(IDS) managed by provider2

VM3 and 4 are created by service providers based on service order from the customer.

Customer have control over VM1 and 2 but can not control(e.g. delete/update/detach/console access) VM3 and 4.

VM3 and VM4 have web-based control GUI for customers to config.

A cloud operator exposes OpenStack APIs to end customers.

The operator wants to restrict users to access immature functions. (e.g. New/experimental functions not well tested by the community/operator)

The operator wants to make APIs invisible to the end users, or restrict users to access to the APIs (granularity of request parameters is necessary for APIs like /servers/{id}/action)

*Note: This can be achieved by editing policy.json but not sure if every projects have implemented policy enforcement to every API/features so this might end up checking all APIs in every projects...