Relationship based access control service for OpenStack

UTSA-ICS/rebac

rebac

REBAC PDP service for OpenStack

This service will act as a Policy Decision Point (PDP) for any OpenStack service.
An OpenStack service's Policy Enforcement engine will make a REST call to the REBAC PDP service for a Policy Decision.
The REBAC PDP service will always respond with 'True' or 'False' as the result of the Policy Query.
In addition to the standard OpenStack HTTP headers, the following two HTTP headers are required by the REBAC PDP API:

  1. 'X-Action'
  2. 'X-Target'
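
An added example (not code from the rebac project) of how a service's enforcement point could issue the query described above and fail closed: only a clean 'True' permits, everything else denies. The endpoint URL, the plain-text response body, the use of GET, and the action/target values are assumptions; the stub PDP is constructed so the example runs offline.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def pdp_allows(pdp_url, token, action, target, timeout=3.0):
    """Ask the PDP for a decision; anything other than a clean 'True' is a deny."""
    req = urllib.request.Request(pdp_url, headers={
        "X-Auth-Token": token,  # standard OpenStack auth header
        "X-Action": action,     # required by the REBAC PDP API
        "X-Target": target,     # required by the REBAC PDP API
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Read a bounded amount; tolerate a quoted 'True' (assumed body format).
            body = resp.read(64).decode("ascii", "replace").strip().strip("'\"")
            return resp.status == 200 and body == "True"
    except Exception:
        # PDP unreachable, timeout, HTTP error, malformed reply: fail closed.
        return False

class StubPDP(BaseHTTPRequestHandler):
    """Constructed stand-in for the PDP (not the real rebac-api)."""
    RULES = {("compute:start", "server-1")}  # constructed sample policy

    def do_GET(self):
        action = self.headers.get("X-Action")
        target = self.headers.get("X-Target")
        if not action or not target:
            self.send_error(400, "X-Action and X-Target are required")
            return
        body = str((action, target) in self.RULES).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_stub():
    """Start the stub on an ephemeral localhost port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), StubPDP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_port

if __name__ == "__main__":
    server, url = start_stub()
    print(pdp_allows(url, "tok", "compute:start", "server-1"))
    print(pdp_allows(url, "tok", "compute:delete", "server-1"))
    server.shutdown()
```
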

First you will need to download the rebac project:
a.) cd /opt/stack
b.) git clone https://github.com/UTSA-ICS/rebac.git
c.) sudo mkdir /etc/rebac/

To be able to use this service do the following:
1.) Copy rebac/etc to /etc/rebac
    sudo cp /opt/stack/rebac/etc/* /etc/rebac/.
2.) Create a directory called /var/cache/rebac and give it 777 permission
    sudo mkdir /var/cache/rebac
    sudo chmod 777 /var/cache/rebac
3.) Create a user [rebac] with password [admin] in the service tenant with 'admin' role
    keystone user-create --name rebac --pass admin --enabled true
    keystone user-role-add --user rebac --role admin --tenant service
4.) Create a service called 'rebac' in Keystone
    keystone service-create --type rebac --name rebac --description "Relationship based access control"
5.) To start the REBAC service run the following commands:
    cd /opt/stack; sudo pip install -e rebac
    cd /opt/stack/rebac; /opt/stack/rebac/bin/rebac-api --config-file=/etc/rebac/rebac-api.conf || touch "/opt/stack/status/stack/rebac-api.failure"
6.) Verify that the rebac service is running in screen

To Test Usage:
