CORD security policies are implemented by XOS. These policies answer the question: Who can do what? The who in this case generally refers to a user (represented by a User model), but it can also refer to an API context. The what refers to two things: (1) the piece of information being accessed (a model, an object, or a field within that object), and (2) the access type (whether it is a read, a write, or a privilege update).
The mechanism for expressing these policies is provided by xproto’s policy extensions. The policies are enforced at the API boundary. When an API call is made, the appropriate policy is executed to determine whether or not access should be granted, and an audit trail is left behind. (Note: auditing is a TODO). The policy enforcers are auto-generated by the generative toolchain as part of the model generation process.
Policies are generic logic expressions and can operate on any model or on the environment, but they frequently use the Privilege model. Specifically, when a policy cannot be expressed as a general principle (e.g., “a user can do whatever they want to a slice if he or she is its creator”) and instead depends on dynamic conditions, then it is encoded with the help of Privilege objects. For example, a Privilege object may be created to indicate that a user who is not a slice’s creator has admin privileges on it.
Details on how policies are encoded can be found elsewhere. This document is about the “what” rather than the “how.”
The set of security policies is being bootstrapped into the following state:
Privilege objects are automatically created for Slices. Most access control (e.g., to Networks and Instances) is via Slice, so this privilege covers the bulk of the access control.
Privileges for other models need to be created manually via the API (e.g., Sites, Services).
Any principal that has access to object X is also granted access to object ControllerX.
There are three types of access permissions: Read, Write, and Grant. Grant arbitrates access to Privilege objects (e.g., a slice admin could grant slice admin privileges to a user).
The current policies are defined as follows:
*To be included...