Skip to content

Add flavor permission rules#581

Draft
seb-kro wants to merge 2 commits into
stable/2023.2-m3from
I759286/flavor_permission_rules
Draft

Add flavor permission rules#581
seb-kro wants to merge 2 commits into
stable/2023.2-m3from
I759286/flavor_permission_rules

Conversation

@seb-kro

@seb-kro seb-kro commented Nov 4, 2025

Copy link
Copy Markdown

Flavor access is currently controlled via private/public flavors and the flavor access list aka FlavorProjects. To restrict access to a flavor, it must be turned private and access must be granted individually to each project.

This adds flavor permission rules for a more flexible flavor permission management. These rules are independent of flavor privacy and the flavor access list. So a flavor is only available to a project if allowed by both the flavor permission rules and the flavor access list.

Each flavor permission rule has a project_id, a scope (domain or project), an optional flavor_id and a type (allow or deny).

The two scopes of flavor permission rules are derived from the project hierarchy:

  • domain scope rules have a domain project_id and apply to all projects within that domain
  • project scope rules have a project_id of a non-domain project, apply only to that project itself and are not inherited by sub-projects

A flavor is permitted for a project if it is permitted at both the domain scope and the project scope. Rules without a 'flavor_id' define the domain's or project's default behavior for flavors without a flavor-specific rule. If a domain or project does not have a default behavior rule, then all flavors are permitted at that scope by default.

There is at most one flavor permission rule for each combination of project_id, scope and flavor_id. Consequently, a flavor is only denied at a scope if for the corresponding project_id:

  • there is a deny rule matching the flavor_id
  • OR there is a deny rule without a flavor_id AND there is no allow rule matching the flavor_id

Issue: https://github.wdf.sap.corp/sap-cloud-infrastructure/nova-issues/issues/189

Change-Id: I5e1332d111c07ee714f2965c558f393c8568ffaf

@seb-kro seb-kro force-pushed the I759286/flavor_permission_rules branch from 1108c89 to 76b89e5 Compare November 5, 2025 01:30
@seb-kro seb-kro force-pushed the I759286/flavor_permission_rules branch 4 times, most recently from 90989d8 to fb0d424 Compare July 10, 2026 10:31
seb-kro added 2 commits July 10, 2026 15:44
Flavor access is currently controlled via private/public flavors and the
flavor access list aka `FlavorProjects`. To restrict access to a flavor,
it must be turned private and access must be granted individually to
each project.

To support external customers, we want to restrict access to
certain flavors for arbitrary domains while keeping these flavors
publicly accessible on other domain without additional configuration
needs. Additionally, we want to enable project owners to configure
project-specific flavor access.

This adds flavor permission rules as a new mechanism for controlling
flavor access. These rules are independent of flavor privacy and the
flavor access list. So a flavor is only available to a project if
allowed by both the flavor permission rules and the flavor access list.

Each flavor permission rule has a `project_id`, a scope (`domain` or
`project`), an optional `flavor_id` and a `type` (`allow` or `deny`).

The two scopes of flavor permission rules are derived from the project
hierarchy:
- `domain` scope rules have a domain `project_id` and apply to all
  projects within that domain
- `project` scope rules have a `project_id` of a non-domain project,
  apply only to that project itself and are not inherited by
  sub-projects

A flavor is permitted for a project if it is permitted at both the
domain scope and the project scope. Rules without a `flavor_id` define
the domain's or project's default behavior for flavors without a
flavor-specific rule. If a domain or project does not have a default
behavior rule, then all flavors are permitted at that scope by default.

There is at most one flavor permission rule for each combination of
`project_id` and `flavor_id`. Consequently, a flavor is only denied at a
scope if for the corresponding `project_id`:
- there is a `deny` rule matching the `flavor_id`
- OR there is a `deny` rule without a `flavor_id` AND there is no
  `allow` rule matching the `flavor_id`

Change-Id: I5e1332d111c07ee714f2965c558f393c8568ffaf
Enforce flavor permission rules for all flavor object get-functions by
extending the filtering of the default flavor query. All get-functions
are extended with an `include_project_denied` parameter that allows to
return flavors denied at project scope also for non-admin contexts.
Domain scope rules still apply.

A flavor is denied at a scope if for the corresponding `project_id`:
- there is a `deny` rule matching the `flavor_id`
- OR there is a `deny` rule without a `flavor_id` AND there is no
  `allow` rule matching the `flavor_id`

Just like the existing flavor privacy mechanisms (private flavors/flavor
access list), the flavor permissions rules do not take effect for admin
contexts and do not restrict the flavor object create, save and destroy
methods in any way.

The `Flavor` and `FlavorList` hashes in `test_objects` are updated to
reflect the new fingerprints that result from adding the
`include_project_denied` to the remotable class methods. Since the
parameter has a default, the method signature changes are
backward-compatible and we do not bump the object versions.

Change-Id: Ic17dcc21a07a383e26822a5fbf7cf5cfc5383ec6
@seb-kro seb-kro force-pushed the I759286/flavor_permission_rules branch from fb0d424 to 0ecf556 Compare July 10, 2026 13:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant