Commit Graph

20 Commits

Author SHA1 Message Date
Takashi Kajinami 185f28a3b4 Isolate project scope and system scope
This change updates the default policies implemented in Heat, to follow
the updated guideline[1] to implement SRBAC.

The main change is that system users are no longer allowed to perform
any operations on project-level resources like stacks, while project
admin(*1) is still allowed to perform operations on project-level
resources BEYOND the project (like getting stacks for all projects by the
list stacks API).

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change

This also adds test cases to validate the reader role, which was almost
implemented in heat.

(*1)
If Keystone has an admin project defined, Heat checks an additional
requirement that request context is scoped by that admin project.

Change-Id: I943b3c1ce021cc05445b73fbc342b8386cf5bf6a
2023-06-28 18:38:59 +09:00
Przemyslaw Szczerbik 0e70383d08 Add OS::Neutron::QoSMinimumPacketRateRule resource
This patch adds a new resource to support ``minimum_packet_rate_rule``
QoS rule in Neutron.

Related-Bug: #1922237
Story: 2009686
Task: 43997
See-Also: https://review.opendev.org/785236
Change-Id: I29e205979b40e3e0d0746e1c22fa679736c853b7
2022-06-13 14:39:57 +02:00
Zane Bitter af7f8e380a Add separate policy for updates with no changes
Allow operators to set a different (presumably looser) policy on PATCH
updates that don't make any changes to the stack, but just retrigger a
new update traversal (that will result in e.g. replacing any unhealthy
resources).

Change-Id: Id29e7ec7f6cf127177ea7ab29127b0568afaa18b
Task: 37305
2021-03-15 17:38:14 +05:30
Rico Lin 7230082f87 Fix avoid deprecation warnings from policy
We received a huge amount of warnings during service start.
Most are about stopping the use of `deprecated_reason` and `deprecated_since`
in `policy.DocumentedRuleDefault` directly; they should be used under
`policy.DeprecatedRule` instead.

This patch applies the above suggestion.
Also bump the oslo.policy lower-constraints and requirements to `3.7.0` to align
policy behavior.

Story: 2008707
Task: 42041

Change-Id: Iefcfc30a051fe25ccc5121c7ddb817e8c271fcb6
2021-03-12 20:46:17 +08:00
Lance Bragstad 93594c30ec Implement secure RBAC
This commit updates default policies to account for system scope
and default roles. This is part of a broader change to provide a
consistent and secure authorization experience across OpenStack
projects.

- Introduces basic/reusable check strings in base.py
- Implements secure RBAC for build info API
- Implements secure RBAC for the action API
- Implements secure RBAC for cloud formations
- Implements secure RBAC for events
- Implements secure RBAC for the resource API
- Implements secure RBAC for the service API
- Implements secure RBAC for software configs
- Implements secure RBAC for software deployments
- Implements secure RBAC for stacks
- Adds unit tests for legacy and new secure-rbac policies.

Change-Id: Iff1e39481ea3b1f00bd89dba4a00aed30334ecec
2021-03-02 09:32:41 +05:30
Bence Romsics b9d009abc9 New resource OS::Neutron::QoSMinimumBandwidthRule
The 'minimum_bandwidth_rule' QoS rule type of Neutron (supported in both
egress and ingress directions since the Stein release) did not have a
Heat resource yet. This change adds it.

Change-Id: I693fe2f7801f78f827ef1c74e5874018cd9cf51b
2020-04-27 17:00:24 +08:00
ricolin 1b070723ef Mark OS::Neutron::QoSDscpMarkingRule as admin only
Update the policy for admin-only resource types and add
``OS::Neutron::QoSDscpMarkingRule``, as the other OS::Neutron::QoS* resources are.

Change-Id: I0f0fa5f92816886b10f07e6d093e7bdeb58bc3f6
2020-04-26 15:30:21 +08:00
Zuul d8354d908e Merge "Add Octavia Quota Resource for lbaas quota parameters" 2020-03-12 04:12:46 +00:00
Haider, Nafiz (nh532m) bbb899a4f5 Add Octavia Quota Resource for lbaas quota parameters
Change-Id: Ib6423b9f14beefd3daf5ac5f516b49cdd9fa0a00
2020-03-06 20:08:44 +00:00
Zuul 920c4877bf Merge "Split 'action' policy into more granular controls" 2020-03-04 18:20:45 +00:00
Gregory Thiemonge 68a8219315 Add support for Octavia's Flavor and FlavorProfile resources
Added OS::Octavia::Flavor and OS::Octavia::FlavorProfile support.
Added flavor parameter in OS::Octavia::LoadBalancer.

Flavor and FlavorProfile allow configuring/tuning Load Balancer
capabilities (enable/disable HA, etc.)

Story: 2007081
Task: 37993

Change-Id: If31a888e5867ac6941ff0d515d4b88894fb97572
2020-01-20 18:57:37 +01:00
Zane Bitter 6f8837d84e Split 'action' policy into more granular controls
Allow operators to specify different policies for each action, since
each action is quite different in character.

The previous "actions:action" rule remains and is the default for each
of the new rules, so there is no effect on existing policies and no
action required by the operator unless they want to take advantage of
the additional flexibility.

Change-Id: Ic4985e8637bc4f34ea2514075b30d2ec32f3441c
Task: 37296
2019-10-29 12:24:29 -04:00
Kazunori Shinohara 8c46dacd6a Add a Blazar Host resource
Add an OS::Blazar::Host resource plugin to support Blazar, which is a
resource reservation service in OpenStack.

Co-author: Asmita Singh <Asmita.Singh@nttdata.com>

Change-Id: Ie5b9373681943222268eb9144740f5733ffef750
Task: 22881
Story: 2002085
2019-02-18 06:41:23 +00:00
rabi 6d55417f80 Remove CloudWatch API
This patch removes the API, the next set of patches in the
series would remove stack watch service and related
WatchRule implementation.

Change-Id: I8b0472be862907298c8da51f435b5d8b19610ec3
Partial-Bug: #1743707
2018-01-28 09:11:17 +05:30
ricolin f2bc379242 [policy in code] part 6(cfn, cloudwatch)
Add cloudformation and cloudwatch policy-in-code rules.
Remove policy.json. We don't keep any default policy rules in
policy.json from now on. Still, they can create a policy.json file and
add any rules they want to override.
Partially-Implements: bp policy-in-code

Change-Id: I610115dc1974b2182ce673bb086a1da15b022de3
2017-12-13 10:58:47 +08:00
ricolin 0e45db46ba [policy in code] part 5 (software-*)
Add software_deployments rules, software_configs rules.
Partially-Implements: bp policy-in-code

Change-Id: If0c98ffcfceae395ab2443356aea3904edaf7b4e
2017-12-07 01:11:49 +00:00
ricolin 51e4f04693 [policy in code] part 4
Add service rules, resource rules, action rules, build_info rules and
events rules.
Partially-Implements: bp policy-in-code

Change-Id: I497f4d02b5ea8399265dedc548214e4eca6b6a35
2017-12-01 01:34:59 +08:00
ricolin 46f0e16d11 [policy in code] part3 (resource types)
Allow using policy in code for resource type rules.
Also add a test for overriding the in-code resource type rule in a json
file.
Partially-Implements: bp policy-in-code

Change-Id: Id6c21732e66de6c421427ded98de52f5da0a4db2
2017-12-01 01:34:55 +08:00
ricolin 575a45b1c0 [policy in code] part 2 (stacks)
Allow using policy in code for the stacks rules.
Also convert check_is_admin to use the new mechanism.
Partially-Implements: bp policy-in-code

Change-Id: I398ed162790294d0d4453f7f12c77b38e95a5580
2017-12-01 01:15:58 +08:00
ricolin b171490450 [policy in code] Part 1 Base framework
This adds the basic framework for registering and using default policy
rules. Rules should be defined and returned from a module in
heat/policies/, and then added to the list in heat/policies/__init__.py.

New policy wrappers `registered_identified_stack` and
`registered_policy_enforce` have been added for policy enforcement of
registered rules, with the same parameters as `identified_stack` and
`policy_enforce` besides setting the `is_registered_policy` flag to true.
This flag decides whether to use the new policy framework or not.

Now we can use `tox -e genpolicy` to check and generate the policy file.

Change-Id: I7a232b3ea7ce0f69a5b7ffa278ceace7a76b666f
Partially-Implements: bp policy-in-code
2017-11-21 16:23:11 +08:00
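The scope isolation described in "Isolate project scope and system scope" and "Implement secure RBAC", and the deprecated-rule transition behaviour behind "Fix avoid deprecation warnings from policy", can be exercised with a small check-string evaluator. The block below is an added example, not code from Heat or oslo.policy: the rule names and check strings (`project_reader`, `stacks:index`, `stacks:global_index`, the legacy `not role:heat_stack_user` default) are assumptions modelled on the commit messages, not copied from heat/policies/base.py, and the parser is a stand-in for oslo.policy's check-string grammar (`not` binds tighter than `and`, which binds tighter than `or`; `role:`, `rule:` and generic `key:%(target_key)s` checks). The request contexts at the bottom are constructed for the example.

```python
# Added example: a small stand-in for oslo.policy's check-string semantics,
# not Heat's or oslo.policy's own code.
import re

# Check strings modelled on the SRBAC commits; assumptions for this example,
# not copied from heat/policies/base.py.
RULES = {
    "system_admin": "role:admin and system_scope:all",
    "project_admin": "role:admin and project_id:%(project_id)s",
    "project_member": "role:member and project_id:%(project_id)s",
    "project_reader": "role:reader and project_id:%(project_id)s",
    # Project-level resources offer no system_scope alternative, so a
    # system-scoped token is denied whatever roles it holds.
    "stacks:index": "rule:project_reader",
    "stacks:create": "rule:project_member",
    # Listing stacks across all projects stays with the project admin.
    "stacks:global_index": "rule:project_admin",
}

# Assumed legacy defaults. oslo.policy ORs a deprecated check string with
# the new one until enforce_new_defaults is on; enforce() models that.
DEPRECATED = {
    "stacks:index": "not role:heat_stack_user",
    "stacks:global_index": "role:admin",
}

# Tokens: parentheses, or runs of non-space chars where %(key)s is one unit.
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")


def parse(text):
    """Recursive descent: 'not' binds tighter than 'and', 'and' than 'or'."""
    toks = _TOKEN.findall(text)

    def factor():
        tok = toks.pop(0) if toks else None
        if tok == "not":
            return ("not", factor())
        if tok == "(":
            node = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok is None or tok == ")":
            raise ValueError("unexpected end of check string")
        return ("atom", tok)

    def term():
        node = factor()
        while toks and toks[0] == "and":
            toks.pop(0)
            node = ("and", node, factor())
        return node

    def expr():
        node = term()
        while toks and toks[0] == "or":
            toks.pop(0)
            node = ("or", node, term())
        return node

    node = expr()
    if toks:
        raise ValueError("trailing tokens: %r" % toks)
    return node


def _atom(tok, rules, creds, target):
    kind, _, value = tok.partition(":")
    if kind == "rule":  # an unknown rule name fails closed
        check = rules.get(value)
        return check is not None and _eval(parse(check), rules, creds, target)
    if kind == "role":
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    # Generic check: creds[kind] against a literal or a %(key)s from target;
    # a target without that key fails closed.
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])
    return value is not None and creds.get(kind) == value


def _eval(node, rules, creds, target):
    op = node[0]
    if op == "atom":
        return _atom(node[1], rules, creds, target)
    if op == "not":
        return not _eval(node[1], rules, creds, target)
    left = _eval(node[1], rules, creds, target)
    if op == "and":
        return left and _eval(node[2], rules, creds, target)
    return left or _eval(node[2], rules, creds, target)


def enforce(action, creds, target, enforce_new_defaults=True):
    # True if creds may perform action on target under the rules above.
    check = RULES[action]
    if not enforce_new_defaults and action in DEPRECATED:
        check = "(%s) or (%s)" % (check, DEPRECATED[action])
    return _eval(parse(check), RULES, creds, target)


# Constructed token contexts; the target is the project whose stacks are read.
SYSTEM_ADMIN = {"roles": ["admin", "member", "reader"], "system_scope": "all"}
PROJECT_ADMIN = {"roles": ["admin", "member", "reader"], "project_id": "p1"}
PROJECT_READER = {"roles": ["reader"], "project_id": "p1"}
P1, P2 = {"project_id": "p1"}, {"project_id": "p2"}
```

With the new defaults enforced, `enforce("stacks:index", SYSTEM_ADMIN, P1)` is False because `project_id:%(project_id)s` can never match a token that carries no project, while `enforce("stacks:global_index", PROJECT_ADMIN, P1)` is True. The caveat worth checking in a deployment is the transition mode: with `enforce_new_defaults=False` the legacy `not role:heat_stack_user` check is ORed in and the same system admin is allowed again, so the stricter default is not the effective policy until the new defaults are switched on.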