From 0b15b736da207c6381928ae0ab4f70dbfa44c89e Mon Sep 17 00:00:00 2001 From: Yuta Kazato Date: Sun, 25 Jun 2023 23:35:44 +0900 Subject: [PATCH] Update Spec of "Enhance Tacker API Access Control" The spec of "Enhancement of Tacker API Resource Access Control" will be updated for the following items. * The attribute of "namespace" and the special roles of "NAMESPACE" are changed to "tenant" and "TENANT" in Antelope * Add tenant control for VNF will be supported in Bobcat (Remove the expression of "CNF only".) This patch fixes these changes in the current spec. Implements: blueprint enhance-api-policy Change-Id: I71571607804b5ac1d2cd7a77cf34e89b1ec4af03 --- specs/2023.1/enhance-tacker-policy.rst | 55 +++++++++++++------------- 1 file changed, 27 insertions(+), 28 deletions(-) diff --git a/specs/2023.1/enhance-tacker-policy.rst b/specs/2023.1/enhance-tacker-policy.rst index 5c769f9f..88ed82b3 100644 --- a/specs/2023.1/enhance-tacker-policy.rst +++ b/specs/2023.1/enhance-tacker-policy.rst @@ -261,11 +261,11 @@ The change of VNF instance API processes include v1 and v2 versions. - vnf_instances,VnfInstanceV2 - vim_connection_info/extra,vimConnectionInfo/extra - {"area": "tokyo@japan"} - * - namespace(CNF) + * - tenant - vnfInstanceId - vnf_instances,VnfInstanceV2 - - vnf_metadata,metadata - - {"namespace": "default"} + - vnf_metadata,instantiatedVnfInfo/metadata + - {"tenant": "default"} Add the Tacker Policy Filter to the List API Processes ------------------------------------------------------ @@ -369,11 +369,10 @@ The List API Processes to be changed - vnf_instances,VnfInstanceV2 - vim_connection_info/extra,vimConnectionInfo/extra - {"area": "tokyo@japan"} - * - namespace(CNF) + * - tenant - vnf_instances,VnfInstanceV2 - - vnf_metadata,metadata - - {"namespace": "default"} - + - vnf_metadata,instantiatedVnfInfo/metadata + - {"tenant": "default"} Convert Special Roles to API Attributes in Context -------------------------------------------------- 
@@ -403,10 +402,10 @@ following rules. - vendor value - all - VENDOR_vendor_A, VENDOR_all - * - NAMESPACE - - namespace value + * - TENANT + - tenant value - all - - NAMESPACE_default, NAMESPACE_all + - TENANT_default, TENANT_all .. note:: @@ -438,9 +437,9 @@ following rules: * - VENDOR - vendor - VENDOR_vendor_A -> {"vendor": ["vendor_A"]} - * - NAMESPACE - - namespace value - - NAMESPACE_default -> {"namespace": ["default"]} + * - TENANT + - tenant value + - TENANT_default -> {"tenant": ["default"]} #. For special value in policy checker, the corresponding attribute value of resource will be assigned to user. @@ -476,10 +475,10 @@ following rules: - vendor - all - {"vendor": "vendor_A"} -> {"vendor": ["vendor_A"]} - * - NAMESPACE - - namespace value + * - TENANT + - tenant value - all - - {"namespace": "default"} -> {"namespace": ["default"]} + - {"tenant": "default"} -> {"tenant": ["default"]} #. For special value "all" in policy filter, the attribute will not be used as a filtering attribute. Note that the "area" attribute needs to be divided @@ -511,7 +510,7 @@ effect. When enhanced_tacker_policy is False, special roles will not be converted to user attributes, then users will not have the enhanced policy attributes such - as area, vendor and namespace(CNF). At this time, if the enhanced policy + as area, vendor and tenant. At this time, if the enhanced policy attributes are used as comparison attributes in the policy rule, this rule will prevent users from accessing any resource as the comparison result is always false. @@ -620,7 +619,7 @@ Policy Examples "vnflcm_inst_attrs_cmp": "vendor:%(vendor)s and rule:manager_and_owner" # vnflcm resource attributes compare rule. - "vnflcm_attrs_cmp": "area:%(area)s and vendor:%(vendor)s and namespace:%(namespace)s" + "vnflcm_attrs_cmp": "area:%(area)s and vendor:%(vendor)s and tenant:%(tenant)s" # Get API Versions. # GET /vnflcm/v1/api_versions 
@@ -796,9 +795,9 @@ Create the following roles: * VENDOR_vendor_A * VENDOR_vendor_B * VENDOR_all -* NAMESPACE_default -* NAMESPACE_namespace_A -* NAMESPACE_all +* TENANT_default +* TENANT_tenant_A +* TENANT_all The root user needs to be assigned the following roles: @@ -806,14 +805,14 @@ The root user needs to be assigned the following roles: * manager * AREA_all@all * VENDOR_all -* NAMESPACE_all +* TENANT_all The region manager needs to be assigned the following roles: * manager * AREA_all@region_A (or AREA_all@region_B) * VENDOR_all -* NAMESPACE_all +* TENANT_all The area manager and the tenant (area) manager need to be assigned the following roles: @@ -822,7 +821,7 @@ need to be assigned the following roles: * AREA_area_A@region_A (or AREA_area_B@region_A or AREA_area_A@region_B or AREA_area_B@region_B) * VENDOR_all -* NAMESPACE_all +* TENANT_all .. note:: The difference between "area manager" and @@ -835,14 +834,14 @@ The tenant manager needs to be assigned the following roles: * manager * AREA_all@all * VENDOR_all -* NAMESPACE_all +* TENANT_all The tenant user needs to be assigned the following roles: * member or reader * AREA_all@all * VENDOR_all -* NAMESPACE_all +* TENANT_all The tenant (area) user needs to be assigned the following roles: @@ -850,13 +849,13 @@ The tenant (area) user needs to be assigned the following roles: * AREA_area_A@region_A (or AREA_area_B@region_A or AREA_area_A@region_B or AREA_area_B@region_B) * VENDOR_all -* NAMESPACE_all +* TENANT_all The vendor manager needs to be assigned the following roles: * manager * AREA_all@all * VENDOR_vendor_A (or VENDOR_vendor_B) -* NAMESPACE_all +* TENANT_all Alternatives ------------
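Review bot: in the hunk at @@ -261 the resource-attribute cell for the renamed row changes from `vnf_metadata,metadata` to `vnf_metadata,instantiatedVnfInfo/metadata`, so the v2 lookup of the value moves from the instance's top-level metadata into instantiatedVnfInfo/metadata, but the commit message only describes the namespace-to-tenant rename and the removal of "CNF only". Either mention this relocation in the commit message or add a sentence in the spec saying why the tenant value is taken from instantiatedVnfInfo/metadata rather than the instance metadata; the same applies to the identical row in the List API table at @@ -369.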
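Review bot: the wording change at @@ -511 ("area, vendor and tenant" instead of "namespace(CNF)") makes the spec under specs/2023.1 read as if tenant-based control applies to VNF as well as CNF in this release, while the commit message states that tenant control for VNF will be supported in Bobcat. Add the release scope to the spec text itself (for example a note that the tenant attribute is populated for CNF in Antelope and for VNF from Bobcat) so the document does not promise behaviour the release does not ship.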
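Review bot: the example rule at @@ -620 now compares `tenant:%(tenant)s` unconditionally for every VNF LCM resource, and with "CNF only" removed the spec does not say what the tenant attribute evaluates to for an instance whose instantiatedVnfInfo/metadata carries no "tenant" key (an instance created before this change, or a VNF without that metadata). The note at @@ -511 describes a comparison against an absent attribute as always false, which would deny access to such instances; document the expected value or fallback for a missing tenant key next to this example.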
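Review bot: the role list at @@ -796 introduces `TENANT_default`, `TENANT_tenant_A` and `TENANT_all` next to personas the spec already calls "tenant manager", "tenant user" and "tenant (area) manager" (hunks @@ -835 and @@ -850), so after this rename "tenant" denotes both the existing per-project persona and the new metadata attribute, and a reader cannot tell whether `TENANT_tenant_A` is meant to correspond to the tenant manager role. Add a sentence near the role definitions that distinguishes the TENANT_* special roles (derived from the instance's tenant metadata value) from the tenant manager/user personas, or use an example value other than `tenant_A`.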