In line with the recent RBAC working group discussion and operator
feedback, this converts all our APIs back to project-only. It leaves
the actual scope_types in place, with them all set to project. This
allows an operator to turn on scope checking to *ensure* that only
project-scoped tokens are used, in case system scope is in use
elsewhere in the deployment (i.e. for keystone or ironic). Without
this, system scoped tokens will fail some operations in strange
(read: 500 and "database error") ways.
Change-Id: I951a11affa1d1e42863967cdc713618ff0a74814
As per the RBAC new direction, we will allow
project resources operation to be performed by
the project scoped token only and system user will
be allowed to perform system level operation only
not project resources specific.
Details about new direction can be found in community-wide
goal
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
This commit modify remaining APIs as per the new guidelines.
Also, allow all project admin to list the other project limits. This is
what we allowed in legacy policy and until we have domain admin or other
way to list other project resources/info, we will keep that behaviour.
Also modifying and adding tests for four cases:
1. enforce_scope=False + legacy rule (current default policies)
2. enforce_scope=False + No legacy rule
3. enforce_scope=True + legacy rule
4. enforce_scope=True + no legacy rule (end goal of new RBAC)
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I006d47aa2f4678a06c78057bcf407302abbe4907
Since 3.7.0, oslo policy started the DeprecationWarning[1] if
deprecated_reason and deprecated_since param are not passed
in DeprecatedRule or they are passed in RuleDefault object.
[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538
Change-Id: Idbbc203c6ae65aee29f9463a4911bae2bb541f41
This adds new defaults roles in os-flavor-access API policies.
This policy is default to SYSTEM_ADMIN role for add/remove
tenant access and SYSTEM_READER for list the access information.
Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Closes-Bug: #1867840
Change-Id: Ieeaafe923b78f03ddcbec18d8759aa1d76bcfcb1
API extensions policies have been deprecated in 17.0.0
release[1]. This commit removes them.
[1] Ie05f4e84519f8a00ffb66ea5ee920d5c7722a66b
Change-Id: Ib3faf85c78bc2cdee13175560dc1458ddb6cb7a8
Nova API extension concept is removed in Pike. These extensions
have their own policies enforcement which are not needed any more.
All the below policies which were added mainly for extensions are
deprecated for removal-
- 'os_compute_api:os-config-drive'
- 'os_compute_api:os-extended-availability-zone'
- 'os_compute_api:os-extended-status'
- 'os_compute_api:os-extended-volumes'
- 'os_compute_api:os-keypairs'
- 'os_compute_api:os-server-usage'
- 'os_compute_api:os-security-groups' (only from /servers APIs)
- 'os_compute_api:os-flavor-rxtx'
- 'os_compute_api:os-flavor-access' (only from /flavors APIs)
- 'os_compute_api:image-size'
Implement blueprint api-extensions-policy-removal
Depends-On: I6aed4909b0e7efe9c95d1f7398db613eca05e5ce
Change-Id: Ie05f4e84519f8a00ffb66ea5ee920d5c7722a66b
This adds the new microversion to allow providing
a description when creating a flavor, returning a
flavor description when showing flavor details, and
updating the description on an existing flavor.
Implements blueprint flavor-description
Change-Id: Ib16b0de82f9f9492f5cacf646dc3165a0849d75e
All of the documentation for these is going into user-facing docs, so
clean them up accordingly.
Change-Id: I5f9c284525bac773a897b7acc3773ac5851b9632
Implements: blueprint policy-docs
This is a simple wrapper for an oslo.policy function, so remove it.
Also fixes the alignment in the agents policy module to be like
all the others.
Change-Id: I8a45cff3b1abea98bf04f111bdd6a9ace91a9980
Implements: blueprint policy-docs
This updates flavor_manage.py, flavor_access.py and flavor_rxtx.py
We also add a note about flavor.py not being used in the code.
blueprint policy-docs
Change-Id: I422667cd205678377f5e6aa1c6c6073d5445cee1
We have signaled many times the use of API extensions to change the API
has been deprecated, including:
04f8612aa9
This patch ensures we no longer check any of the discoverable rules when
compiling the list of extensions to list in the API. This stops users
from being able to use policy to hide certain API extensions. This was
never that useful, but now you can't turn any extensions off and we
report the API version number, it is basically useless.
Note the change in the policy cmd unit test is to ensure now there are
no rules that use the ANY rule, we correctly check we return an empty
list of rules that match.
blueprint remove-discoverable-policy-rules
Change-Id: I61d8063708731133177534888ba7f5f05a6bd901