In line with the recent RBAC working group discussion and operator
feedback, this converts all our APIs back to project-only. It leaves
the actual scope_types in place, with them all set to project. This
allows an operator to turn on scope checking to *ensure* that only
project-scoped tokens are used, in case system scope is in use
elsewhere in the deployment (i.e. for keystone or ironic). Without
this, system scoped tokens will fail some operations in strange
(read: 500 and "database error") ways.
Change-Id: I951a11affa1d1e42863967cdc713618ff0a74814
As per the RBAC new direction, we will allow
project resources operation to be performed by
the project scoped token only and system user will
be allowed to perform system level operation only
not project resources specific.
Details about new direction can be found in community-wide
goal
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
This commit modify remaining APIs as per the new guidelines.
Also, allow all project admin to list the other project limits. This is
what we allowed in legacy policy and until we have domain admin or other
way to list other project resources/info, we will keep that behaviour.
Also modifying and adding tests for four cases:
1. enforce_scope=False + legacy rule (current default policies)
2. enforce_scope=False + No legacy rule
3. enforce_scope=True + legacy rule
4. enforce_scope=True + no legacy rule (end goal of new RBAC)
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I006d47aa2f4678a06c78057bcf407302abbe4907
This adds new defaults roles in keypairs API policies.
- SYSTEM_ADMIN, for create, delete keypairs
- SYSTEM_READER for GET keypairs
Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I90cbd4de22bbce1a7cbd0c5d3bb5ee0a27429dbc
API extensions policies have been deprecated in 17.0.0
release[1]. This commit removes them.
[1] Ie05f4e84519f8a00ffb66ea5ee920d5c7722a66b
Change-Id: Ib3faf85c78bc2cdee13175560dc1458ddb6cb7a8
Nova API extension concept is removed in Pike. These extensions
have their own policies enforcement which are not needed any more.
All the below policies which were added mainly for extensions are
deprecated for removal-
- 'os_compute_api:os-config-drive'
- 'os_compute_api:os-extended-availability-zone'
- 'os_compute_api:os-extended-status'
- 'os_compute_api:os-extended-volumes'
- 'os_compute_api:os-keypairs'
- 'os_compute_api:os-server-usage'
- 'os_compute_api:os-security-groups' (only from /servers APIs)
- 'os_compute_api:os-flavor-rxtx'
- 'os_compute_api:os-flavor-access' (only from /flavors APIs)
- 'os_compute_api:image-size'
Implement blueprint api-extensions-policy-removal
Depends-On: I6aed4909b0e7efe9c95d1f7398db613eca05e5ce
Change-Id: Ie05f4e84519f8a00ffb66ea5ee920d5c7722a66b
This is a simple wrapper for an oslo.policy function, so remove it.
Also fixes the alignment in the agents policy module to be like
all the others.
Change-Id: I8a45cff3b1abea98bf04f111bdd6a9ace91a9980
Implements: blueprint policy-docs
This updates the policy doc for server extend controller in keypairs.py
Partial implement blueprint blueprint policy-docs
Change-Id: I32d2dae19fc2cfa99470edbb39dafd56de279b73
We have signaled many times the use of API extensions to change the API
has been deprecated, including:
04f8612aa9
This patch ensures we no longer check any of the discoverable rules when
compiling the list of extensions to list in the API. This stops users
from being able to use policy to hide certain API extensions. This was
never that useful, but now you can't turn any extensions off and we
report the API version number, it is basically useless.
Note the change in the policy cmd unit test is to ensure now there are
no rules that use the ANY rule, we correctly check we return an empty
list of rules that match.
blueprint remove-discoverable-policy-rules
Change-Id: I61d8063708731133177534888ba7f5f05a6bd901