While discussing the new RBAC (scope_type and project admin vs
system admin things) with operators in berlin ops meetup and
via emails, and policy popup meetings, we got the feedback that
we need to keep the legacy admin behaviour same as it is otherwise
it is going to be a big breaking change for many of the operators.
Same feedback for scope_type.
- https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC
- https://etherpad.opendev.org/p/rbac-operator-feedback
By considering the feedback, we decided to postpone the
system scope implementation, release project reader
role and not to change the legacy admin behaviour.
To keep the legacy admin behaviour unchanged, we need to
modify our policy new default so that legacy admin continue
to have the access to the APIs they are able to access in
old RBAC. Basically the below changes:
- PROJECT_ADMIN -> ADMIN (legacy admin who can do things in all projects)
- PROJECT_MEMBER -> PROJECT_MEMBER_OR_ADMIN (give access to legacy admin too)
- PROJECT_READER -> PROJECT_READER_OR_ADMIN (give access to legacy admin too)
Complete direction on RBAC is updated in community wide goal
- https://review.opendev.org/c/openstack/governance/+/847418/13
Change-Id: I37e706f75a36fb27da1bdd5fba671cb1bcadc745
As per the RBAC new direction, we will allow
project resources operation to be performed by
the project scoped token only and system user will
be allowed to perform system level operation only
not project resources specific.
Details about new direction can be found in community-wide
goal
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
This commit modify more projects level APIs to be scoped
to project only.
Also modifying and adding tests for four cases:
1. enforce_scope=False + legacy rule (current default policies)
2. enforce_scope=False + No legacy rule
3. enforce_scope=True + legacy rule
4. enforce_scope=True + no legacy rule (end goal of new RBAC)
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I6731aa6edd0c6bed5edb9eaaaa98b5e43aaeeb74
Since 3.7.0, oslo policy started the DeprecationWarning[1] if
deprecated_reason and deprecated_since param are not passed
in DeprecatedRule or they are passed in RuleDefault object.
[1] https://github.com/openstack/oslo.policy/blob/3.7.0/oslo_policy/policy.py#L1538
Change-Id: Idbbc203c6ae65aee29f9463a4911bae2bb541f41
This adds new defaults roles in security_groups API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER and PROJECT_MEMBER_OR_SYSTEM_ADMIN.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: Ie1ea066e9683fc44d486bcde1eb0f01fca7645c7
This adds new defaults roles in security group API policies.
- GET rules are made granular and default to System or project reader
- add/remove sec grps policies are default to system admin or project member.
Added new context of other_project_reader for system and project reader
policy so that we can verify the other projct with its id not by role.
Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I83783aa3384d3b667729bbdd4a13fb014176ec75
API extensions policies have been deprecated in 17.0.0
release[1]. This commit removes them.
[1] Ie05f4e84519f8a00ffb66ea5ee920d5c7722a66b
Change-Id: Ib3faf85c78bc2cdee13175560dc1458ddb6cb7a8
Nova API extension concept is removed in Pike. These extensions
have their own policies enforcement which are not needed any more.
All the below policies which were added mainly for extensions are
deprecated for removal-
- 'os_compute_api:os-config-drive'
- 'os_compute_api:os-extended-availability-zone'
- 'os_compute_api:os-extended-status'
- 'os_compute_api:os-extended-volumes'
- 'os_compute_api:os-keypairs'
- 'os_compute_api:os-server-usage'
- 'os_compute_api:os-security-groups' (only from /servers APIs)
- 'os_compute_api:os-flavor-rxtx'
- 'os_compute_api:os-flavor-access' (only from /flavors APIs)
- 'os_compute_api:image-size'
Implement blueprint api-extensions-policy-removal
Depends-On: I6aed4909b0e7efe9c95d1f7398db613eca05e5ce
Change-Id: Ie05f4e84519f8a00ffb66ea5ee920d5c7722a66b
All of the documentation for these is going into user-facing docs, so
clean them up accordingly.
Change-Id: I5f9c284525bac773a897b7acc3773ac5851b9632
Implements: blueprint policy-docs
This is a simple wrapper for an oslo.policy function, so remove it.
Also fixes the alignment in the agents policy module to be like
all the others.
Change-Id: I8a45cff3b1abea98bf04f111bdd6a9ace91a9980
Implements: blueprint policy-docs
We have signaled many times the use of API extensions to change the API
has been deprecated, including:
04f8612aa9
This patch ensures we no longer check any of the discoverable rules when
compiling the list of extensions to list in the API. This stops users
from being able to use policy to hide certain API extensions. This was
never that useful, but now you can't turn any extensions off and we
report the API version number, it is basically useless.
Note the change in the policy cmd unit test is to ensure now there are
no rules that use the ANY rule, we correctly check we return an empty
list of rules that match.
blueprint remove-discoverable-policy-rules
Change-Id: I61d8063708731133177534888ba7f5f05a6bd901
The 'discoverable' policy is not documented as it will be removed in a
future change.
blueprint policy-docs
Change-Id: I1c7e539b195cc6bb81f0e4814560d6c3c9953694