We add a new specific policy when a host value is provided for cold-migrate,
but by default it will only be an admin-only rule in order to not change
the behaviour.
Change-Id: I128242d5f689fdd08d74b1dcba861177174753ff
Implements: blueprint cold-migrate-to-host-policy
As discussed in PTG, we need to test the new RBAC in the
integrated gate and accordingly enable the new defaults
and scope check by default. A new integrated testing job
has been added and results show that the new defaults and
scope checks are working fine. During testing, we found a
few bugs in neutron policies but all are fixed now.
enforce_scope and enforce_new_defaults are oslo policy config
options but they are per service level and the default value
can be overridden. Oslo policy version 3.11.0 allows overriding
the default value for these config options[1], so this upgrades the
oslo policy version in requirements.txt.
Depends-On: https://review.opendev.org/c/openstack/devstack/+/869781
Depends-On: https://review.opendev.org/c/openstack/placement/+/869525
[1] https://github.com/openstack/oslo.policy/blob/3.11.0/oslo_policy/opts.py#L125
Change-Id: I977b2daedf880229c8d364ca011f2ea965b86e3a
While discussing the new RBAC (scope_type and project admin vs
system admin things) with operators in the Berlin ops meetup and
via emails and policy popup meetings, we got the feedback that
we need to keep the legacy admin behaviour the same as it is, otherwise
it is going to be a big breaking change for many of the operators.
Same feedback for scope_type.
- https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC
- https://etherpad.opendev.org/p/rbac-operator-feedback
By considering the feedback, we decided to postpone the
system scope implementation, release project reader
role and not to change the legacy admin behaviour.
To keep the legacy admin behaviour unchanged, we need to
modify our new policy defaults so that legacy admin continues
to have access to the APIs they are able to access in
the old RBAC. Basically the below changes:
- PROJECT_ADMIN -> ADMIN (legacy admin who can do things in all projects)
- PROJECT_MEMBER -> PROJECT_MEMBER_OR_ADMIN (give access to legacy admin too)
- PROJECT_READER -> PROJECT_READER_OR_ADMIN (give access to legacy admin too)
Complete direction on RBAC is updated in community wide goal
- https://review.opendev.org/c/openstack/governance/+/847418/13
Change-Id: I37e706f75a36fb27da1bdd5fba671cb1bcadc745
Now that we no longer support py27, we can use the standard library
unittest.mock module instead of the third party mock lib. Most of this
is autogenerated, as described below, but there is one manual change
necessary:
nova/tests/functional/regressions/test_bug_1781286.py
We need to avoid using 'fixtures.MockPatch' since fixtures is using
'mock' (the library) under the hood and a call to 'mock.patch.stop'
found in that test will now "stop" mocks from the wrong library. We
have discussed making this configurable but the option proposed isn't
that pretty [1] so this is better.
The remainder was auto-generated with the following (hacky) script, with
one or two manual tweaks after the fact:
    import glob

    for path in glob.glob('nova/tests/**/*.py', recursive=True):
        with open(path) as fh:
            lines = fh.readlines()

        # only touch files that still import the third-party library
        if 'import mock\n' not in lines:
            continue

        import_group_found = False
        create_first_party_group = False
        for num, line in enumerate(lines):
            line = line.strip()
            if line.startswith('import ') or line.startswith('from '):
                tokens = line.split()
                # a third-party import means we have passed the stdlib
                # group: emit 'from unittest import mock' as its own group
                for lib in (
                    'ddt', 'six', 'webob', 'fixtures', 'testtools',
                    'neutron', 'cinder', 'ironic', 'keystone', 'oslo',
                ):
                    if lib in tokens[1]:
                        create_first_party_group = True
                        break
                if create_first_party_group:
                    break
                import_group_found = True

            if not import_group_found:
                continue

            # walk the stdlib import group until the alphabetical slot
            # for 'unittest' / 'unittest.mock' is found
            if line.startswith('import ') or line.startswith('from '):
                tokens = line.split()
                if tokens[1] > 'unittest':
                    break
                elif tokens[1] == 'unittest' and (
                    # 'import unittest' or 'from unittest import <name>'
                    len(tokens) == 2 or tokens[3] > 'mock'
                ):
                    break
            elif not line:
                # blank line ends the import group
                break

        if create_first_party_group:
            lines.insert(num, 'from unittest import mock\n\n')
        else:
            lines.insert(num, 'from unittest import mock\n')

        del lines[lines.index('import mock\n')]

        with open(path, 'w+') as fh:
            fh.writelines(lines)
Note that we cannot remove mock from our requirements files yet due to
importing pypowervm unit test code in nova unit tests. This library
still uses the mock lib, and since we are importing test code and that
lib (correctly) only declares mock in its test-requirements.txt, mock
would not otherwise be installed and would cause errors while loading
nova unit test code.
[1] https://github.com/testing-cabal/fixtures/pull/49
Change-Id: Id5b04cf2f6ca24af8e366d23f15cf0e5cac8e1cc
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This adds support to the REST API, in a new microversion, for specifying
a destination host in the unshelve server action when the server
is shelved offloaded.
This patch also supports the ability to unpin the availability_zone of an
instance that is bound to it.
Note that the functional test changes are due to those tests using the
"latest" microversion 2.91.
Implements: blueprint unshelve-to-host
Change-Id: I9e95428c208582741e6cd99bd3260d6742fcc6b7
This moves the nova API policies as per the new guidelines,
where a system scoped token will only be allowed to access
system level APIs and will not be allowed any operation
on project level APIs. With that, we do not need the below
base rules (which have a hardcoded 'system_scope:all' check_str):
- system_admin_api
- system_reader_api
- system_admin_or_owner
- system_or_project_reader
At this stage (phase-1 target), we allow the below roles as targeted
in phase-1 [1]
1. ADMIN(this is System Administrator with scope_type 'system'
when scope enabled otherwise legacy admin)
2. PROJECT_ADMIN
3. PROJECT_MEMBER
4. PROJECT_READER
and the below one specific to nova
5. PROJECT_READER_OR_ADMIN (to allow system admin and project reader
to list flavor extra specs)
This completes phase-1 of the RBAC community-wide goal[2] for nova.
Add release notes too.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#how-operator
[2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#yoga-timeline-7th-mar-2022
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I075005d13ff6bfe048bbb21d80d71bf1602e4c02
Flavor extra specs index policy is used to show flavor
extra specs in flavor as well as server APIs response.
As per the RBAC new guidelines, we are restricting project level
resources APIs to project scoped only. To do that, we are
separating the flavor extra specs index policy for server
APIs and making it project scoped only.
Partial implement blueprint policy-defaults-refresh-2
Change-Id: I9cfb61dabe6f98cb057aad9702f9d355c415fda6
This attempts to move us back to just allowing project-scoped tokens
for project resources when scope checking is enabled. It does it for
servers and flavor_extra_specs, since the latter depends on the policy
of the former.
There is a lot more churn in here than just that conversion, as I
added a helper method and moved from using two lists for everything to
one. Had I known I was going to do that initially, I would have done
it in a refactor first, but alas getting things to work ended up being
easier if I used that approach, and thus did them together. That could
be pulled out (with some effort) if people feel strongly about it,
but hopefully this can just set the base for going forward.
This also adds a new test scenario to both servers and extra_specs,
which validates that we can enable the new rules without scope
checking enabled.
Change-Id: I395d97558c36200a6f6ba7c804ab2a9ac5e51d04
Move these to the central place. There's a large amount of test damage
but it's pretty trivial.
Change-Id: If581eb7aa463c9dde13714f34f0f1b41549a7130
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This one is tied into an admin action in the server actions API, which
means we must remove that API action also. Otherwise, this isn't too
crazy.
Change-Id: I58343b94b67915062d044fa0f53aeab01b77738f
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This was only useful with XenAPI and can therefore be removed.
Change-Id: I9512f605dd2b3b0e88c951ed086250d57056303d
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
The default value of the 'CONF.oslo_policy.policy_file' config option
has been changed from 'policy.json' to 'policy.yaml'. If the new default
file 'policy.yaml' does not exist but the old default 'policy.json' exists,
then fall back to using the old default file.
An upgrade check is added to check the policy_file format and
fail the upgrade checks if it is JSON formatted.
Added a warning in the policy doc that JSON-formatted files are deprecated,
and also removed all the references to the policy.json file in docs as well as
in tests.
Related Blueprint: policy-json-to-yaml
Closes-Bug: #1875418
Change-Id: Ic4d3b998bb9701cb1e3ef12d9bb6f4d91cc19c18
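The two behaviours the commit above describes, the policy.yaml -> policy.json fallback and an upgrade check that rejects a JSON-formatted policy file, as an added illustration that is not nova's or oslo.upgradecheck's code. The file names, the directory layout, the result tuple shape and the rule name "os_compute_api:example" are assumptions made for the example; JSON is a subset of YAML, so the check only has to recognise JSON, it never needs a YAML parser.

```python
"""Constructed illustration of the policy file fallback and the JSON
format upgrade check. Not nova's code; names are assumptions."""
import json
import os
import tempfile

NEW_DEFAULT = 'policy.yaml'
OLD_DEFAULT = 'policy.json'


def resolve_policy_file(config_dir, configured=NEW_DEFAULT):
    """Return the policy file to load. When the configured file is the new
    default and is missing but the old default exists, use the old one;
    otherwise use exactly what was configured."""
    path = os.path.join(config_dir, configured)
    if configured == NEW_DEFAULT and not os.path.exists(path):
        old = os.path.join(config_dir, OLD_DEFAULT)
        if os.path.exists(old):
            return old
    return path


def is_json_formatted(text):
    """True when the content parses as a JSON object or array, which is
    what the upgrade check should reject. Empty content is not JSON."""
    stripped = text.strip()
    if not stripped or stripped[0] not in '{[':
        return False
    try:
        json.loads(stripped)
    except ValueError:
        return False
    return True


def upgrade_check(config_dir, configured=NEW_DEFAULT):
    """Return ('success', path) or ('failure', path), in the spirit of an
    upgrade check: a missing file means no custom policy, nothing to flag."""
    path = resolve_policy_file(config_dir, configured)
    if not os.path.exists(path):
        return ('success', path)
    with open(path) as fh:
        if is_json_formatted(fh.read()):
            return ('failure', path)
    return ('success', path)


def demo():
    """Exercise both behaviours on constructed files in a temp directory."""
    results = {}
    # constructed rule; not a real nova policy name
    rule = {"os_compute_api:example": "rule:context_is_admin"}
    with tempfile.TemporaryDirectory() as d:
        # only the old JSON-formatted file exists: fallback, then failure
        with open(os.path.join(d, OLD_DEFAULT), 'w') as fh:
            json.dump(rule, fh)
        results['fallback'] = os.path.basename(resolve_policy_file(d))
        results['json_check'] = upgrade_check(d)[0]
        # a YAML-formatted new default appears: no fallback, check passes
        with open(os.path.join(d, NEW_DEFAULT), 'w') as fh:
            fh.write('"os_compute_api:example": "rule:context_is_admin"\n')
        results['yaml_pick'] = os.path.basename(resolve_policy_file(d))
        results['yaml_check'] = upgrade_check(d)[0]
    with tempfile.TemporaryDirectory() as d:
        # no policy file at all: nothing to check
        results['missing'] = upgrade_check(d)[0]
    return results


if __name__ == '__main__':
    print(demo())
```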
This adds new default roles in FIP API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER and PROJECT_MEMBER_OR_SYSTEM_ADMIN.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I6dcc8db9178aef59017968a3172ab463cd74754d
This adds new default roles in networks API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: Idcccdf6b3a1638cf140b5c4f887abbed85c5d7dc
This adds scope_type and new default roles in extensions
API policies. These policies are for the extensions API, which is
kept only for backward compatibility with v2.0, but nova does not
have the extensions concept now and returns only hard-coded info. So
these policies are not made granular.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I062e556feb5cc85d179fed9b675e4ab33ca3365a
This adds new default roles in baremetal nodes API policies.
These policies default to SYSTEM_READER and are made more
granular to adopt the new defaults.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: Ieaad388d31fdabf0854bf7e2ed9fddf11f86bf8c
This adds new default roles in volumes API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER and PROJECT_MEMBER_OR_SYSTEM_ADMIN.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I37fa825b0e915e83da7023564a29811dcdfa058d
This adds new default roles in hosts API policies.
These policies are made granular and default to
SYSTEM_READER and SYSTEM_ADMIN.
Also pass the actual target, which is an empty dict, in the
hosts policy.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I159aaa37e1c238b484619a9951da7e63774024cb
This adds new default roles in security_groups API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER and PROJECT_MEMBER_OR_SYSTEM_ADMIN.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: Ie1ea066e9683fc44d486bcde1eb0f01fca7645c7
This adds new default roles in tenant networks API policies.
These policies are made granular and default to
PROJECT_READER_OR_SYSTEM_READER.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I9b7154680b19f76cb97a6c861657ca2f5cad0004
This adds new default roles in multinic API policies.
These policies are made granular and default to
PROJECT_MEMBER_OR_SYSTEM_ADMIN.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I1b2c741e86431963fb4f0696509bed01351afac2
FIP pools are not associated with any projects and the API
controller also does not take any project_id in the request,
so anyone requesting that API can get the FIP pools list.
The current check_str 'admin_or_owner' is not correct for this
policy; it should be RULE_ANY.
Currently, if no target is passed to context.can(),
it uses the default target, which is context.user_id and context.project_id.
These default targets are not useful as they pass only the
context's user_id and project_id, which means we tell
oslo policy to verify the context data against the context data.
This commit corrects the check_str and passes the actual target for
FIP pools policies, which is an empty dict.
Partial implement blueprint policy-defaults-refresh-deprecated-apis
Change-Id: I06dde5960fdae5ee4e3ce902482361909ac397d6
There are a few places left in unit tests where policy warnings
are still logged.
- test_policy, which is the policy file tests and does policy
initialization without suppressing the warnings.
- test_serversV21. PolicyFixture takes care of policy setup with
no warnings[1], which is used by the test base class[2], but
test_serversV21 duplicates the policy initialization, which leads
to logged warnings for unit tests. We do not need to initialize the
policy again and can rely on the PolicyFixture setup.
From the git history, it was added 7 years ago when no
Fixture was available, so there is no specific reason for re-initializing
the policy in this test.
- https://review.opendev.org/#/c/16160/3
[1] 4b62c90063/nova/tests/unit/policy_fixture.py (L46)
[2] 4b62c90063/nova/test.py (L269)
Change-Id: Ieb3f5510437d38bf2a4c8994d76c7f4001a6c9d8
This adds new default roles in the remaining servers policies
as PROJECT_ADMIN, with a TODO to move them to SYSTEM_ADMIN.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I72b48eb78fde29083bc23ddb25459f6c41590c37
Currently, if no target is passed to context.can(),
it uses the default target, which is context.user_id and context.project_id.
These default targets are not useful as they pass only the
context's user_id and project_id, which means we tell
oslo policy to verify the context data against the context data.
This commit passes the actual target for server group policies,
which is the server group's project_id for the show and delete policies and the context
project_id for the other policies.
Partial implement blueprint policy-defaults-refresh
Change-Id: Ifdc0828e5989ccdca3bc9139960605c298b0053c
This adds new default roles in tenant usage API policies.
This policy defaults to:
- PROJECT_MEMBER_OR_SYSTEM_ADMIN for tenant usage statistics for
a specific tenant
- SYSTEM_ADMIN for list tenant usage statistics.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I6756859fd68e71f829dfcf5bf7bcb8b7c2cdb75a
This adds new default roles in server password API policies.
- Policies are made granular and default to system or project reader
for the get policy and system admin or owner for the clear policy.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I3571b73a3094f5f523ff7b655ca05355c65f90ff
This patch changes the volume update policy to be
'rule:system_admin_or_owner' to allow instance owners to update
attachment details like delete_on_termination. It creates a new
volume swap policy element with the old admin-only behavior, and
makes the volume update code check the appropriate policy based
on what action is being performed.
Co-Authored-By: Dan Smith <dansmith@redhat.com>
Partial implement blueprint destroy-instance-with-datavolume
Change-Id: I2cbe37b65ceac2efb3b252460dc01d17474e6343
This adds new default roles in server metadata API policies:
- system admin or project member for update and delete.
- system and project reader for get.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: Id81e617f089f7f7d654e6df6a106ea9d5100b9f6
This adds new default roles in server migration API policies.
This policy defaults to SYSTEM_ADMIN for POST and SYSTEM_READER
for the GET policy.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I325ee0f197b5834718e86d9462b84882dd487f6a
This adds new default roles in security group API policies.
- GET rules are made granular and default to system or project reader.
- add/remove sec grps policies default to system admin or project member.
Added a new context of other_project_reader for the system and project reader
policy so that we can verify the other project by its id, not by role.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I83783aa3384d3b667729bbdd4a13fb014176ec75
This adds new default roles in limits API policies.
This policy defaults to the SYSTEM_READER role.
Renaming the policy to get other project limits to a more appropriate
name. The current name os-used-limits is confusing.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I603220b5f011e781cd6d382f4215936fe2223382
This adds new default roles in rescue server API policies
to system admin or project member.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I5816abd33002b2036068cc686c3d0d44d66ee976
This adds new default roles in list migration API policies.
This policy defaults to the SYSTEM_READER role.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I45acb44c6eac5e9cae2b13c89ceb86afc348fcbe
The limits API policy defaults to admin_or_owner[1]
but the API is allowed (which is expected) for everyone.
This is because the API does not pass the project_id in the policy
target so that oslo policy can decide the ownership[2]. If no
target is passed, then policy.py adds the default target, which
is nothing but context.project_id (allowing everyone who tries to access)
- c16315165c/nova/policy.py (L191)
There is no owner concept in limits and every project can get
its own limits. We need to make the default RULE_ANY, which means
allowed to everyone.
[1] 403fc671a6/nova/policies/limits.py (L27)
Closes-bug: #1869543
Change-Id: I80617e57a6e062e6038e1b3447e116a5f9e23d24
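The FIP pools, server group and limits commit messages above all describe the same failure mode: when context.can() is called without a target, the caller's own user_id/project_id become the target, so an 'admin_or_owner' style check compares the caller's project with itself and passes for everyone. The following is an added illustration, not nova's or oslo.policy's code: a tiny evaluator for check strings of the 'rule:', 'role:', 'is_admin:', '%(key)s' and '@' forms (with 'and' binding tighter than 'or'), a stand-in Context class, a constructed RULES table and sample identities are all assumptions made for the example. It shows the tautology with the default target, the correct denial once a real resource target is passed, and what an empty dict target means (only the admin clause can pass, or everything passes under RULE_ANY).

```python
"""Constructed mini policy evaluator showing why the policy target matters.
Not nova's or oslo.policy's code; names below are assumptions."""


class Context:
    """Minimal stand-in for a request context (assumed shape)."""

    def __init__(self, user_id, project_id, roles=(), is_admin=False):
        self.user_id = user_id
        self.project_id = project_id
        self.roles = list(roles)
        self.is_admin = is_admin

    def to_policy_values(self):
        # the credentials the checks are evaluated against
        return {'user_id': self.user_id, 'project_id': self.project_id,
                'roles': self.roles, 'is_admin': self.is_admin}


# constructed rule table: 'admin_or_owner' follows the classic owner-check
# shape, '@' is the RULE_ANY check string (everyone allowed)
RULES = {
    'admin_or_owner': 'is_admin:True or project_id:%(project_id)s',
    'any': '@',
}


def _atom(check, target, creds):
    """Evaluate one check such as 'role:admin' or 'project_id:%(project_id)s'."""
    if check == '@':
        return True
    if check == '!':
        return False
    kind, _, match = check.partition(':')
    if kind == 'rule':
        return evaluate(RULES[match], target, creds)
    if kind == 'role':
        return match in creds['roles']
    try:
        expected = match % target   # '%(project_id)s' is filled from the TARGET
    except KeyError:
        return False                # key absent from target: check cannot pass
    return str(creds.get(kind)) == expected


def evaluate(check_str, target, creds):
    """'or' of 'and' clauses, 'and' binding tighter, as in check strings."""
    return any(
        all(_atom(a.strip(), target, creds) for a in clause.split(' and '))
        for clause in check_str.split(' or ')
    )


def can(ctx, rule, target=None):
    """Mirror of the context.can() behaviour the commits describe: with no
    explicit target, the caller's own identity becomes the target."""
    if target is None:
        target = {'user_id': ctx.user_id, 'project_id': ctx.project_id}
    return evaluate(RULES[rule], target, ctx.to_policy_values())


def demo():
    """Constructed identities: a plain member and an admin."""
    alice = Context('alice', 'proj-a', roles=['member'])
    root = Context('root', 'proj-admin', roles=['admin'], is_admin=True)
    other_project = {'project_id': 'proj-b'}   # resource owned elsewhere
    return {
        # default target: alice's project compared with alice's project
        'default_target_tautology': can(alice, 'admin_or_owner'),
        # real resource target: the ownership clause now actually denies
        'real_target_denied': can(alice, 'admin_or_owner', other_project),
        # empty target: owner clause can never match, only admin passes
        'empty_target_member': can(alice, 'admin_or_owner', {}),
        'empty_target_admin': can(root, 'admin_or_owner', {}),
        # RULE_ANY: allowed for everyone regardless of target
        'rule_any_member': can(alice, 'any', {}),
    }


if __name__ == '__main__':
    for name, allowed in demo().items():
        print(f'{name}: {allowed}')
```

The empty-dict target is the right choice for resources that have no owning project (FIP pools, hosts, limits): with it, an owner clause is inert and the decision rests on the role or admin clauses, which is exactly what the commits rely on when they pass `{}` and change the check to RULE_ANY where everyone should be allowed.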
This adds new default roles in os-hypervisors API policies.
This policy defaults to the SYSTEM_READER role.
Policy rules are made more granular to adopt the new defaults.
Also add tests to simulate the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I548e49bd3e51eb51de922e97f3340363b8b94e50