add document for cyborg new policy

This patch added the document for new policy of cyborg inculding: * cyborg policy concepts * configuration guide * all policies in code Change-Id: I79472317c5c1b4aa2660e1c2d5cc61737299975a Story: 2007024 Task: 40934
2020-09-22 14:56:41 +08:00 · 2020-09-22 14:56:41 +08:00 · 68c1f067bf
parent 6d269819ae
commit 68c1f067bf
7 changed files with 359 additions and 5 deletions
--- a/doc/source/configuration/config-options.rst
+++ b/doc/source/configuration/config-options.rst
@ -1,9 +1,9 @@
-=========================================================
+==================================================
 Configuration options for the Acceleration service
-=========================================================
+==================================================

 The following options can be set in the ``/etc/cyborg/cyborg.conf`` config file
-A :doc:`sample configuration file <sample_config>` is also available.
+A :doc:`sample configuration file <sample-config>` is also available.

 .. show-options::
   :config-file: tools/config/cyborg-config-generator.conf
--- a/doc/source/configuration/index.rst
+++ b/doc/source/configuration/index.rst
@ -6,5 +6,6 @@ Configuration Guide
   :maxdepth: 2

   config-options
-   sample_config
-   sample_policy
+   sample-config
+   sample-policy
+   policy-guide
--- a/doc/source/configuration/policy-concepts.rst
+++ b/doc/source/configuration/policy-concepts.rst
@ -0,0 +1,287 @@
+=============================
+Understanding Cyborg Policies
+=============================
+
+.. warning::
+
+   JSON formatted policy file is deprecated since Cyborg (Victoria).
+   Use YAML formatted file. Use `oslopolicy-convert-json-to-yaml`__ tool
+   to convert the existing JSON to YAML formatted policy file in backward
+   compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
+Cyborg supports a rich policy system that has evolved significantly over its
+lifetime. Initially, cyborg policy defaults have been defined in the codebase,
+requiring the ``policy.json`` file only to override these defaults. Starting in
+the Victoria release, policy file has been changed from ``policy.json``
+to ``policy.yaml``.
+
+The old default policy in Cyborg is incomplete and not good enough. Since
+Cyborg V2 API is newly implemented in Train, RBAC check for V2 API still
+remains incomplete. So in the Ussuri release, the specification of policy
+refresh was approved. In the Victoria release, Cyborg landed the new default
+roles to improve some issues that had been identified:
+
+#. No ``allow``. Old policy ``allow`` means any access will be passed.
+   ``allow`` rule was used by cyborg:arq:create, which is too slack.
+
+#. No global vs project admin. The old role ``is_admin`` is used for the global
+   admin that is able to make almost any change to Cyborg, and see all details
+   of the Cyborg system. The rule passes for any user with an admin role, it
+   doesn’t matter which project is used.
+
+#. No ``admin_or_owner``. Old role ``admin_or_owner`` sounds like it checks if
+   the user is a member of a project. However, for most APIs we use the default
+   target which means this rule will pass for any authenticated user.
+
+#. Introduce ``scope_type`` and ``reader`` role. There still some cases which
+   are not well covered. For example, it is impossible to allow a user to
+   retrieve/update devices which are shared by multiple projects from a system
+   level without being given the global admin role. In addition, cyborg now
+   doesn’t have a ``reader`` role.
+
+Keystone comes with ``admin``, ``member`` and ``reader`` roles by default.
+Please refer to `keystone document <https://docs.openstack.org/keystone/latest//admin/service-api-protection.html>`__
+for more information about these new defaults. In addition, keystone supports
+a new "system scope" concept that makes it easier to protect deployment level
+resources from project or system level resources. Please refer to
+`token scopes <https://docs.openstack.org/keystone/latest//admin/tokens-overview.html#authorization-scopes>`__
+and `system scope specification <https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html>`__
+to understand the scope concept.
+
+In the Cyborg (Victoria) release, Cyborg policies implemented
+the scope concept and default roles provided by keystone (admin, member,
+and reader). Using common roles from keystone reduces the likelihood of
+similar, but different, roles implemented across projects or deployments.
+With the help of the new defaults it is easier to understand who can do
+what across projects, reduces divergence, and increases interoperability.
+
+The below sections explain how these new defaults in the Cyborg can solve the
+issues mentioned above and extend more functionality to end users in a safe
+and secure way.
+
+More information is provided in the `cyborg specification <https://specs.openstack.org/openstack/cyborg-specs/specs/ussuri/approved/policy-defaults-refresh.html>`__
+
+Scope
+-----
+
+OpenStack Keystone supports different scopes in tokens.
+These are described `here <https://docs.openstack.org/keystone/latest//admin/tokens-overview.html#authorization-scopes>`__.
+Token scopes represent the layer of authorization. Policy ``scope_types``
+represent the layer of authorization required to access an API.
+
+.. note::
+
+     The ``scope_type`` of each policy is hardcoded and is not
+     overridable via the policy file.
+
+Cyborg policies have implemented the scope concept by defining the
+``scope_type`` in policies. To know each policy's ``scope_type``, please
+refer to the :doc:`Policy Reference <policy>` and look for
+``Scope Types`` or ``Intended scope(s)`` in
+:doc:`Policy Sample File <sample-policy>` as shown in below
+examples.
+
+.. rubric:: ``system`` scope
+
+Policies with a ``scope_type`` of ``system`` means a user with a
+``system-scoped`` token has permission to access the resource. This can be
+seen as a global role. All the system-level operation's policies
+have defaulted to ``scope_type`` of ``['system']``.
+
+For example, consider the ``POST  /v2/device_profiles`` API.
+
+.. code::
+
+    # Create a device_profile
+    # POST  /v2/device_profiles
+    # Intended scope(s): system
+    #"cyborg:device_profile:create": "rule:system_admin_api"
+
+.. rubric:: ``project`` scope
+
+Policies with a ``scope_type`` of ``project`` means a user with a
+``project-scoped`` token has permission to access the resource. This can be
+seen as a project role. All the project-level operation's policies should be
+set to ``scope_type`` of ``['project']`` by default.
+
+.. rubric:: ``system and project`` scope
+
+Policies with a ``scope_type`` of ``system and project`` means a user with a
+``system-scoped`` or ``project-scoped`` token has permission to access the
+resource. All the system and project level operation's policies have defaulted
+to ``scope_type`` of ``['system', 'project']``.
+
+For example, consider the ``GET  /v2/device_profiles/{device_profiles_uuid}``
+API.
+
+.. code::
+
+    # Retrieve a specific device_profile
+    # GET  /v2/device_profiles/{device_profiles_uuid}
+    # Intended scope(s): system, project
+    #"cyborg:device_profile:get_one": "rule:system_or_project_reader"
+
+These scope types provide a way to differentiate between system-level and
+project-level access roles. You can control the information with scope of the
+users.
+
+Policy scope is disabled by default to allow operators to migrate from
+the old policy enforcement system in a graceful way. This can be
+enabled by configuring the :oslo.config:option:`oslo_policy.enforce_scope`
+option to ``True``.
+
+.. note::
+
+  [oslo_policy]
+  enforce_scope=True
+
+
+Roles
+-----
+
+You can refer to `this <https://docs.openstack.org/keystone/latest//admin/service-api-protection.html>`__
+document to know about all available defaults from Keystone.
+
+Along with the ``scope_type`` feature, Cyborg policy defines new
+defaults for each policy.
+
+.. rubric:: ``reader``
+
+This provides read-only access to the resources within the ``system`` or
+``project``. Cyborg policies are defaulted to below rules:
+
+.. code::
+
+   system_reader_api
+      Default
+         role:reader and system_scope:all
+
+   project_reader_api
+      Default
+         role:reader and project_id:%(project_id)s
+
+   system_or_project_reader
+      Default
+         rule:system_reader_api or rule:project_reader_api
+
+.. rubric:: ``member``
+
+This role is to perform the project level write operation with combination
+to the system admin. Cyborg policies are defaulted to below rules:
+
+.. code::
+
+   project_member_api
+      Default
+         role:member and project_id:%(project_id)s
+
+   system_admin_or_owner
+      Default
+         rule:system_admin_api or rule:project_member_api
+
+.. rubric:: ``admin``
+
+This role is to perform the admin level write operation at system as well
+as at project-level operations. Cyborg policies are defaulted to below rules:
+
+.. code::
+
+   system_admin_api
+      Default
+         role:admin and system_scope:all
+
+   project_admin_api
+      Default
+         role:admin and project_id:%(project_id)s
+
+   system_admin_or_owner
+      Default
+         rule:system_admin_api or rule:project_member_api
+
+With these new defaults, you can solve the problem of:
+
+#. Providing the read-only access to the user. Polices are made more granular
+   and defaulted to reader rules. For exmaple: If you need to let someone audit
+   your deployment for security purposes.
+
+#. Customize the policy in better way. For example, you will be able
+   to provide access to project level member to perform arq patch/post for
+   instance boot with the project's token.
+
+Backward Compatibility
+----------------------
+
+During the development period (Victoria and Wallaby releases), the new and old
+policy will both work for backward compatibility by supporting the old
+defaults and disabling the ``scope_type`` feature by default. This means the
+old defaults and deployments that use them will keep working as-is. However,
+we encourage every deployment to switch to new policy. ``scope_type`` will be
+enabled by default and the old defaults will be removed starting in the
+X release.
+
+To implement the new default reader roles, some policies needed to become
+granular. They have been renamed, with the old names still supported for
+backwards compatibility.
+
+Migration Plan
+--------------
+
+To have a graceful migration, Cyborg provides two flags to switch to the new
+policy completely. You do not need to overwrite the policy file to adopt the
+new policy defaults.
+
+Here is step wise guide for migration:
+
+#. Create scoped token:
+
+   You need to create the new token with scope knowledge via below CLI:
+
+   - `Create System Scoped Token <https://docs.openstack.org/keystone/latest//admin/tokens-overview.html#operation_create_system_token>`__.
+   - `Create Project Scoped Token <https://docs.openstack.org/keystone/latest//admin/tokens-overview.html#operation_create_project_scoped_token>`__.
+
+#. Create new default roles in keystone if not done:
+
+   If you do not have new defaults in Keystone then you can create and re-run
+   the `Keystone Bootstrap <https://docs.openstack.org/keystone/latest//admin/bootstrap.html>`__.
+   Keystone added this support in 14.0.0 (Rocky) release.
+
+#. Enable Scope Checks
+
+   The :oslo.config:option:`oslo_policy.enforce_scope` flag is to enable the
+   ``scope_type`` features. The scope of the token used in the request is
+   always compared to the ``scope_type`` of the policy. If the scopes do not
+   match, one of two things can happen.
+   If :oslo.config:option:`oslo_policy.enforce_scope` is True, the request
+   will be rejected. If :oslo.config:option:`oslo_policy.enforce_scope` is
+   False, an warning will be logged, but the request will be accepted
+   (assuming the rest of the policy passes). The default value of this flag
+   is False.
+
+   .. note:: Before you enable this flag, you need to audit your users and make
+             sure everyone who needs system-level access has a system role
+             assignment in keystone.
+
+#. Enable new defaults
+
+   The `oslo_policy.enforce_new_defaults` flag switches
+   the policy to new defaults-only. This flag controls whether or not to use
+   old deprecated defaults when evaluating policies. If True, the old
+   deprecated defaults are not evaluated. This means if any existing
+   token is allowed for old defaults but is disallowed for new defaults,
+   it will be rejected. The default value of this flag is False.
+
+   .. note:: Before you enable this flag, you need to educate users about the
+             different roles they need to use to continue using Cyborg APIs.
+
+
+#. Check for deprecated policies
+
+   A few policies were made more granular to implement the reader roles. New
+   policy names are available to use. If old policy names which are renamed
+   are overwritten in policy file, then warning will be logged. Please migrate
+   those policies to new policy names.
+
+We expect all deployments to migrate to new policy by X release so that
+we can remove the support of old policies.
--- a/doc/source/configuration/policy-guide.rst
+++ b/doc/source/configuration/policy-guide.rst
@ -0,0 +1,45 @@
+=================================
+Cyborg Policy Configuration Guide
+=================================
+
+Cyborg, like most OpenStack projects, uses a policy language to restrict
+permissions on REST API actions.
+
+* :doc:`Policy Concepts <policy-concepts>`: In the Victoria
+  release, Cyborg API policy defines new default roles with system scope
+  capabilities. These new changes improve the security level and
+  manageability of Cyborg API as they are richer in terms of handling
+  access at system and project level token with 'Read' and 'Write' roles.
+
+.. toctree::
+   :hidden:
+
+   policy-concepts
+
+* :doc:`Policy Reference <policy>`: A complete reference of all
+  policy points in cyborg and what they impact.
+
+.. only:: html
+
+   * :doc:`Sample Policy File <sample-policy>`: A sample cyborg
+     policy file with inline documentation.
+
+.. # NOTE(mriedem): This is the section where we hide things that we don't
+   # actually want in the table of contents but sphinx build would fail if
+   # they aren't in the toctree somewhere.
+.. # NOTE(amotoki): toctree needs to be placed at the end of the secion to
+   # keep the document structure in the PDF doc.
+.. toctree::
+   :hidden:
+
+   policy
+
+.. # NOTE(amotoki): Sample files are only available in HTML document.
+   # Inline sample files with literalinclude hit LaTeX processing error
+   # like TeX capacity exceeded and direct links are discouraged in PDF doc.
+.. only:: html
+
+   .. toctree::
+      :hidden:
+
+      sample-policy
--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@ -0,0 +1,21 @@
+===============
+Cyborg Policies
+===============
+
+The following is an overview of all available policies in Cyborg.
+
+.. warning::
+
+   JSON formatted policy file is deprecated since Cyborg (Victoria).
+   Use YAML formatted file. Use `oslopolicy-convert-json-to-yaml`__ tool
+   to convert the existing JSON to YAML formatted policy file in backward
+   compatible way.
+
+.. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html
+
+.. only:: html
+
+   For a sample configuration file, refer to :doc:`sample-policy`.
+
+.. show-policy::
+   :config-file: tools/config/cyborg-policy-generator.conf
--- a/doc/source/configuration/sample-config.rst
+++ b/doc/source/configuration/sample-config.rst
--- a/doc/source/configuration/sample-policy.rst
+++ b/doc/source/configuration/sample-policy.rst