Merge "Move system scoped secure-RBAC to separate file"

2022-07-19 20:18:47 +00:00 · 2022-07-19 20:18:47 +00:00 · 3f4a44db94
parent 9a5273d3ea 5ab6e3d30f
commit 3f4a44db94
4 changed files with 60 additions and 3 deletions
--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@ -92,11 +92,19 @@ requirement. Please see the README.rst in that directory for more information.
 This policy will honor the following `Keystone Default Roles`_ in the Octavia
 API:

+* Admin
+* Project scoped - Reader
+* Project scoped - Member
+
+In addition, there is an alternate policy file that enables system scoped
+tokens checking called keystone_default_roles_scoped-policy.yaml.
+
 * System scoped - Admin
 * System scoped - Reader
 * Project scoped - Reader
 * Project scoped - Member

+
 Managing Octavia User Roles
 ---------------------------

--- a/etc/policy/README.rst
+++ b/etc/policy/README.rst
@ -22,6 +22,18 @@ have one of the load-balancer:* roles.

 This policy will honor the following Keystone default roles in the Octavia API:

+* Admin
+* Project scoped - Reader
+* Project scoped - Member
+
+keystone_default_roles_scoped-policy.yaml
+----------------------------------
+This policy file disables the requirement for load-balancer service users to
+have one of the load-balancer:* roles.
+
+This policy will honor the following Keystone default roles and scopes in the
+Octavia API:
+
 * System scoped - Admin
 * System scoped - Reader
 * Project scoped - Reader
--- a/etc/policy/keystone_default_roles-policy.yaml
+++ b/etc/policy/keystone_default_roles-policy.yaml
@ -8,12 +8,12 @@
 # Keystone token scoping and "default roles"/personas will still be enforced.

 # Role Rules
-"system_admin": "role:admin and system_scope:all"
-"system_reader": "role:reader and system_scope:all"
+"system_admin": "role:admin"
+"system_reader": "role:reader"
 "project_reader": "role:reader and project_id:%(project_id)s"
 "project_member": "role:member and project_id:%(project_id)s"

-"context_is_admin": "role:admin and system_scope:all"
+"context_is_admin": "role:admin"

 # API Rules
 "load-balancer:admin": "is_admin:True or
--- a/etc/policy/keystone_default_roles_scoped-policy.yaml
+++ b/etc/policy/keystone_default_roles_scoped-policy.yaml
@ -0,0 +1,37 @@
+# This policy YAML file will revert the Octavia API to follow the keystone
+# "default role" RBAC policies.
+#
+# The [oslo_policy] enforce_scope and enforce_new_defaults must be True.
+#
+# Users will not be required to be a member of the load-balancer_* roles
+# to take action on Octavia resources.
+# Keystone token scoping and "default roles"/personas will still be enforced.
+
+# Role Rules
+"system_admin": "role:admin and system_scope:all"
+"system_reader": "role:reader and system_scope:all"
+"project_reader": "role:reader and project_id:%(project_id)s"
+"project_member": "role:member and project_id:%(project_id)s"
+
+"context_is_admin": "role:admin and system_scope:all"
+
+# API Rules
+"load-balancer:admin": "is_admin:True or
+                        rule:system_admin or
+                        role:load-balancer_admin"
+
+"load-balancer:read": "is_admin:True or
+                       rule:system_reader or
+                       rule:project_reader"
+
+"load-balancer:read-global": "is_admin:True or rule:system_reader"
+
+"load-balancer:write": "is_admin:True or rule:project_member"
+
+"load-balancer:read-quota": "is_admin:True or
+                             rule:system_reader or
+                             rule:project_reader"
+
+"load-balancer:read-quota-global": "is_admin:True or rule:system_reader"
+
+"load-balancer:write-quota": "is_admin:True"