From aec2de7ffd21fb553114c9f27a260062cafbc3b8 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Sat, 6 Mar 2021 04:32:21 +0000 Subject: [PATCH] Add a release note for secure RBAC personas Provide some literature on what we introduced for operators in wallaby, how they can configure it, and actions we recommend they take. Since this marks the point at which we consider the feature implemented, this also removes the legacy-rbac job and makes the secure-rbac job voting. Implements: blueprint secure-rbac Change-Id: I8f980cf7731d26b92b5392fdada21e5be0f541c4 --- .zuul.yaml | 6 +-- ...bac-project-personas-fb0d9792b9dc3783.yaml | 51 +++++++++++++++++++ 2 files changed, 53 insertions(+), 4 deletions(-) create mode 100644 releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml diff --git a/.zuul.yaml b/.zuul.yaml index 2a557a540c..28d9e8080d 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -322,9 +322,7 @@ irrelevant-files: *tempest-irrelevant-files - nova-ceph-multistore: irrelevant-files: *tempest-irrelevant-files - - glance-secure-rbac-protection-functional: - voting: false - - glance-legacy-rbac-protection-functional + - glance-secure-rbac-protection-functional gate: jobs: @@ -342,7 +340,7 @@ irrelevant-files: *tempest-irrelevant-files - nova-ceph-multistore: irrelevant-files: *tempest-irrelevant-files - - glance-legacy-rbac-protection-functional + - glance-secure-rbac-protection-functional experimental: jobs: - glance-tox-py38-glance_store-tips diff --git a/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml b/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml new file mode 100644 index 0000000000..11cb6b7a7c --- /dev/null +++ b/releasenotes/notes/secure-rbac-project-personas-fb0d9792b9dc3783.yaml @@ -0,0 +1,51 @@ +--- +features: + - | + Glance's default policies now use the `member` role on projects to protect + writeable and readable image actions. Support was also added for read-only + access to image resources when the `reader` role is granted to users on a + project. Administrative operations, like creating public images, is still + protected using the `admin` role on a project. Administrative actions will + be updated in the future to consume system-scope. + + We encourage you to compare any existing overrides in your deployment with + the new defaults. You can use `oslopolicy-sample-generator --namespace + glance` to generate the default policies and use them for comparison. + + The secure RBAC personas implemented in Wallaby are marked as experimental. + They will become stable in a future release. You can read more about the + various personas in keystone's `Administrator Guide + `_. + + To enable this functionality, you must specify `glance-api.conf + [DEFAULT] enable_secure_rbac=True` and `glance-api.conf [oslo_policy] + enforce_new_defaults=True`. Glance will refuse to start if misconfigured. +upgrade: + - | + Glance now provides more granular RBAC access to the images API via default + personas. This work is marked as experimental in Wallaby, and will be + supported in a future release. + + Existing authorization and policies will continue to work, but we encourage + operators to review the new policies and consolidate any redundant + overrides with the new defaults if possible. Please review the feature + section above for more details. +deprecations: + - | + The policies protecting the image API have been deprecated in favor of more + consistent defaults that use the `member` and `reader` default roles from + keystone. If your deployment relies on overriding the default policies, + please review the new defaults and how they may impact your deployment. + + The unused `modify_task` policy has been deprecated for + removal. It was never honored or checked as part of an API + operation. As a result, it has been deprecated for removal since + overriding it has no direct impact on the tasks API, which remains + a deprecated, admin-only API. +security: + - | + Glance now ships experimental policies that support read-only image + permissions. Users with the `reader` role on a project will be able to view + generic image data, without the ability to make writeable changes using the + images API. Please review the features section above for more information + on enabling this functionality.