Add RBAC investment opportunity for 2019
Rework the 2018 entry for RBAC into the new "Upstream Investment Opportunity" format and add it to the 2019 list. Change-Id: I2d5b15031299bf9f64afa99775cc9b7d363c4c09
This commit is contained in:
parent
42c614ef38
commit
995bbae70a
90
reference/upstream-investment-opportunities/2019/rbac.rst
Normal file
90
reference/upstream-investment-opportunities/2019/rbac.rst
Normal file
@ -0,0 +1,90 @@
|
||||
=====================================
|
||||
Consistent and Secure Policy Defaults
|
||||
=====================================
|
||||
|
||||
Summary
|
||||
-------
|
||||
|
||||
The OpenStack community is seeking contributors to the Secure Policy Defaults
|
||||
initiative. This ongoing initiative aims to provide set of common roles that
|
||||
will enable secure enforcement of authorization policies across OpenStack
|
||||
projects and deployments.
|
||||
|
||||
Business Case
|
||||
-------------
|
||||
|
||||
Supporting consistent and secure default RBAC configuration in OpenStack
|
||||
provides the best means to secure your organization's OpenStack deployment and
|
||||
to make security maintenance less error-prone. This is especially incumbent upon
|
||||
organizations that are subject to security audits and strict regulations for
|
||||
whom OpenStack's lack of consistent RBAC prohibits production use.
|
||||
|
||||
Sponsorship of contributors to this RBAC initiative positions them to
|
||||
influence direction and drive implementation choices on critical
|
||||
infrastructure used by every OpenStack project and every OpenStack
|
||||
deployment -- ensuring that an organization's downstream requirements
|
||||
are fully understood and taken into account.
|
||||
|
||||
Because of its use in every OpenStack project, work on this RBAC
|
||||
initiative is a good way to build reputation and influence upstream,
|
||||
and at the same time gain vital in-house expertise for an
|
||||
organization's downstream deployments or software distributions.
|
||||
|
||||
Technical Details
|
||||
-----------------
|
||||
|
||||
Currently, most OpenStack services have a very binary approach to Role Based
|
||||
Access Control (RBAC) enforcement. This approach usually handicaps new
|
||||
functionality from being exposed to users because users typically do not fall
|
||||
in one of two camps. Contributors either need to lock down the feature to only
|
||||
system administrators, or open it up to nearly every user in the deployment.
|
||||
This is especially true for APIs that expose details about multiple tenants.
|
||||
|
||||
Implementing better API protection allows contributors to expose more
|
||||
functionality to end users and operators by default. Lowering the bar for users
|
||||
to access a feature means more opportunities for feedback loops, more end users
|
||||
getting access to the functionality they need, and makes OpenStack more usable
|
||||
overall.
|
||||
|
||||
Enhanced Security
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
OpenStack has a wide variety of users. Auditing APIs and adjusting default
|
||||
access control increases security across the entire OpenStack platform. This
|
||||
exercise gives contributors the ability to provide secure defaults for new
|
||||
deployments. Reasonable default values that are inherently secure makes it
|
||||
easier for organizations with strict security requirement to deploy OpenStack.
|
||||
|
||||
Reduced Operational Complexity
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Today's RBAC enforcement implementation lacks secure defaults, but it is
|
||||
somewhat configurable. Deployments that must have a more secure enforcement
|
||||
implementation are forced to maintain arduously complex configuration files.
|
||||
Furthermore, many organizations re-implement similar use cases.
|
||||
|
||||
Interoperability
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
Because policy configuration gives deployments the flexibility to maintain
|
||||
complicated policies at their own expense, it is common to see many
|
||||
organizations solve the same problem. Unfortunately, it's unlikely
|
||||
organizations are sharing the same solution. This pattern impedes
|
||||
interoperability between deployments, making it frustrating for users
|
||||
interacting with different OpenStack clouds.
|
||||
|
||||
Offering a reasonable set of roles and implementing basic RBAC improves
|
||||
interoperability by not requiring each organization to solve the same problem
|
||||
individually.
|
||||
|
||||
-----------------
|
||||
|
||||
Contact
|
||||
-------
|
||||
|
||||
To contribute to this initiative, join the `Secure Default Policies Popup
|
||||
Team`_. Read the `popup team wiki page`_ for references on how to contribute and
|
||||
how to communicate with the team.
|
||||
|
||||
.. _Secure Default Policies Popup Team: https://governance.openstack.org/tc/reference/popup-teams.html#secure-default-policies
|
||||
.. _popup team wiki page: https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team
|
Loading…
Reference in New Issue
Block a user