From fff80086d6b48b06944f0d0fa0e2dd243174e40d Mon Sep 17 00:00:00 2001
From: Julia Kreger
Date: Tue, 9 Jan 2024 06:19:39 -0800
Subject: [PATCH] Change policy to enforce only new policy

Change's inspector's default policy to align with the 2023.2 release goal.

Depends-On: https://review.opendev.org/c/openstack/ironic/+/902009
Change-Id: Iaa271bd13e3a62c4a3b35b6e6b556984f7b1d09c
---
 devstack/plugin.sh | 4 +--
 ironic_inspector/policy.py | 4 ++-
 ...rbac-policy-disabled-6fc45ad1237f4d57.yaml | 35 +++++++++++++++++++
 zuul.d/ironic-inspector-jobs.yaml | 2 ++
 4 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/legacy-rbac-policy-disabled-6fc45ad1237f4d57.yaml

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index eed1e61e8..de4a73951 100644
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -26,10 +26,10 @@ IRONIC_INSPECTOR_UWSGI_CONF=$IRONIC_INSPECTOR_CONF_DIR/ironic-inspector-uwsgi.in
 # explicitly unless otherwise set.
 IRONIC_INSPECTOR_ENFORCE_SCOPE=${IRONIC_INSPECTOR_ENFORCE_SCOPE:-${IRONIC_ENFORCE_SCOPE:-False}}
 # and then fallback to trueorfalse to put it into the standardized string format for the jobs.
-IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse False IRONIC_INSPECTOR_ENFORCE_SCOPE)
+IRONIC_INSPECTOR_ENFORCE_SCOPE=$(trueorfalse True IRONIC_INSPECTOR_ENFORCE_SCOPE)
 # Reset the input in the event the plugin is running separately from ironic's
 # devstack plugin.
-IRONIC_ENFORCE_SCOPE=$(trueorfalse False IRONIC_ENFORCE_SCOPE)
+IRONIC_ENFORCE_SCOPE=$(trueorfalse True IRONIC_ENFORCE_SCOPE)
 if [[ -n ${IRONIC_INSPECTOR_MANAGE_FIREWALL} ]] ; then
diff --git a/ironic_inspector/policy.py b/ironic_inspector/policy.py
index f2aeb6509..90640db1e 100644
--- a/ironic_inspector/policy.py
+++ b/ironic_inspector/policy.py
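Review bot: The new `trueorfalse True` default for IRONIC_INSPECTOR_ENFORCE_SCOPE does not take effect when neither variable is set, because the context line two above it still substitutes the literal `False` through `${IRONIC_ENFORCE_SCOPE:-False}`, and trueorfalse only falls back to its default for values it does not recognise, so the variable arrives as "False" and stays "False". To actually flip the default for a standalone inspector deployment, change that fallback as well: `IRONIC_INSPECTOR_ENFORCE_SCOPE=${IRONIC_INSPECTOR_ENFORCE_SCOPE:-${IRONIC_ENFORCE_SCOPE:-True}}`. When the plugin runs after ironic's devstack plugin, IRONIC_ENFORCE_SCOPE is presumably already set by ironic and the fallback is not reached, so this mainly matters for the standalone case described in the "Reset the input" comment. The CI jobs set both variables explicitly, so the gate would not notice the inert default; a standalone devstack would end up with the shell side reporting False while policy.py now defaults enforce_scope to True.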
@@ -28,7 +28,9 @@ _ENFORCER = None
 # once oslo_policy change the default value to 'policy.yaml'.
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE,
+                  enforce_scope=True,
+                  enforce_new_defaults=True)
 # Generic policy check string for system administrators. These are the people
 # who need the highest level of authorization to operate the deployment.
diff --git a/releasenotes/notes/legacy-rbac-policy-disabled-6fc45ad1237f4d57.yaml b/releasenotes/notes/legacy-rbac-policy-disabled-6fc45ad1237f4d57.yaml
new file mode 100644
index 000000000..f2e0672e2
--- /dev/null
+++ b/releasenotes/notes/legacy-rbac-policy-disabled-6fc45ad1237f4d57.yaml
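Review bot: The comment block above the `opts.set_defaults` call explains only the policy-file default, while the two new keyword arguments change enforcement behaviour and deserve a comment stating why they are set in code rather than left to oslo.policy's own defaults. Suggested comment directly above the call: `# Default to the scope-aware "new" policy from the Consistent and Secure RBAC goal; the legacy baremetal_admin/baremetal_observer roles are no longer honoured unless the operator sets enforce_scope/enforce_new_defaults to False in [oslo_policy].` With enforce_scope=True, oslo.policy rejects a request whose token scope does not match a rule's scope_types instead of only logging a warning, so the comment is also the natural place to point at the release note that documents the revert knobs. Since set_defaults only changes option defaults, explicit operator values in the config file still take precedence, which is what the release note's revert instructions rely on.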
@@ -0,0 +1,35 @@
+---
+upgrade:
+  - |
+    The legacy Role Based Access Control policy used by ironic-inspector has
+    been disabled by default. The end result of this is that the legacy
+    ``baremetal_admin`` and ``baremetal_observer`` roles are no longer enabled
+    by default. System scoped access can be utilized to connect to the
+    ``ironic-inspector`` service, or alternatively a user with an ``admin``
+    or ``service`` role.
+
+    The Ironic project does not anticipate any issues with this change, as the
+    the ``ironic-inspector`` service is a service *for* the system itself.
+    That being said, if the operator deployed configuration is reliant upon
+    the deprecated roles, configuration changes will be required.
+
+    This change is a result of the new policy which was introduced as part of
+    `Consistent and Secure RBAC`_ community goal and the underlying
+    ``[oslo_policy] enforce_scope`` and ``[oslo_policy] enforce_new_defaults``
+    settings being changed to ``True``.
+
+    Operators wishing to revert to the old policy configuration may do so
+    by setting the following values in ``ironic-inspector.conf``.::
+
+      [oslo_policy]
+      enforce_new_defaults=False
+      enforce_scope=False
+
+    Operators who revert the configuration are encouraged to make the
+    necessary changes to their configuration, as the legacy RBAC policy
+    will be removed at some point in the future. Please review
+    `2024.1-Release Timeline`_. Failure to do so will may force operators
+    to craft custom policy override configuration.
+
+    .. _`Consistent and Secure RBAC`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
+    .. _`2024.1-Release Timeline`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id3
diff --git a/zuul.d/ironic-inspector-jobs.yaml b/zuul.d/ironic-inspector-jobs.yaml
index b03ca54d6..ba864f38a 100644
--- a/zuul.d/ironic-inspector-jobs.yaml
+++ b/zuul.d/ironic-inspector-jobs.yaml
@@ -173,6 +173,8 @@
           CIRROS_VERSION: 0.6.1
           MYSQL_GATHER_PERFORMANCE: False
           INSTANCE_WAIT: 120
+          IRONIC_INSPECTOR_ENFORCE_SCOPE: True
+          IRONIC_ENFORCE_SCOPE: True
         old:
           IRONIC_VM_LOG_DIR: '{{ devstack_bases.old }}/ironic-bm-logs'
       grenade_localrc:
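Review bot: The two new variables are added to the mapping that sits alongside the `old:` key, which from the visible structure looks like the localrc shared by both sides of the grenade run rather than the new side only; nothing in the hunk says whether enforcing scope on the pre-upgrade side is intended. A one-line comment above the additions would settle that for the next reader, e.g. `# Both sides enforce scope so the upgrade is exercised with the new RBAC defaults already active.` (adjust if the old side is meant to keep the legacy default). If the old side should instead run with the legacy policy, the variables belong under the new-side block rather than here. The enclosing job definition starts and ends outside the hunk.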