Deprecate legacy policies, update project scoped docs
Deprecates legacy policies which will be removed at a later point in time. Notes these in a release note which covers project scoped access enablement, and updates the Secure RBAC docs to cover additional details Special thanks to Rammstein Radio on Pandora, for without this and all of the amazing artists it brought to my coding jam sessions, this effort would not have reached any sort of conclusion in the relatively short time for such a massive amount of work. Change-Id: I3bf0fa0de07e19d6058f0299e7abbff91b48b360
This commit is contained in:
parent
043de26884
commit
426353c3f5
doc/source/admin
ironic
releasenotes/notes
@ -191,13 +191,44 @@ from "Does the user user broadly has access to the API?" to
|
||||
"Does user have access to the node, and then do they have access
|
||||
to the specific resource?".
|
||||
|
||||
What is an owner or lessee?
|
||||
---------------------------
|
||||
|
||||
An ``owner`` or ``lessee`` is the project which has been assigned baremetal
|
||||
resources. Generally these should be service projects as opposed to a project
|
||||
dedicated to a specific user. This will help prevent the need to involve a
|
||||
``system`` scoped administrator from having to correct ownership records
|
||||
should a project need to be removed due to an individual's departure.
|
||||
|
||||
The underlying ``project_id`` is used to represent and associate the owner or
|
||||
lessee.
|
||||
|
||||
How do I assign an owner?
|
||||
-------------------------
|
||||
|
||||
.. todo: need to add information on the owner assignment
|
||||
and also cover what this generally means... maybe?
|
||||
.. code-block:: console
|
||||
|
||||
# baremetal node set --owner <project_id> <node>
|
||||
|
||||
.. note::
|
||||
With the default access policy, an ``owner`` is able to change
|
||||
the assigned ``lessee`` of a node. However the ``lessee`` is unable to do
|
||||
the same.
|
||||
|
||||
How do I assign a lessee?
|
||||
-------------------------
|
||||
|
||||
.. todo: Need to cover how to assign a lessee.
|
||||
.. code-block:: console
|
||||
|
||||
# baremetal node set --lessee <project_id> <node>
|
||||
|
||||
What is the difference between an owner and lessee?
|
||||
---------------------------------------------------
|
||||
|
||||
This is largely covered in `How Project Scoped Works`_ although
|
||||
as noted it is largely in means of access. A ``lessee`` is far more
|
||||
restrictive and an ``owner`` may revoke access to ``lessee``.
|
||||
|
||||
Access to the underlying baremetal node is not exclusive between the
|
||||
``owner`` and ``lessee``, and this use model expects that some level of
|
||||
communication takes place between the appropriate parties.
|
||||
|
@ -52,6 +52,9 @@ class RequestContext(context.RequestContext):
|
||||
def get_admin_context():
|
||||
"""Create an administrator context."""
|
||||
|
||||
# TODO(TheJulia): Revise in Xena, is_admin should
|
||||
# no longer be a default, much less passed as it is
|
||||
# deprecated.
|
||||
context = RequestContext(auth_token=None,
|
||||
project_id=None,
|
||||
is_admin=True,
|
||||
|
@ -110,8 +110,15 @@ def is_image_available(context, image):
|
||||
# The presence of an auth token implies this is an authenticated
|
||||
# request and we need not handle the noauth use-case.
|
||||
if hasattr(context, 'auth_token') and context.auth_token:
|
||||
# We return true here since we want the *user* request context to
|
||||
# be able to be used.
|
||||
return True
|
||||
|
||||
# TODO(TheJulia): This is potentially a bug below. Admin context doesn't
|
||||
# necessarilly mean the object is *actually* accessible. We should likely
|
||||
# just ask glance... Although everything should also have an auth_token
|
||||
# as noted above. Ultimately we need to tease the is_admin logic apart
|
||||
# and treat things appropriately by checking them as needed.
|
||||
if getattr(image, 'visibility', None) == 'public' or context.is_admin:
|
||||
return True
|
||||
|
||||
|
@ -148,13 +148,19 @@ TARGET_PROPERTIES_READER = (
|
||||
'(' + SYSTEM_READER + ') or (role:admin)'
|
||||
)
|
||||
|
||||
pre_rbac_deprecated_reason = 'Pre-RBAC default rule. This rule does not support scoping system scoping and as such is deprecated.' # noqa
|
||||
|
||||
default_policies = [
|
||||
# Legacy setting, don't remove. Likely to be overridden by operators who
|
||||
# forget to update their policy.json configuration file.
|
||||
# This gets rolled into the new "is_admin" rule below.
|
||||
policy.RuleDefault('admin_api',
|
||||
'role:admin or role:administrator',
|
||||
description='Legacy rule for cloud admin access'),
|
||||
description='Legacy rule for cloud admin access',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_since=versionutils.deprecated.WALLABY,
|
||||
deprecated_reason=pre_rbac_deprecated_reason
|
||||
),
|
||||
# is_public_api is set in the environment from AuthPublicRoutes
|
||||
# TODO(TheJulia): Once legacy policy rules are removed, is_public_api
|
||||
# can be removed from the code base.
|
||||
@ -178,22 +184,40 @@ default_policies = [
|
||||
# TODO(TheJulia): Lets nuke demo from high orbit.
|
||||
policy.RuleDefault('is_member',
|
||||
'(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)', # noqa
|
||||
description='May be used to restrict access to specific projects'), # noqa
|
||||
description='May be used to restrict access to specific projects', # noqa
|
||||
deprecated_for_removal=True,
|
||||
deprecated_since=versionutils.deprecated.WALLABY,
|
||||
deprecated_reason=pre_rbac_deprecated_reason),
|
||||
policy.RuleDefault('is_observer',
|
||||
'rule:is_member and (role:observer or role:baremetal_observer)', # noqa
|
||||
description='Read-only API access'),
|
||||
description='Read-only API access',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_since=versionutils.deprecated.WALLABY,
|
||||
deprecated_reason=pre_rbac_deprecated_reason),
|
||||
policy.RuleDefault('is_admin',
|
||||
'rule:admin_api or (rule:is_member and role:baremetal_admin)', # noqa
|
||||
description='Full read/write API access'),
|
||||
description='Full read/write API access',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_since=versionutils.deprecated.WALLABY,
|
||||
deprecated_reason=pre_rbac_deprecated_reason),
|
||||
policy.RuleDefault('is_node_owner',
|
||||
'project_id:%(node.owner)s',
|
||||
description='Owner of node'),
|
||||
description='Owner of node',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_since=versionutils.deprecated.WALLABY,
|
||||
deprecated_reason=pre_rbac_deprecated_reason),
|
||||
policy.RuleDefault('is_node_lessee',
|
||||
'project_id:%(node.lessee)s',
|
||||
description='Lessee of node'),
|
||||
description='Lessee of node',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_since=versionutils.deprecated.WALLABY,
|
||||
deprecated_reason=pre_rbac_deprecated_reason),
|
||||
policy.RuleDefault('is_allocation_owner',
|
||||
'project_id:%(allocation.owner)s',
|
||||
description='Owner of allocation'),
|
||||
description='Owner of allocation',
|
||||
deprecated_for_removal=True,
|
||||
deprecated_since=versionutils.deprecated.WALLABY,
|
||||
deprecated_reason=pre_rbac_deprecated_reason),
|
||||
]
|
||||
|
||||
# NOTE(tenbrae): to follow policy-in-code spec, we define defaults for
|
||||
@ -582,21 +606,6 @@ node_policies = [
|
||||
deprecated_reason=deprecated_node_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
# TODO(TheJulia): So multiple additional fields need policies. This needs
|
||||
# to be reviewed/audited/addressed.
|
||||
# * Get ability on last_error - policy added
|
||||
# * Get ability on reservation (conductor names) - policy added
|
||||
# * get ability on driver_internal_info (internal addressing) added
|
||||
# * ability to get driver_info - policy added
|
||||
# * ability to set driver_info - policy added
|
||||
# * ability to set properties. - added
|
||||
# * ability to set chassis_uuid - added
|
||||
# * ability to set instance_uuid - added
|
||||
# * ability to set a lessee - default only to admin or owner. added
|
||||
# * ability to set driver/*_interface - added
|
||||
# * ability to set network_data - added
|
||||
# * ability to set conductor_group -added
|
||||
# * ability to set name -added
|
||||
policy.DocumentedRuleDefault(
|
||||
name='baremetal:node:update_instance_info',
|
||||
check_str=SYSTEM_OR_OWNER_MEMBER_AND_LESSEE_ADMIN,
|
||||
|
@ -1345,6 +1345,10 @@ class AgentDeployMixin(HeartbeatMixin, AgentOobStepsMixin):
|
||||
image_source = node.instance_info.get('image_source')
|
||||
try:
|
||||
context = task.context
|
||||
# TODO(TheJulia): Uhh, is_admin likely needs to be
|
||||
# addressed in Xena as undesirable behavior may
|
||||
# result, or just outright break in an entirely
|
||||
# system scoped configuration.
|
||||
context.is_admin = True
|
||||
glance = image_service.GlanceImageService(
|
||||
context=context)
|
||||
|
45
releasenotes/notes/project-scoped-rbac-063c44ba593bb82a.yaml
Normal file
45
releasenotes/notes/project-scoped-rbac-063c44ba593bb82a.yaml
Normal file
@ -0,0 +1,45 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Adds capability to use ``project`` scoped requests in concert with
|
||||
``system`` scoped requests for a composite Role Based Access Control
|
||||
(RBAC) model. As Ironic is mainly an administrative service,
|
||||
this capability has only been extended to API endpoints which are
|
||||
not purely administrative in nature. This consists of the following
|
||||
API endpoints: nodes, ports, portgroups, volume connectors, volume
|
||||
targets, and allocations.
|
||||
- |
|
||||
Project ``scoped`` requests for baremetal allocations, will automatically
|
||||
record the ``project_id`` of the requestor as the ``owner`` of the node.
|
||||
deprecations:
|
||||
- >
|
||||
Pre-RBAC support rules have been deprecated. These consist of:
|
||||
* admin_api
|
||||
* is_member
|
||||
* is_observer
|
||||
* is_node_owner
|
||||
* is_node_lessee
|
||||
* is_allocation_owner
|
||||
|
||||
These rules will likely be removed in the Xena development cycle.
|
||||
Operators are advised to review any custom policy rules for these
|
||||
rules and move to the `Secure Role Based Access Controls <https://docs.openstack.org/ironic/latest/admin/secure-rbac.html>`_
|
||||
model.
|
||||
issues:
|
||||
- |
|
||||
The addition of both ``project`` and ``system`` scoped Role Based Access
|
||||
controls does add additional database queries when linked resources are
|
||||
accessed. Example, when attempting to access a ``port`` or ``portgroup``,
|
||||
the associated node needs to be checked as this helps govern overall
|
||||
object access to the object for ``project`` scoped requests. This does not
|
||||
impact ``system`` scoped requests. Operators who adopt project scoped
|
||||
access may find it necessary to verify or add additional database indexes
|
||||
in relation to the node ``uuid`` column as well as ``node_id`` field in
|
||||
any table which may recieve heavy project query scope activity.
|
||||
The ``ironic`` project anticipates that this will be a future work item
|
||||
of the project to help improve database performance.
|
||||
upgrade:
|
||||
- |
|
||||
Legacy policy rules have been deprecated. Operators are advised to review
|
||||
and update any custom policy files in use. Please see
|
||||
`Secure Role Based Access Controls`_ for more information.
|
Loading…
Reference in New Issue
Block a user