Merge "Minor updates to rbac doc"
This commit is contained in:
Zuul
Gerrit Code Review
commit
8eec87bbe4
@ -16,7 +16,7 @@ customization of these policies to consult some reference material
|
|||||||
in hopes of understanding the context.
|
in hopes of understanding the context.
|
||||||
|
|
||||||
* `Keystone Adminstrator Guide - Service API Protection <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_
|
* `Keystone Adminstrator Guide - Service API Protection <https://docs.openstack.org/keystone/latest/admin/service-api-protection.html>`_
|
||||||
* `Ironic Scoped Role Based Access Control Specification <https://specs.openstack.org/openstack/ironic-specs/specs/not-implemented/secure-rbac.html>`_
|
* `Ironic Scoped Role Based Access Control Specification <https://specs.openstack.org/openstack/ironic-specs/specs/17.0/secure-rbac.html>`_
|
||||||
|
|
||||||
Historical Context - How we reached our access model
|
Historical Context - How we reached our access model
|
||||||
----------------------------------------------------
|
----------------------------------------------------
|
||||||
@ -45,7 +45,7 @@ policy enforcement framework the information necessary to make decisions.
|
|||||||
System scoped requests very much align with the access controls of Ironic
|
System scoped requests very much align with the access controls of Ironic
|
||||||
before the Secure RBAC effort. The original custom role ``baremetal_admin``
|
before the Secure RBAC effort. The original custom role ``baremetal_admin``
|
||||||
privileges are identical to a system scoped ``admin``'s privileges.
|
privileges are identical to a system scoped ``admin``'s privileges.
|
||||||
Similarly ``baremetal_reader`` is identical to a system scoped ``reader``.
|
Similarly ``baremetal_observer`` is identical to a system scoped ``reader``.
|
||||||
In these concepts, the ``admin`` is allowed to create/delete objects/items.
|
In these concepts, the ``admin`` is allowed to create/delete objects/items.
|
||||||
The ``reader`` is allowed to read details about items and is intended for
|
The ``reader`` is allowed to read details about items and is intended for
|
||||||
users who may need an account with read-only access for or front-line support
|
users who may need an account with read-only access for or front-line support
|
||||||
@ -101,7 +101,7 @@ How Project Scoped Works
|
|||||||
------------------------
|
------------------------
|
||||||
|
|
||||||
Ironic has two project use models where access is generally more delegative
|
Ironic has two project use models where access is generally more delegative
|
||||||
to an ``owner`` where access to a ``lessee`` is generally more utilitarian.
|
to an ``owner`` and access to a ``lessee`` is generally more utilitarian.
|
||||||
|
|
||||||
The purpose of an owner, is more to enable the System Operator to delegate
|
The purpose of an owner, is more to enable the System Operator to delegate
|
||||||
much of the administrative activity of a Node to the owner.
|
much of the administrative activity of a Node to the owner.
|
||||||
@ -131,13 +131,13 @@ Field value visibility restrictions
|
|||||||
|
|
||||||
Ironic's API, by default has a concept of filtering node values to prevent
|
Ironic's API, by default has a concept of filtering node values to prevent
|
||||||
sensitive data from being leaked. System scoped users are subjected to basic
|
sensitive data from being leaked. System scoped users are subjected to basic
|
||||||
restrictions, where as project scoped users are, by default, examined further
|
restrictions, whereas project scoped users are, by default, examined further
|
||||||
and against additional policies. This threshold is controlled with the
|
and against additional policies. This threshold is controlled with the
|
||||||
``baremetal:node:get:filter_threshold``.
|
``baremetal:node:get:filter_threshold``.
|
||||||
|
|
||||||
By default, the following fields are masked on Nodes and are controlled by the
|
By default, the following fields are masked on Nodes and are controlled by the
|
||||||
associated policies. By default, owner's are able to see insight into the
|
associated policies. By default, owners are able to see insight into the
|
||||||
infrastructure, where as lessee users *CANNOT* view these fields by default.
|
infrastructure, whereas lessee users *CANNOT* view these fields by default.
|
||||||
|
|
||||||
* ``last_error`` - ``baremetal:node:get:last_error``
|
* ``last_error`` - ``baremetal:node:get:last_error``
|
||||||
* ``reservation`` - ``baremetal:node:get:reservation``
|
* ``reservation`` - ``baremetal:node:get:reservation``
|
||||||
@ -175,7 +175,7 @@ Allocations
|
|||||||
~~~~~~~~~~~
|
~~~~~~~~~~~
|
||||||
|
|
||||||
The ``allocations`` endpoint of the API is somewhat different than other
|
The ``allocations`` endpoint of the API is somewhat different than other
|
||||||
other endpoints as it allows for the allocation of physical machines to
|
endpoints as it allows for the allocation of physical machines to
|
||||||
an admin. In this context, there is not already an ``owner`` or ``project_id``
|
an admin. In this context, there is not already an ``owner`` or ``project_id``
|
||||||
to leverage to control access for the creation process, any project member
|
to leverage to control access for the creation process, any project member
|
||||||
does have the inherent privilege of requesting an allocation. That being said,
|
does have the inherent privilege of requesting an allocation. That being said,
|
||||||
@ -188,7 +188,7 @@ and any new allocation being requested with a specific owner, if made in
|
|||||||
the allocation.
|
the allocation.
|
||||||
|
|
||||||
Ultimately, an operational behavior difference exists between the ``owner``
|
Ultimately, an operational behavior difference exists between the ``owner``
|
||||||
and ``lessee`` rights in terms of allocations exists. With the standard
|
and ``lessee`` rights in terms of allocations. With the standard
|
||||||
access rights, ``lessee`` users are able to create allocations if they
|
access rights, ``lessee`` users are able to create allocations if they
|
||||||
own nodes which are not allocated or deployed, but they cannot reprovision
|
own nodes which are not allocated or deployed, but they cannot reprovision
|
||||||
nodes when using only a ``member`` role. This limitation is not the case
|
nodes when using only a ``member`` role. This limitation is not the case
|
||||||
@ -216,7 +216,7 @@ the user to be a ``system`` scoped user with ``admin`` privileges.
|
|||||||
|
|
||||||
The most noticeable difference for API consumers is the HTTP 403 access
|
The most noticeable difference for API consumers is the HTTP 403 access
|
||||||
code is now mainly a HTTP 404 access code. The access concept has changed
|
code is now mainly a HTTP 404 access code. The access concept has changed
|
||||||
from "Does the user user broadly has access to the API?" to
|
from "Does the user broadly have access to the API?" to
|
||||||
"Does user have access to the node, and then do they have access
|
"Does user have access to the node, and then do they have access
|
||||||
to the specific resource?".
|
to the specific resource?".
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user