Merge "Disable legacy RBAC policy by default."

devstack/lib/ironic

@@ -183,10 +183,8 @@ if [[ "$hostdomain" =~ "rax" ]] || [[ "$hostdomain" =~ "iweb" ]]; then
 fi
 
 
-# Oslo Policy, as of Wallaby defaults to not enforcing request scope
-# against requestors. This is anticipated to change in Xena or after
-# the Xena release of OpenStack.
-IRONIC_ENFORCE_SCOPE=$(trueorfalse False IRONIC_ENFORCE_SCOPE)
+# Oslo Policy enforcement for Scope and new policy enforcement.
+IRONIC_ENFORCE_SCOPE=$(trueorfalse True IRONIC_ENFORCE_SCOPE)
 
 if [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]]; then
     IRONIC_OS_CLOUD=devstack-system-admin
@@ -201,6 +199,12 @@ fi
 # we need this variable for Xena and possibly Wallaby grenade.
 OS_CLOUD=${OS_CLOUD:-devstack-admin}
 
+# If the node owner needs to be set on nodes, for example, jobs
+# such as metalsmith have hardcoded OS_CLOUD variables which mean
+# an ironic in a full system scope enforced mode can't find nodes
+# for an allocation as suddenly the owner is applied.
+IRONIC_SET_NODE_OWNER=${IRONIC_SET_NODE_OWNER:-}
+
 # Versions and command line for API client
 IRONIC_DEFAULT_API_VERSION=${IRONIC_DEFAULT_API_VERSION:-}
 IRONIC_CMD="openstack --os-cloud $IRONIC_OS_CLOUD baremetal"
@@ -1528,9 +1532,9 @@ function configure_ironic {
     if [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" == "" ]] || [[ "$IRONIC_JSON_RPC_AUTH_STRATEGY" == "keystone" ]]; then
         configure_client_for json_rpc
     fi
-    if [[ "$IRONIC_ENFORCE_SCOPE" == "True" ]]; then
-        iniset $IRONIC_CONF_FILE oslo_policy enforce_scope true
-        iniset $IRONIC_CONF_FILE oslo_policy enforce_new_defaults true
+    if [[ "$IRONIC_ENFORCE_SCOPE" == "False" ]]; then
+        iniset $IRONIC_CONF_FILE oslo_policy enforce_scope false
+        iniset $IRONIC_CONF_FILE oslo_policy enforce_new_defaults false
     fi
 
     # Set fast track options
@@ -1859,8 +1863,8 @@ function create_ironic_cache_dir {
 # Project     User       Roles
 # ------------------------------------------------------------------
 # service     ironic     admin
-# service              nova       baremetal_admin
-# demo                 demo       baremetal_observer
+# service     nova       baremetal_admin # Legacy, Pre-SRBAC effort
+# demo        demo       baremetal_observer # Legacy, Pre-SRBAC effort
 function create_ironic_accounts {
     if [[ "$ENABLED_SERVICES" =~ "ir-api" && "$ENABLED_SERVICES" =~ "key" ]]; then
         # Define service and endpoints in Keystone
@@ -1875,6 +1879,7 @@ function create_ironic_accounts {
         create_service_user "ironic" "admin"
 
         # Create additional bare metal tenant and roles
+        # TODO(TheJulia): Remove when we remove the legacy RBAC policies.
         get_or_create_role baremetal_admin
         get_or_create_role baremetal_observer
         if is_service_enabled nova; then
@@ -1971,6 +1976,14 @@ function start_ironic_api {
 function start_ironic_conductor {
     run_process ir-cond "$IRONIC_BIN_DIR/ironic-conductor --config-file=$IRONIC_CONF_FILE"
 
+    # Unset variables which we shouldn't have... Grenade resets these :\
+    # in grenade/projects/60_nova/resources.sh as part of the resource
+    # creation tests.
+    unset OS_TENANT_NAME
+    unset OS_USERNAME
+    unset OS_PROJECT_NAME
+    unset OS_PASSWORD
+
     # Wait up to 30 seconds for ironic-conductor to start and register itself
     local attempt
     local max_attempts=7
@@ -2280,10 +2293,12 @@ function wait_for_nova_resources {
     local resource_class=${IRONIC_DEFAULT_RESOURCE_CLASS^^}
 
     # TODO(dtantsur): switch to Placement OSC plugin, once it exists
+    # Normally, we would want to use IRONIC_OS_CLOUD, but tokens need to be
+    # scoped. In this case, devstack-admin is the appropriate os-cloud to use.
     local token
-    token=$(openstack --os-cloud $IRONIC_OS_CLOUD token issue -f value -c id)
+    token=$(openstack --os-cloud devstack-admin token issue -f value -c id)
     local endpoint
-    endpoint=$(openstack --os-cloud $IRONIC_OS_CLOUD endpoint list --service placement --interface public -f value -c URL)
+    endpoint=$(openstack --os-cloud devstack-admin endpoint list --service placement --interface public -f value -c URL)
     die_if_not_set $LINENO endpoint "Cannot find Placement API endpoint"
 
     local i
@@ -2604,6 +2619,14 @@ function enroll_nodes {
             $IRONIC_CMD node add trait $node_id $IRONIC_DEFAULT_TRAITS
         fi
 
+        if [[ -n "$IRONIC_SET_NODE_OWNER" ]]; then
+            # If set, apply an owner project project ID to the node,
+            # to allow tools like metalsmith to be abel to view and
+            # allocate the node.
+            owner_project_id=$(openstack project show $IRONIC_SET_NODE_OWNER -f value -c id)
+            $IRONIC_CMD node set --owner $owner_project_id $node_id
+        fi
+
         $IRONIC_CMD node manage $node_id --wait $IRONIC_MANAGE_TIMEOUT || \
             die $LINENO "Node did not reach manageable state in $IRONIC_MANAGE_TIMEOUT seconds"
 

devstack/upgrade/upgrade.sh

@@ -144,7 +144,7 @@ ensure_services_started $ensure_started
 # internal tag, that was assigned to network will be the same. As result we need to update
 # tag on link between br-int and brbm to new value after restart.
 if [[ -z "${IRONIC_PROVISION_NETWORK_NAME}" ]]; then
-    net_id=$(openstack network show ironic_grenade -f value -c id)
+    net_id=$(openstack --os-cloud devstack-admin network show ironic_grenade -f value -c id)
     create_ovs_taps $net_id
 fi
 

ironic/common/policy.py

@@ -36,7 +36,9 @@ LOG = log.getLogger(__name__)
 # once oslo_policy change the default value to 'policy.yaml'.
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
-opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE,
+                  enforce_scope=True,
+                  enforce_new_defaults=True)
 
 # Generic policy check string for system administrators. These are the people
 # who need the highest level of authorization to operate the deployment.

ironic/tests/unit/api/test_acl_basic.yaml

@@ -13,13 +13,13 @@ unauthenticated_user_cannot_get_node:
   path: &node_path '/v1/nodes/{node_uuid}'
   assert_status: 404
 
+# With new defaults, by default admin rights don't let you see
+# everything without rights. Since this is default/basic behavior
+# it doesn't make sense to mock it out.
 project_admin_can_get_node:
   path: *node_path
   headers: *project_admin_headers
-  assert_dict_contains:
-    uuid: '{node_uuid}'
-    driver: 'fake-hardware'
-  assert_status: 200
+  assert_status: 404
 
 project_member_cannot_get_node:
   path: *node_path

ironic/tests/unit/common/test_policy.py

@@ -174,7 +174,7 @@ class PolicyInCodeTestCase(base.TestCase):
             }]),
         dict(
             rule='baremetal:node:get',
-            check=True,
+            check=False,
             targets=[],
             creds=[{
                 'roles': ['baremetal_observer'],
@@ -188,7 +188,7 @@ class PolicyInCodeTestCase(base.TestCase):
             creds=[{'roles': ['generic_user'], 'tenant': 'demo'}]),
         dict(
             rule='baremetal:node:create',
-            check=True,
+            check=False,
             targets=[],
             creds=[{
                 'roles': ['baremetal_admin'],

releasenotes/notes/change-default-rbac-policy-f2f154043910f26a.yaml

@@ -0,0 +1,57 @@
+---
+upgrade:
+  - |
+    The Ironic service API Role Based Access Control policy has been updated
+    to disable the legacy RBAC policy by default. The effect of this is that
+    deprecated legacy roles of ``baremetal_admin`` and ``baremetal_observer``
+    are no longer functional by default, and policy checks may prevent actions
+    such as viewing nodes when access rights do not exist by default.
+
+    This change is a result of the new policy which was introduced as part of
+    `Secure Role Based Access Control`_ effort along with the
+    `Consistent and Secure RBAC`_ community goal and the underlying
+    ``[oslo_policy] enforce_scope`` and ``[oslo_policy] enforce_new_defaults``
+    settings being changed to ``True``.
+
+    The Ironic project believes most operators will observe no direct impact
+    from this change, unless they are specifically running legacy access
+    configurations utilizing the legacy roles for access.
+
+    Operators which are suddenly unable to list or deploy nodes may have
+    a misconfiguration in credentials, or need to allow the user's project
+    the ability to view and act upon the node through the node ``owner`` or
+    ``lessee`` fields. By default, the `Ironic API policy`_ permits
+    authenticated requests with a ``system`` scoped token to access
+    all resources, and applies a finer grained access model across the API
+    for project scoped users.
+
+    Ironic users who have not already changed their ``nova-compute`` service
+    settings for connecting to Ironic may also have issues scheduling
+    Bare Metal nodes. Use of a ``system`` scoped user is available, by
+    setting ``[ironic] system_scope`` to a value of ``all`` in your
+    nova-compute service configuration, which can be done independently
+    of other services, as long as the credentials supplied are also valid
+    with Keystone for system scoped authentication.
+
+    Heat users which encounter any issues after this upgrade, should check
+    their user's roles. Heat's execution and model is entirely project scoped,
+    which means users will need to have access granted through the ``owner``
+    or ``lessee`` field to work with a node.
+
+    Operators wishing to revert to the old policy configuration may do so
+    by setting the following values in ``ironic.conf``.::
+
+      [oslo_policy]
+      enforce_new_defaults=False
+      enforce_scope=False
+
+    Operators who revert the configuration are encourated to make the
+    necessary changes to their configuration, as the legacy RBAC policy
+    will be removed at some point in the future in alignment with
+    `2024.1-Release Timeline`_. Failure to do so will
+    may force operators to craft custom policy override configuration.
+
+    .. _`Secure Role Based Access Control`: https://specs.openstack.org/openstack/ironic-specs/specs/17.0/secure-rbac.html
+    .. _`Ironic API Policy`: https://docs.openstack.org/ironic/latest/configuration/sample-policy.html
+    .. _`Consistent and Secure RBAC`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
+    .. _`2024.1-Release Timeline`: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#id3

zuul.d/ironic-jobs.yaml

@@ -380,7 +380,9 @@
         IRONIC_TEMPEST_WHOLE_DISK_IMAGE: True
         IRONIC_VM_EPHEMERAL_DISK: 0
         IRONIC_AUTOMATED_CLEAN_ENABLED: False
-        IRONIC_ENFORCE_SCOPE: True
+        # NOTE(TheJulia): Explicitly set scope enforcement to False until we
+        # remove the legacy policies.
+        IRONIC_ENFORCE_SCOPE: False
         IRONIC_BOOT_MODE: bios
         Q_AGENT: ovn
         Q_ML2_TENANT_NETWORK_TYPE: vlan
@@ -981,6 +983,9 @@
           INSTANCE_WAIT: 120
           MYSQL_GATHER_PERFORMANCE: False
           CIRROS_VERSION: 0.6.1
+          # Required as different access rights are used by default
+          # and the classic devstack config which is defaulted doesn't work.
+          IRONIC_ENFORCE_SCOPE: True
         old:
           IRONIC_VM_LOG_DIR: '{{ devstack_bases.old }}/ironic-bm-logs'
       grenade_localrc: