openstack/nova
Code Issues Proposed changes
f788cbe26c
nova/releasenotes/notes/bp-policy-defaults-refresh-2-473c70f641f9f397.yaml
Ghanshyam Mann f9c1d1163d Complete phase-1 of RBAC community-wide goal 
After moving the nova APIs policy as per the new guidlines
where system scoped token will be only allowed to access
system level APIs and will not be allowed any operation
on project level APIs. With that we do not need below
base rules (who have hardcoded 'system_scope:all' check_str):
- system_admin_api
- system_reader_api
- system_admin_or_owner
- system_or_project_reader

At this stage (phase-1 target), we allow below roles as targeted
in phase-1 [1]
1. ADMIN(this is System Administrator with scope_type 'system'
when scope enabled otherwise legacy admin)
2. PROJECT_ADMIN
3. PROJECT_MEMBER
4. PROJECT_READER
 & below one specific to nova
5. PROJECT_READER_OR_ADMIN (to allow system admin and project reader
to list flavor extra specs)

This complete the phase-1 of RBAC community-wide goal[2] for nova.

Add release notes too.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#how-operator
[2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#yoga-timeline-7th-mar-2022

Partial implement blueprint policy-defaults-refresh-2

Change-Id: I075005d13ff6bfe048bbb21d80d71bf1602e4c02
2022-02-24 16:33:34 +00:00

31 lines
1.2 KiB
YAML
Raw Blame History

---
features:
- |
The Nova policies have been modified to isolate the system and project
level APIs policy. This means system users will be allowed to perform
the operation on system level resources and will not to allowed any
operation on project level resources. Project Level APIs operation will be
performed by the project scoped users.
Currently, nova supports:
* ``system admin``
* ``project admin``
* ``project member``
* ``project reader``
For the details on what changed from the existing policy, please refer the
`RBAC new guidelines`_. We have implemented only phase-1
`RBAC new guidelines`_.
Currently, scope checks and new defaults are disabled by default. You can
enable them by switching the below config option in ``nova.conf`` file::
[oslo_policy]
enforce_new_defaults=True
enforce_scope=True
Please refer `Policy New Defaults`_ for detail about policy new defaults
and migration plan.
.. _RBAC new guidelines: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
.. _Policy New Defaults: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html
View Git Blame Copy Permalink