diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst
index 78d886429b..dec9fb9922 100644
--- a/doc/source/configuration/policy.rst
+++ b/doc/source/configuration/policy.rst
@@ -92,11 +92,19 @@ requirement. Please see the README.rst in that directory for more information.
 This policy will honor the following `Keystone Default Roles`_ in the Octavia API:
+* Admin
+* Project scoped - Reader
+* Project scoped - Member
+
+In addition, there is an alternate policy file that enables system scoped
+tokens checking called keystone_default_roles_scoped-policy.yaml.
+
 * System scoped - Admin
 * System scoped - Reader
 * Project scoped - Reader
 * Project scoped - Member
+
 Managing Octavia User Roles
 ---------------------------
diff --git a/etc/policy/README.rst b/etc/policy/README.rst
index 97369409c1..ed00f07eef 100644
--- a/etc/policy/README.rst
+++ b/etc/policy/README.rst
@@ -22,6 +22,18 @@ have one of the load-balancer:* roles.
 This policy will honor the following Keystone default roles in the Octavia API:
+* Admin
+* Project scoped - Reader
+* Project scoped - Member
+
+keystone_default_roles_scoped-policy.yaml
+----------------------------------
+This policy file disables the requirement for load-balancer service users to
+have one of the load-balancer:* roles.
+
+This policy will honor the following Keystone default roles and scopes in the
+Octavia API:
+
 * System scoped - Admin
 * System scoped - Reader
 * Project scoped - Reader
diff --git a/etc/policy/keystone_default_roles-policy.yaml b/etc/policy/keystone_default_roles-policy.yaml
index 61d7bb857d..e64ad7444b 100644
--- a/etc/policy/keystone_default_roles-policy.yaml
+++ b/etc/policy/keystone_default_roles-policy.yaml
@@ -8,12 +8,12 @@
 # Keystone token scoping and "default roles"/personas will still be enforced.
 # Role Rules
-"system_admin": "role:admin and system_scope:all"
-"system_reader": "role:reader and system_scope:all"
+"system_admin": "role:admin"
+"system_reader": "role:reader"
 "project_reader": "role:reader and project_id:%(project_id)s"
 "project_member": "role:member and project_id:%(project_id)s"
-"context_is_admin": "role:admin and system_scope:all"
+"context_is_admin": "role:admin"
 # API Rules
 "load-balancer:admin": "is_admin:True or
diff --git a/etc/policy/keystone_default_roles_scoped-policy.yaml b/etc/policy/keystone_default_roles_scoped-policy.yaml
new file mode 100644
index 0000000000..61d7bb857d
--- /dev/null
+++ b/etc/policy/keystone_default_roles_scoped-policy.yaml
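Review bot: The context line `# Keystone token scoping and "default roles"/personas will still be enforced.` is no longer true for this file once `system_admin`, `system_reader` and `context_is_admin` drop `system_scope:all` — the rules themselves no longer check token scope, so in a deployment running with `[oslo_policy] enforce_scope` off, any project-scoped token carrying the `reader` role now satisfies `rule:system_reader` (and through it the unchanged `load-balancer:read-global` / `read-quota-global` rules, since this file's old blob 61d7bb857d is the same content as the new scoped file), and any project-scoped `admin` satisfies `rule:system_admin`. That is a cross-project read/admin grant the new docs ("Admin", "Project scoped - Reader") do not make explicit, and the `system_` prefix on the rule names now misdescribes what they match. Please replace the stale comment with something like `# NOTE: the system_* rules below intentionally omit system_scope:all; any token carrying the admin/reader role satisfies them regardless of scope. Use keystone_default_roles_scoped-policy.yaml with [oslo_policy] enforce_scope=True for scope checks.` and state the same in the policy.rst/README.rst lists. The file's header comments (lines 1-7) are outside this hunk, so whether the "enforce_scope ... must be True" sentence still applies there should be checked as well.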
@@ -0,0 +1,37 @@
+# This policy YAML file will revert the Octavia API to follow the keystone
+# "default role" RBAC policies.
+#
+# The [oslo_policy] enforce_scope and enforce_new_defaults must be True.
+#
+# Users will not be required to be a member of the load-balancer_* roles
+# to take action on Octavia resources.
+# Keystone token scoping and "default roles"/personas will still be enforced.
+
+# Role Rules
+"system_admin": "role:admin and system_scope:all"
+"system_reader": "role:reader and system_scope:all"
+"project_reader": "role:reader and project_id:%(project_id)s"
+"project_member": "role:member and project_id:%(project_id)s"
+
+"context_is_admin": "role:admin and system_scope:all"
+
+# API Rules
+"load-balancer:admin": "is_admin:True or
+ rule:system_admin or
+ role:load-balancer_admin"
+
+"load-balancer:read": "is_admin:True or
+ rule:system_reader or
+ rule:project_reader"
+
+"load-balancer:read-global": "is_admin:True or rule:system_reader"
+
+"load-balancer:write": "is_admin:True or rule:project_member"
+
+"load-balancer:read-quota": "is_admin:True or
+ rule:system_reader or
+ rule:project_reader"
+
+"load-balancer:read-quota-global": "is_admin:True or rule:system_reader"
+
+"load-balancer:write-quota": "is_admin:True"