From 11b9d8ae768f536ce7dca316fcb6833852727af8 Mon Sep 17 00:00:00 2001 From: Michael Johnson Date: Fri, 15 Jul 2022 23:39:09 +0000 Subject: [PATCH] Move system scoped secure-RBAC to separate file This patch moves the system scope configuration in the policy override example files out to a separate override file. This way the new default roles can be enabled independently of system scoped tokens. This helps us align to the changes in the secure-RBAC spec[1]. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html Change-Id: I1b41780f3ca84ceca563d668ae8bb40011a60bf4 (cherry picked from commit 5ab6e3d30f6af23084782345845cad9bcdcd1953) (cherry picked from commit c8dd836e9cc8f143c0be12bb34d1309ba1181c6e) --- doc/source/configuration/policy.rst | 8 ++++ etc/policy/README.rst | 12 ++++++ etc/policy/keystone_default_roles-policy.yaml | 6 +-- .../keystone_default_roles_scoped-policy.yaml | 37 +++++++++++++++++++ 4 files changed, 60 insertions(+), 3 deletions(-) create mode 100644 etc/policy/keystone_default_roles_scoped-policy.yaml diff --git a/doc/source/configuration/policy.rst b/doc/source/configuration/policy.rst index 78d886429b..dec9fb9922 100644 --- a/doc/source/configuration/policy.rst +++ b/doc/source/configuration/policy.rst @@ -92,11 +92,19 @@ requirement. Please see the README.rst in that directory for more information. This policy will honor the following `Keystone Default Roles`_ in the Octavia API: +* Admin +* Project scoped - Reader +* Project scoped - Member + +In addition, there is an alternate policy file that enables system scoped +tokens checking called keystone_default_roles_scoped-policy.yaml. + * System scoped - Admin * System scoped - Reader * Project scoped - Reader * Project scoped - Member + Managing Octavia User Roles --------------------------- diff --git a/etc/policy/README.rst b/etc/policy/README.rst index 97369409c1..ed00f07eef 100644 --- a/etc/policy/README.rst +++ b/etc/policy/README.rst 
@@ -22,6 +22,18 @@ have one of the load-balancer:* roles. This policy will honor the following Keystone default roles in the Octavia API: +* Admin +* Project scoped - Reader +* Project scoped - Member + +keystone_default_roles_scoped-policy.yaml +---------------------------------- +This policy file disables the requirement for load-balancer service users to +have one of the load-balancer:* roles. + +This policy will honor the following Keystone default roles and scopes in the +Octavia API: + * System scoped - Admin * System scoped - Reader * Project scoped - Reader diff --git a/etc/policy/keystone_default_roles-policy.yaml b/etc/policy/keystone_default_roles-policy.yaml index 61d7bb857d..e64ad7444b 100644 --- a/etc/policy/keystone_default_roles-policy.yaml +++ b/etc/policy/keystone_default_roles-policy.yaml @@ -8,12 +8,12 @@ # Keystone token scoping and "default roles"/personas will still be enforced. # Role Rules -"system_admin": "role:admin and system_scope:all" -"system_reader": "role:reader and system_scope:all" +"system_admin": "role:admin" +"system_reader": "role:reader" "project_reader": "role:reader and project_id:%(project_id)s" "project_member": "role:member and project_id:%(project_id)s" -"context_is_admin": "role:admin and system_scope:all" +"context_is_admin": "role:admin" # API Rules "load-balancer:admin": "is_admin:True or diff --git a/etc/policy/keystone_default_roles_scoped-policy.yaml b/etc/policy/keystone_default_roles_scoped-policy.yaml new file mode 100644 index 0000000000..61d7bb857d --- /dev/null +++ b/etc/policy/keystone_default_roles_scoped-policy.yaml 
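Review bot: Dropping `system_scope:all` from `system_admin`, `system_reader` and `context_is_admin` means any token carrying the `admin` role — including one scoped to an arbitrary project — now satisfies `context_is_admin` and every `is_admin:True` disjunct in the API rules, and any project-scoped `reader` satisfies `rule:system_reader`, which (if the API rules below this hunk match the copy in keystone_default_roles_scoped-policy.yaml) grants `load-balancer:read-global` and `read-quota-global` across all projects. That is presumably intended by aligning with the secure-RBAC "admin"/"reader" personas, but the unchanged file header contradicts it: line 8, visible as context, still reads `# Keystone token scoping and "default roles"/personas will still be enforced.` I would change that line to `# Only the "default roles"/personas are enforced by these rules; token scope is not checked here — use keystone_default_roles_scoped-policy.yaml to require system scope.` and add above `# Role Rules` the line `# NOTE: role:admin on any project is treated as a deployment-wide admin; role:reader on any project satisfies the *-global read rules.` The header's `enforce_scope ... must be True` requirement (outside the hunk) should be re-checked as well, since if the in-code policies still declare system-only scope_types, enforce_scope=True would reject the project-scoped tokens this file is meant to admit — that depends on code not in this patch.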
@@ -0,0 +1,37 @@ +# This policy YAML file will revert the Octavia API to follow the keystone +# "default role" RBAC policies. +# +# The [oslo_policy] enforce_scope and enforce_new_defaults must be True. +# +# Users will not be required to be a member of the load-balancer_* roles +# to take action on Octavia resources. +# Keystone token scoping and "default roles"/personas will still be enforced. + +# Role Rules +"system_admin": "role:admin and system_scope:all" +"system_reader": "role:reader and system_scope:all" +"project_reader": "role:reader and project_id:%(project_id)s" +"project_member": "role:member and project_id:%(project_id)s" + +"context_is_admin": "role:admin and system_scope:all" + +# API Rules +"load-balancer:admin": "is_admin:True or + rule:system_admin or + role:load-balancer_admin" + +"load-balancer:read": "is_admin:True or + rule:system_reader or + rule:project_reader" + +"load-balancer:read-global": "is_admin:True or rule:system_reader" + +"load-balancer:write": "is_admin:True or rule:project_member" + +"load-balancer:read-quota": "is_admin:True or + rule:system_reader or + rule:project_reader" + +"load-balancer:read-quota-global": "is_admin:True or rule:system_reader" + +"load-balancer:write-quota": "is_admin:True"
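Review bot: The new file is a byte-for-byte copy of the previous keystone_default_roles-policy.yaml (the index line shows the same blob 61d7bb857d), so its header does not say how it differs from the non-scoped variant, and the two files will silently drift apart when the API rules change. I would extend the header with `# System-scoped variant of keystone_default_roles-policy.yaml: the admin/reader personas are honoured only on system-scoped tokens; keep the "API Rules" section in sync with that file.` The `role:load-balancer_admin` disjunct in `load-balancer:admin` also deserves a one-line comment, since the header says users are not required to hold load-balancer_* roles: `# load-balancer_admin is still accepted in addition to the system admin persona` — the reason it is kept (presumably legacy-role compatibility) is not stated in this hunk, so word it as a fact only if that is confirmed.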