Move system scoped secure-RBAC to separate file

This patch moves the system scope configuration in the policy override example files out to a separate override file. This way the new default roles can be enabled independently of system scoped tokens. This helps us align to the changes in the secure-RBAC spec[1].

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Change-Id: I1b41780f3ca84ceca563d668ae8bb40011a60bf4
(cherry picked from commit 5ab6e3d30f)
(cherry picked from commit c8dd836e9c)
Michael Johnson 2022-07-15 23:39:09 +00:00 committed by Gregory Thiemonge
parent 3236435a2c
commit 11b9d8ae76
4 changed files with 60 additions and 3 deletions


@ -92,11 +92,19 @@ requirement. Please see the README.rst in that directory for more information.
This policy will honor the following `Keystone Default Roles`_ in the Octavia This policy will honor the following `Keystone Default Roles`_ in the Octavia
API: API:
* Admin
* Project scoped - Reader
* Project scoped - Member
In addition, there is an alternate policy file that enables system scoped
tokens checking called keystone_default_roles_scoped-policy.yaml.
* System scoped - Admin * System scoped - Admin
* System scoped - Reader * System scoped - Reader
* Project scoped - Reader * Project scoped - Reader
* Project scoped - Member * Project scoped - Member
Managing Octavia User Roles Managing Octavia User Roles
--------------------------- ---------------------------
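Review bot: the added sentence "enables system scoped tokens checking" is awkward and leaves out what the scoped file requires; suggest "enables checking of system-scoped tokens" and, since the new keystone_default_roles_scoped-policy.yaml states that [oslo_policy] enforce_scope and enforce_new_defaults must be True, repeat that requirement here so an operator does not point oslo.policy at the scoped override without it. The first bullet list could also read "Admin (any scope)" rather than bare "Admin", which makes the contrast with the scoped list below it visible.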


@ -22,6 +22,18 @@ have one of the load-balancer:* roles.
This policy will honor the following Keystone default roles in the Octavia API: This policy will honor the following Keystone default roles in the Octavia API:
* Admin
* Project scoped - Reader
* Project scoped - Member
keystone_default_roles_scoped-policy.yaml
----------------------------------
This policy file disables the requirement for load-balancer service users to
have one of the load-balancer:* roles.
This policy will honor the following Keystone default roles and scopes in the
Octavia API:
* System scoped - Admin * System scoped - Admin
* System scoped - Reader * System scoped - Reader
* Project scoped - Reader * Project scoped - Reader
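Review bot: the underline added beneath the new "keystone_default_roles_scoped-policy.yaml" section title is shorter than the title text, which in reStructuredText triggers the "Title underline too short" warning; extend the dashes to at least the title length. The trailing context of this hunk ends at "Project scoped - Reader"; if the following line is not "Project scoped - Member", add it, since the scoped file defines project_member and its "load-balancer:write" rule depends on rule:project_member.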


@ -8,12 +8,12 @@
# Keystone token scoping and "default roles"/personas will still be enforced. # Keystone token scoping and "default roles"/personas will still be enforced.
# Role Rules # Role Rules
"system_admin": "role:admin and system_scope:all" "system_admin": "role:admin"
"system_reader": "role:reader and system_scope:all" "system_reader": "role:reader"
"project_reader": "role:reader and project_id:%(project_id)s" "project_reader": "role:reader and project_id:%(project_id)s"
"project_member": "role:member and project_id:%(project_id)s" "project_member": "role:member and project_id:%(project_id)s"
"context_is_admin": "role:admin and system_scope:all" "context_is_admin": "role:admin"
# API Rules # API Rules
"load-balancer:admin": "is_admin:True or "load-balancer:admin": "is_admin:True or
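Review bot: dropping "and system_scope:all" from system_admin, system_reader and context_is_admin leaves the rule names misleading and makes the unchanged header comment ("Keystone token scoping ... will still be enforced") wrong for this file: with these rules a project-scoped token carrying role:admin satisfies rule:system_admin and therefore "load-balancer:admin". Either rename the rules to reflect that scope is no longer checked, or at minimum rewrite the header comment to say this file does not enforce scope and that the scope-enforcing variant is keystone_default_roles_scoped-policy.yaml.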


@ -0,0 +1,37 @@
# This policy YAML file will revert the Octavia API to follow the keystone
# "default role" RBAC policies.
#
# The [oslo_policy] enforce_scope and enforce_new_defaults must be True.
#
# Users will not be required to be a member of the load-balancer_* roles
# to take action on Octavia resources.
# Keystone token scoping and "default roles"/personas will still be enforced.
# Role Rules
"system_admin": "role:admin and system_scope:all"
"system_reader": "role:reader and system_scope:all"
"project_reader": "role:reader and project_id:%(project_id)s"
"project_member": "role:member and project_id:%(project_id)s"
"context_is_admin": "role:admin and system_scope:all"
# API Rules
"load-balancer:admin": "is_admin:True or
rule:system_admin or
role:load-balancer_admin"
"load-balancer:read": "is_admin:True or
rule:system_reader or
rule:project_reader"
"load-balancer:read-global": "is_admin:True or rule:system_reader"
"load-balancer:write": "is_admin:True or rule:project_member"
"load-balancer:read-quota": "is_admin:True or
rule:system_reader or
rule:project_reader"
"load-balancer:read-quota-global": "is_admin:True or rule:system_reader"
"load-balancer:write-quota": "is_admin:True"
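Review bot: the write rules are inconsistent with the admin and read rules in this file: "load-balancer:admin" and the read rules name rule:system_admin / rule:system_reader explicitly, but "load-balancer:write" is "is_admin:True or rule:project_member" and "load-balancer:write-quota" is just "is_admin:True", so a system-scoped admin only gets write access through whatever sets is_admin:True (presumably the context_is_admin rule defined above). Either add "rule:system_admin" to both write rules or add a comment stating that is_admin:True is derived from context_is_admin, so the dependency is explicit to anyone who edits this override later.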