octavia/doc/source/configuration/policy.rst
Ghanshyam Mann c5e59b5e9e [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
format from JSON to YAML[1], we need to do two things:

1. Change the default value of the '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

[1]https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I8b78c7b640ab18ddfc809cb4603decc739d494d1
2021-03-10 22:09:35 -06:00


Octavia Policies

Warning

The JSON-formatted policy file is deprecated since Octavia 8.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Octavia Advanced Role Based Access Control (RBAC)

Octavia adopted the "Advanced Role Based Access Control (RBAC)" default policies in the Pike release of OpenStack. This provides a fine-grained default access control policy for the Octavia service.

The Octavia Advanced RBAC goes beyond the OpenStack legacy RBAC policy of allowing "owners and admins" full access to all services. It also provides a more fine-grained RBAC policy than the newer Keystone Default Roles.

The default policy is to not allow access unless the auth_strategy is 'noauth'.

Users must be a member of one of the following roles to have access to the load-balancer API:

role:load-balancer_observer

User has access to load-balancer read-only APIs.

role:load-balancer_global_observer

User has access to load-balancer read-only APIs including resources owned by others.

role:load-balancer_member

User has access to load-balancer read and write APIs.

role:load-balancer_quota_admin

User is considered an admin for quota APIs only.

role:load-balancer_admin

User is considered an admin for all load-balancer APIs including resources owned by others.

role:admin and system_scope:all

User is admin to all service APIs, including Octavia.

Note

'is_admin:True' is a policy rule that takes into account the auth_strategy == noauth configuration setting. It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}' if that would be valid syntax.

These roles are in addition to the Keystone Default Roles:

  • role:reader
  • role:member

In addition, the Octavia API supports Keystone scoped tokens. When enabled in Oslo Policy, users will need to present a token scoped to either the "system" or a specific "project". See the section Upgrade Considerations for more information.

See the section Managing Octavia User Roles for examples and advice on how to apply these RBAC policies in production.

Legacy Admin or Owner Policy Override File

An alternate policy file has been provided in octavia/etc/policy called admin_or_owner-policy.yaml that removes the load-balancer RBAC role requirement. Please see the README.rst in that directory for more information.

This drops the role requirements and allows access to any user with the "admin" role, or to any member of the project that created the resource. All users then have access to the Octavia API to create and manage load balancers under their own project.

OpenStack Default Roles Policy Override File

An alternate policy file has been provided in octavia/etc/policy called keystone_default_roles-policy.yaml that removes the load-balancer RBAC role requirement. Please see the README.rst in that directory for more information.

This policy will honor the following Keystone Default Roles in the Octavia API:

  • System scoped - Admin
  • System scoped - Reader
  • Project scoped - Reader
  • Project scoped - Member

Managing Octavia User Roles

User and group roles are managed through the Keystone (identity) project.

A role can be added to a user with the following command:

openstack role add --project <project name or id> --user <user name or id> <role>

An example where user "jane", in the "engineering" project, gets a new role "load-balancer_member":

openstack role add --project engineering --user jane load-balancer_member

Keystone Group Roles

Roles can also be assigned to Keystone groups. This can simplify the management of user roles greatly.

For example, your cloud may have a "users" group defined in Keystone that contains all of the regular users of your cloud. If you want all of your users to have access to the load balancing service Octavia, you could add the "load-balancer_member" role to the "users" group:

openstack role add --domain default --group users load-balancer_member

Upgrade Considerations

Starting with the Wallaby release of Octavia, Keystone token scopes and default roles can be enforced. By default, in the Wallaby release, Oslo Policy will not be enforcing these new roles and scopes. However, at some point in the future they may become the default. You may want to enable them now to be ready for the later transition. This section will describe those settings.

The Oslo Policy project defines two configuration settings, among others, that can be set in the Octavia configuration file to influence how policies are handled in the Octavia API. Those two settings are enforce_scope and enforce_new_defaults.

[oslo_policy] enforce_scope

Keystone has introduced the concept of token scopes. Currently, Oslo Policy defaults to not enforce the scope validation of a token for backward compatibility reasons.

The Octavia API supports enforcing the Keystone token scopes as of the Wallaby release. If you are ready to start enforcing the Keystone token scope in the Octavia API you can add the following setting to your Octavia API configuration file:

[oslo_policy]
enforce_scope = True

Currently the primary effect of this setting is to allow a system scoped admin token when performing administrative API calls to the Octavia API. It will also allow system scoped reader tokens to have the equivalent of the load-balancer_global_observer role.

The Octavia API already enforces the project scoping in Keystone tokens.

[oslo_policy] enforce_new_defaults

The Octavia Wallaby release added support for Keystone Default Roles in the default policies. The previous Octavia Advanced RBAC policies have now been deprecated in favor of the new policies requiring one of the new Keystone Default Roles. Currently, Oslo Policy defaults to using the deprecated policies that do not require the new Keystone Default Roles for backward compatibility.

The Octavia API supports requiring these new Keystone Default Roles as of the Wallaby release. If you are ready to start requiring these roles you can enable the new policies by adding the following setting to your Octavia API configuration file:

[oslo_policy]
enforce_new_defaults = True

When the new default policies are enabled in the Octavia API, users with the load-balancer_observer role will also require the Keystone default role of "role:reader". Users with the load-balancer_member role will also require the Keystone default role of "role:member".

Sample File Generation

To generate a sample policy.yaml file from the Octavia defaults, run the oslo policy generation script:

oslopolicy-sample-generator \
  --config-file etc/policy/octavia-policy-generator.conf \
  --output-file policy.yaml.sample

Merged File Generation

This will output a policy file which includes all registered policy defaults and all policies configured with a policy file. This file shows the effective policy in use by the project:

oslopolicy-policy-generator \
  --config-file etc/policy/octavia-policy-generator.conf

This tool uses the output_file path from the config-file.

List Redundant Configurations

This will output a list of matches for policy rules that are defined in a configuration file where the rule does not differ from a registered default rule. These are rules that can be removed from the policy file with no change in effective policy:

oslopolicy-list-redundant \
  --config-file etc/policy/octavia-policy-generator.conf

Default Octavia Policies - API Effective Rules

This section lists the RBAC rules the Octavia API uses, each followed by the roles that are allowed access under that rule.

Without enforce_scope and enforce_new_defaults:

  • load-balancer:read
    • load-balancer_admin
    • load-balancer_global_observer
    • load-balancer_member and <project member>
    • load-balancer_observer and <project member>
    • role:admin
  • load-balancer:read-global
    • load-balancer_admin
    • load-balancer_global_observer
    • role:admin
  • load-balancer:write
    • load-balancer_admin
    • load-balancer_member and <project member>
    • role:admin
  • load-balancer:read-quota
    • load-balancer_admin
    • load-balancer_global_observer
    • load-balancer_member and <project member>
    • load-balancer_observer and <project member>
    • load-balancer_quota_admin
    • role:admin
  • load-balancer:read-quota-global
    • load-balancer_admin
    • load-balancer_global_observer
    • load-balancer_quota_admin
    • role:admin
  • load-balancer:write-quota
    • load-balancer_admin
    • load-balancer_quota_admin
    • role:admin

With enforce_scope and enforce_new_defaults:

  • load-balancer:read
    • load-balancer_admin
    • load-balancer_global_observer
    • load-balancer_member and <project member> and role:member
    • load-balancer_observer and <project member> and role:reader
    • role:admin and system_scope:all
    • role:reader and system_scope:all
  • load-balancer:read-global
    • load-balancer_admin
    • load-balancer_global_observer
    • role:admin and system_scope:all
    • role:reader and system_scope:all
  • load-balancer:write
    • load-balancer_admin
    • load-balancer_member and <project member> and role:member
    • role:admin and system_scope:all
  • load-balancer:read-quota
    • load-balancer_admin
    • load-balancer_global_observer
    • load-balancer_member and <project member> and role:member
    • load-balancer_observer and <project member> and role:reader
    • load-balancer_quota_admin
    • role:admin and system_scope:all
    • role:reader and system_scope:all
  • load-balancer:read-quota-global
    • load-balancer_admin
    • load-balancer_global_observer
    • load-balancer_quota_admin
    • role:admin and system_scope:all
    • role:reader and system_scope:all
  • load-balancer:write-quota
    • load-balancer_admin
    • load-balancer_quota_admin
    • role:admin and system_scope:all
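The following Python script is an added example, not part of this document and not Octavia's or oslo.policy's own code. It implements a small evaluator for oslo.policy-style rule strings (`role:`, `rule:`, attribute checks such as `project_id:%(project_id)s` and `system_scope:all`, `and`, `or`, parentheses) and a constructed rule set that reproduces the two tables above, so the effect of the enforce_scope and enforce_new_defaults settings from the Upgrade Considerations section on a given set of roles can be checked offline. The rule strings, the rule names `load-balancer:owner`, `load-balancer:observer_and_owner` and `load-balancer:member_and_owner`, the project name "engineering" and the helper `allowed()` are all constructed for this example and are not Octavia's registered defaults; the `is_admin:True` / noauth rule from the note above is not modelled.

```python
"""Added example: a toy evaluator for oslo.policy-style rule strings (not oslo.policy).
The rule set below is constructed to reproduce this document's two tables; it is not
Octavia's registered default policy."""
import re

# One token is '(', ')' or a check such as role:admin or project_id:%(project_id)s;
# the %(...)s substitution must survive as one token despite its parentheses.
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)|[^\s()])+")


class _Parser:
    def __init__(self, expr):
        self.toks = _TOKEN.findall(expr) + [None]   # None marks end of input
        self.pos = 0

    def expr(self):                       # expr := term ('or' term)*
        node = self.term()
        while self.toks[self.pos] == "or":
            self.pos += 1
            node = ("or", node, self.term())
        return node

    def term(self):                       # term := check ('and' check)*  ('and' binds tighter)
        node = self.check()
        while self.toks[self.pos] == "and":
            self.pos += 1
            node = ("and", node, self.check())
        return node

    def check(self):                      # check := '(' expr ')' | kind:value
        tok = self.toks[self.pos]
        self.pos += 1
        if tok == "(":
            node = self.expr()
            if self.toks[self.pos] != ")":
                raise ValueError("unbalanced parentheses")
            self.pos += 1
            return node
        if tok is None or ":" not in tok:
            raise ValueError("bad check: %r" % tok)
        kind, _, value = tok.partition(":")   # 'rule:load-balancer:read' -> ('rule', 'load-balancer:read')
        return ("check", kind, value)


def evaluate(rules, name, creds, target):
    """True if rule `name` admits `creds` acting on `target`; unknown rules deny."""
    expr = rules.get(name)
    if expr is None:
        return False
    if not expr.strip():                  # oslo.policy: an empty rule always passes
        return True
    parser = _Parser(expr)
    node = parser.expr()
    if parser.toks[parser.pos] is not None:
        raise ValueError("trailing tokens in %r: %r" % (name, parser.toks[parser.pos:-1]))
    return _eval(node, rules, creds, target)


def _eval(node, rules, creds, target):
    ev = lambda n: _eval(n, rules, creds, target)
    op = node[0]
    if op in ("and", "or"):
        return ev(node[1]) and ev(node[2]) if op == "and" else ev(node[1]) or ev(node[2])
    _, kind, value = node
    if kind == "rule":
        return evaluate(rules, value, creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    # Generic attribute check (project_id:%(project_id)s, system_scope:all): substitute
    # target attributes into the literal, then compare with the credential attribute.
    expected = value % target if "%(" in value else value
    actual = creds.get(kind)
    return actual is not None and str(actual) == expected


def octavia_like_rules(new_defaults):
    """Constructed rule strings matching this document's two tables (not Octavia's)."""
    scope = " and system_scope:all" if new_defaults else ""
    sys_reader = " or role:reader and system_scope:all" if new_defaults else ""
    observer = "role:load-balancer_observer" + (" and role:reader" if new_defaults else "")
    member = "role:load-balancer_member" + (" and role:member" if new_defaults else "")
    return {
        "load-balancer:owner": "project_id:%(project_id)s",
        "load-balancer:admin": "role:load-balancer_admin or role:admin" + scope,
        "load-balancer:observer_and_owner": observer + " and rule:load-balancer:owner",
        "load-balancer:member_and_owner": member + " and rule:load-balancer:owner",
        "load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:member_and_owner"
                              " or role:load-balancer_global_observer or rule:load-balancer:admin" + sys_reader,
        "load-balancer:read-global": "role:load-balancer_global_observer or rule:load-balancer:admin" + sys_reader,
        "load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin",
        "load-balancer:read-quota": "rule:load-balancer:read or role:load-balancer_quota_admin",
        "load-balancer:read-quota-global": "rule:load-balancer:read-global or role:load-balancer_quota_admin",
        "load-balancer:write-quota": "rule:load-balancer:admin or role:load-balancer_quota_admin",
    }


def allowed(rule, roles, new_defaults=False, project_id=None, system_scope=None):
    """Decide `rule` for a token holding `roles`, scoped to `project_id` or to the system,
    acting on a resource owned by the constructed project 'engineering'."""
    creds = {"roles": list(roles), "project_id": project_id, "system_scope": system_scope}
    return evaluate(octavia_like_rules(new_defaults), rule, creds, {"project_id": "engineering"})
```

Calling `allowed("load-balancer:read", ["load-balancer_observer"], project_id="engineering")` returns True under the legacy table, while the same call with `new_defaults=True` returns False until "reader" is added to the roles, which is exactly the extra Keystone Default Role requirement described under enforce_new_defaults. A project-scoped "admin" token passes `load-balancer:write` under the legacy rules but not under the new ones, where `role:admin` only counts together with `system_scope:all`. For a real deployment, check the generated policy file itself with the oslopolicy-checker command that ships with oslo.policy rather than with this toy evaluator.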

Default Octavia Policies - Generated From The Octavia Code

_static/octavia.policy.yaml.sample