Add more usage documentation

The documentation was a bit too dry. Take some information from mikal's blogposts and expose them in the user doc section. Change-Id: I93a91c12e78c5d56913b0953c5a9cfa16e45a265
2019-04-04 15:29:47 +02:00 · 2019-04-04 15:29:47 +02:00 · 6c3a6e27a6
commit 6c3a6e27a6
parent d84c76108b
2 changed files with 109 additions and 5 deletions
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@ -2,7 +2,16 @@
 oslo.privsep
 ==============
-OpenStack library for privilege separation
+oslo.privsep is an OpenStack library for privilege separation.
 It helps applications perform actions which require more or less
 privileges than they were started with in a safe, easy to code
 and easy to use manner. For more information on why this is generally
 a good idea please read over the `principle of least privilege`_ and
 the `specification`_ which created this library.
 .. _principle of least privilege: https://en.wikipedia.org/wiki/Principle_of_least_privilege
 .. _specification: https://specs.openstack.org/openstack/oslo-specs/specs/liberty/privsep.html
 Contents
 ========
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@ -2,14 +2,109 @@
 Usage
 =======
-To use oslo.privsep in a project::
+oslo.privsep lets you define in your code specific functions that will run
 in predefined privilege contexts. This lets you run functions with more (or
 less) privileges than the rest of the code. Privsep functions live in a
 specific ``privsep`` submodule (for example, ``nova.privsep`` for nova).
-    import oslo_privsep
+Defining a context
 ==================
-You can read the following blog posts in order to know a bit more:
+Contexts are defined in the ``privsep/__init__.py`` file. For example, this
 defines a sys_admin_pctxt with ``CAP_CHOWN``, ``CAP_DAC_OVERRIDE``,
 ``CAP_DAC_READ_SEARCH``, ``CAP_FOWNER``, ``CAP_NET_ADMIN``, and
 ``CAP_SYS_ADMIN`` rights (equivalent to ``sudo`` rights)::
  from oslo_privsep import capabilities
  from oslo_privsep import priv_context
  sys_admin_pctxt = priv_context.PrivContext(
      'nova',
      cfg_section='nova_sys_admin',
      pypath=__name__ + '.sys_admin_pctxt',
      capabilities=[capabilities.CAP_CHOWN,
                    capabilities.CAP_DAC_OVERRIDE,
                    capabilities.CAP_DAC_READ_SEARCH,
                    capabilities.CAP_FOWNER,
                    capabilities.CAP_NET_ADMIN,
                    capabilities.CAP_SYS_ADMIN],
  )
 Defining a privileged function
 ==============================
 Functions are defined in files under the ``privsep/`` subdirectory, for
 example in a ``privsep/motd.py`` file for functions touching the MOTD file.
 They make use of a decorator pointing to the context we defined above::
  import nova.privsep
  @nova.privsep.sys_admin_pctxt.entrypoint
  def update_motd(message):
      with open('/etc/motd', 'w') as f:
          f.write(message)
 Privileged functions must be as simple, specialized and narrow as possible,
 so as to prevent further escalation. In this example, ``update_motd(message)``
 is narrow: it only allows the service to overwrite the MOTD file. If a more
 generic ``update_file(filename, content)`` was created, it could be used to
 overwrite any file in the filesystem, allowing easy escalation to root
 rights. That would defeat the whole purpose of oslo.privsep.
 Using a privileged function
 ===========================
 To use the privileged function in the regular code, you can just call it::
  import nova.privsep.motd
  ...
  nova.privsep.motd.update_motd('This node is currently idle')
 It is better to import the complete path (``import nova.privsep.motd``) rather
 than the motd name (``from nova.privsep import motd``) so that it is easier to
 spot that the function runs in a different privileged context.
 For more details, you can read the following blog post:
 * `How to make a privileged call with oslo privsep`_
 * `Adding oslo privsep to a new project, a worked example`_
 .. _How to make a privileged call with oslo privsep: https://www.madebymikal.com/how-to-make-a-privileged-call-with-oslo-privsep/
 Converting from rootwrap to privsep
 ===================================
 oslo.rootwrap is a precursor of oslo.privsep to allow code to run commands
 under sudo if they match a predefined filter. For example, you could define
 a filter that would allow you to run chmod as root using the following
 filter::
  chmod: CommandFilter, chmod, root
 Beyond the bad performance of calling full commands in order to accomplish
 simple tasks, rootwrap also led to bad security: it was difficult to filter
 commands in a way that would not easily allow privilege escalation.
 Replacing rootwrap filters with privsep functions is easy. The chmod filter
 above can be replaced with a function that calls ``os.chmod()``. However a
 straight 1:1 filter:function replacement generally results in functions that
 are still too broad for good security. It is better to replace each chmod
 rootwrap *call* with a narrow privsep function that will limit it to specific
 files.
 Sometimes it is necessary to refactor the calling code: the rootwrap design
 discouraged the creation of new filters and therefore often resulted in the
 creation of overly-broad calling functions.
 As an example, this `patch series`_ is work-in-progress to transition Nova
 from rootwrap to privsep.
 For more details, you can read the following blog post:
 * `Adding oslo privsep to a new project, a worked example`_
 .. _patch series: https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:my-own-personal-alternative-universe
 .. _Adding oslo privsep to a new project, a worked example: https://www.madebymikal.com/adding-oslo-privsep-to-a-new-project-a-worked-example/