Allow configuring secure RBAC in glance

Adding new parameter GlanceEnforceSecureRbac to support for project persona of secure RBAC. To make the secure RBAC work, 'oslo_policy/enforce_new_defaults' is also required to be enabled with 'enforce_secure_rbac' in glance. Depends-On: I1db7fa2694bc9a448a47e435cfd95264504086c6 Partially Implements: blueprint secure-rbac Change-Id: I312f9255adbaec270d4e3379e9f8c8fdf716c190
2021-03-29 09:50:19 +00:00 · 2021-03-29 09:50:19 +00:00 · 9193090b13
commit 9193090b13
parent 5670359777
2 changed files with 23 additions and 0 deletions
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@ -193,6 +193,17 @@ parameters:
    description: >
      When using GlanceBackend 'file' and 'rbd' to enable or not sparse upload.
    type: boolean
+  EnforceSecureRbac:
+    type: boolean
+    default: false
+    description: >-
+      Setting this option to True will configure each OpenStack service to
+      enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
+      `[oslo_policy] enforce_scope` to True. This introduces a consistent set
+      of RBAC personas across OpenStack services that include support for
+      system and project scope, as well as keystone's default roles, admin,
+      member, and reader. Do not enable this functionality until all services in
+      your deployment actually support secure RBAC.
  KeystoneRegion:
    type: string
    default: 'regionOne'
@ -574,6 +585,10 @@ outputs:
          - if:
            - glance_workers_set
            - glance::api::workers: {get_param: GlanceWorkers}
+          - if:
+            - {get_param: EnforceSecureRbac}
+            - glance::api::enforce_secure_rbac: true
+              glance::policy::enforce_new_defaults: true
          - if:
            - cinder_backend_enabled
            - glance::backend::cinder::cinder_store_auth_address: {get_param: [EndpointMap, KeystoneV3Internal, uri]}
--- a/releasenotes/notes/enable_secure_rbac_support_for_glance-167d53c491cd326c.yaml
+++ b/releasenotes/notes/enable_secure_rbac_support_for_glance-167d53c491cd326c.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    The new parameter ``EnforceSecureRbac`` has been added to
+    enforce authorization based on common RBAC personas.
+    Currently in glance the support is only available for project-admin,
+    project-member and project-reader personas and system personas
+    will come in a later release.