Browse Source

Merge "Enable policy rule management in nova-compute"

changes/59/824459/5
Zuul 4 months ago committed by Gerrit Code Review
parent
commit
de62d2df65
  1. 89
      deployment/nova/nova-api-container-puppet.yaml
  2. 89
      deployment/nova/nova-base-puppet.yaml

89
deployment/nova/nova-api-container-puppet.yaml

@ -59,17 +59,6 @@ parameters:
default: 0
description: Number of workers for Nova services.
type: number
EnforceSecureRbac:
type: boolean
default: false
description: >-
Setting this option to True will configure each OpenStack service to
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
of RBAC personas across OpenStack services that include support for
system and project scope, as well as keystone's default roles, admin,
member, and reader. Do not enable this functionality until all services in
your deployment actually support secure RBAC.
KeystoneRegion:
type: string
default: 'regionOne'
@ -95,12 +84,6 @@ parameters:
default: 'public'
description: Default pool for floating IP addresses
type: string
NovaApiPolicies:
description: |
A hash of policies to configure for Nova API.
e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
NovaAllowResizeToSameHost:
default: false
description: Allow destination machine to match source for resize.
@ -247,46 +230,6 @@ parameters:
description: |
Use the advanced (eventlet safe) memcached client pool.
default: true
NovaRestrictLiveMigration:
type: boolean
description: |
Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
api policy to the NovaLiveMigrationRole role. This can be used to
disallow the default admin role use live migration.
Additional policies specified using NovaApiPolicies get merged with this
policy.
default: false
NovaRestrictLiveMigrationRole:
description: |
Name of the user role which gets set to limit live migration when
NovaRestrictLiveMigration is enabled.
default: 'live-migration'
type: string
NovaShowHostStatus:
type: string
description: |
Allow overriding API policies to access the compute host status in the
requested Nova server details. The default value 'hidden' allows only admins to
access it. Setting it to 'all' ('unknown-only') without additional fine-grained
tuning of NovaApiHostStatusPolicy shows the full (limited) host_status
to the system/project readers.
default: 'hidden'
constraints:
- allowed_values: ['all', 'unknown-only', 'hidden']
NovaApiHostStatusPolicy:
description: |
A custom API policy for os_compute_api:servers:show:host_status and
os_compute_api:servers:show:host_status:unknown-only.
These rules, or roles, replace the admins-only policies based on the given
NovaShowHostStatus: 'unknown-only' shows the limited host status UNKNOWN
whenever a heartbeat was not received within the configured threshold, and
'all' also reveals UP, DOWN, or MAINTENANCE statuses in the Nova server
details. NovaShowHostStatus 'hidden' puts it back being visible only for admins.
Additional policies specified using NovaApiPolicies get merged with this
policy.
# TODO(bogdando): use rule:system_or_project_reader once tripleo enforces scopes
default: 'role:reader'
type: string
parameter_groups:
- label: deprecated
@ -425,36 +368,6 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
nova::policy::purge_config: true
nova::policy::policies:
map_merge:
- {get_param: NovaApiPolicies}
- if:
- {get_param: NovaRestrictLiveMigration}
- limit_live_migration:
key: 'os_compute_api:os-migrate-server:migrate_live'
value:
str_replace:
template: 'role:LMROLENAME'
params:
LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
- {}
- if:
- equals:
- {get_param: NovaShowHostStatus}
- 'all'
- nova-host_status:
key: 'os_compute_api:servers:show:host_status'
value: {get_param: NovaApiHostStatusPolicy}
- {}
- if:
- equals:
- {get_param: NovaShowHostStatus}
- 'unknown-only'
- nova-host_status_unknown_only:
key: 'os_compute_api:servers:show:host_status:unknown-only'
value: {get_param: NovaApiHostStatusPolicy}
- {}
nova::api::allow_resize_to_same_host: {get_param: NovaAllowResizeToSameHost}
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
nova::cron::purge_shadow_tables::minute: {get_param: NovaCronPurgeShadowTablesMinute}
@ -483,8 +396,6 @@ outputs:
nova::cron::archive_deleted_rows::all_cells: {get_param: NovaCronArchiveDeleteAllCells}
nova::cron::archive_deleted_rows::age: {get_param: NovaCronArchiveDeleteRowsAge}
nova::cron::archive_deleted_rows::task_log: {get_param: NovaCronArchiveDeleteRowsTaskLog}
nova::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
nova::policy::enforce_scope: {get_param: EnforceSecureRbac}
- if:
- nova_workers_set
- nova::api::osapi_compute_workers: {get_param: NovaWorkers}

89
deployment/nova/nova-base-puppet.yaml

@ -78,6 +78,63 @@ parameters:
type: string
description: Nova Compute upgrade level
default: ''
NovaApiPolicies:
description: |
A hash of policies to configure for Nova API.
e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
EnforceSecureRbac:
type: boolean
default: false
description: >-
Setting this option to True will configure each OpenStack service to
enforce Secure RBAC by setting `[oslo_policy] enforce_new_defaults` and
`[oslo_policy] enforce_scope` to True. This introduces a consistent set
of RBAC personas across OpenStack services that include support for
system and project scope, as well as keystone's default roles, admin,
member, and reader. Do not enable this functionality until all services in
your deployment actually support secure RBAC.
NovaRestrictLiveMigration:
type: boolean
description: |
Restrict live migration by limit access to 'os_compute_api:os-migrate-server:migrate_live'
api policy to the NovaLiveMigrationRole role. This can be used to
disallow the default admin role use live migration.
Additional policies specified using NovaApiPolicies get merged with this
policy.
default: false
NovaRestrictLiveMigrationRole:
description: |
Name of the user role which gets set to limit live migration when
NovaRestrictLiveMigration is enabled.
default: 'live-migration'
type: string
NovaShowHostStatus:
type: string
description: |
Allow overriding API policies to access the compute host status in the
requested Nova server details. The default value 'hidden' allows only admins to
access it. Setting it to 'all' ('unknown-only') without additional fine-grained
tuning of NovaApiHostStatusPolicy shows the full (limited) host_status
to the system/project readers.
default: 'hidden'
constraints:
- allowed_values: ['all', 'unknown-only', 'hidden']
NovaApiHostStatusPolicy:
description: |
A custom API policy for os_compute_api:servers:show:host_status and
os_compute_api:servers:show:host_status:unknown-only.
These rules, or roles, replace the admins-only policies based on the given
NovaShowHostStatus: 'unknown-only' shows the limited host status UNKNOWN
whenever a heartbeat was not received within the configured threshold, and
'all' also reveals UP, DOWN, or MAINTENANCE statuses in the Nova server
details. NovaShowHostStatus 'hidden' puts it back being visible only for admins.
Additional policies specified using NovaApiPolicies get merged with this
policy.
# TODO(bogdando): use rule:system_or_project_reader once tripleo enforces scopes
default: 'role:reader'
type: string
NovaOVSDBConnection:
type: string
description: OVS DB connection string to used by Nova
@ -203,6 +260,38 @@ outputs:
if:
- compute_upgrade_level_set
- {get_param: UpgradeLevelNovaCompute}
nova::policy::enforce_new_defaults: {get_param: EnforceSecureRbac}
nova::policy::enforce_scope: {get_param: EnforceSecureRbac}
nova::policy::purge_config: true
nova::policy::policies:
map_merge:
- {get_param: NovaApiPolicies}
- if:
- {get_param: NovaRestrictLiveMigration}
- limit_live_migration:
key: 'os_compute_api:os-migrate-server:migrate_live'
value:
str_replace:
template: 'role:LMROLENAME'
params:
LMROLENAME: {get_param: NovaRestrictLiveMigrationRole}
- {}
- if:
- equals:
- {get_param: NovaShowHostStatus}
- 'all'
- nova-host_status:
key: 'os_compute_api:servers:show:host_status'
value: {get_param: NovaApiHostStatusPolicy}
- {}
- if:
- equals:
- {get_param: NovaShowHostStatus}
- 'unknown-only'
- nova-host_status_unknown_only:
key: 'os_compute_api:servers:show:host_status:unknown-only'
value: {get_param: NovaApiHostStatusPolicy}
- {}
- get_attr: [RoleParametersValue, value]
service_config_settings:
rabbitmq:

Loading…
Cancel
Save