26 Commits

Author SHA1 Message Date
Zuul
b9454b4363 Merge "Update project personas policies in custom neutron policy" 2021-11-25 01:38:41 +00:00
Zuul
ad7d839edd Merge "Implement project personas in custom barbican policy file" 2021-11-16 18:36:39 +00:00
Slawek Kaplonski
1f79df6dab Update project personas policies in custom neutron policy
Neutron networks which are configured as external (router:external=True)
are visible for all projects so that attribute "router:external" should
be also visible for all networks for all users.
This patch changes that policy to make it visible always.

Closes-Bug: #1950478
Change-Id: I6dd96183384c269f77acc3bf3e90e6f2b8bdc7c7
2021-11-12 13:42:25 +01:00
Zuul
8e5e6a8281 Merge "Implement project personas in custom keystone policy file" 2021-11-04 02:34:16 +00:00
Lance Bragstad
839ddccdbd Implement project personas in custom barbican policy file
This commit updates the default barbican policies in enable-secure-rbac.yaml to
implement consistent support for project personas (project-admin,
project-member, and project-reader) with other OpenStack services. The
project-admin is still considered a system administrator.

This behavior will change in future releases (likely Yoga) when we have
a community wide goal to finish system-scope adoption. At that point, we
can remove these overrides and use the defaults in barbican, which is working
to adopt full support for system personas in Yoga, and we'll get more
functionality without these overrides.

Change-Id: Iadd24554727d9a5000c6842954fe1deede833a8e
2021-11-01 17:42:01 -05:00
Zuul
5a7abf2ea4 Merge "Implement project personas in custom neutron policy file" 2021-10-14 15:07:51 +00:00
Zuul
4eb32b4f64 Merge "Implement project personas in custom manila policy file" 2021-10-14 15:07:47 +00:00
Zuul
03a8a64e39 Merge "Use double quotes for string comparisons policies in glance" 2021-10-13 17:41:57 +00:00
Zuul
1d62ad289a Merge "Implement project personas in custom placement policy file" 2021-10-12 23:15:47 +00:00
Lance Bragstad
1cbd03a139 Use double quotes for string comparisons policies in glance
TripleO lays down policy check strings wrapped in single quotes, which
will break if we don't escape them. This commit updates the policies to
use double quotes so it's not an issue.

Otherwise, if you deploy this file in an environment glance will throw
500s with the following error:

  expected <block end>, but found '<scalar>'
  in "<unicode string>", line 22, column 110:
     ... or project_id:%(member_id)s or 'community':%(visibility)s or 'pu ...

Change-Id: I9315a1039246f3db10c3902583eb6ca51cffdba4
2021-10-12 20:33:47 +00:00
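The quoting failure described in the commit message above, shown in runnable form. This is an added example, not code from tripleo-heat-templates or glance: the sample check string, the rule name `get_image`, and the assumption that the deployment tool emits each rule as `"name": '<check string>'` are constructed for illustration. The parser is a minimal check of YAML single-quoted scalar syntax (the only escape inside such a scalar is `''`), not a full YAML parser; it reproduces the "expected <block end>" condition that PyYAML reports when the scalar closes early.

```python
"""Single-quoted string literals inside an oslo.policy check string break
the line once the whole check string is itself wrapped in single quotes.

Added example, not project code. The rule below is constructed; glance's
real check strings differ.
"""
import re

# Constructed sample: literals compared against attributes, written with
# single quotes as in the failing file.
SINGLE_QUOTED_RULE = (
    "project_id:%(owner)s or project_id:%(member_id)s "
    "or 'community':%(visibility)s or 'public':%(visibility)s"
)

# Matches a single-quoted literal that is immediately followed by ':'
# (the left-hand side of an oslo.policy comparison such as 'public':%(x)s).
LITERAL_RE = re.compile(r"'([^']*)'(?=:)")


def use_double_quoted_literals(check_str: str) -> str:
    """Rewrite 'literal':... comparisons to "literal":... (the commit's fix)."""
    return LITERAL_RE.sub(r'"\1"', check_str)


def render_unescaped(rule_name: str, check_str: str) -> str:
    """Emit a rule the way a tool that wraps check strings in single quotes
    without escaping would (assumption about the tool's output format)."""
    return f"\"{rule_name}\": '{check_str}'"


def render_escaped(rule_name: str, check_str: str) -> str:
    """The other possible fix: escape inner quotes as '' before wrapping."""
    return f"\"{rule_name}\": '{check_str.replace(chr(39), chr(39) * 2)}'"


def parse_single_quoted_value(line: str) -> str:
    """Parse the value of a `key: '...'` line as a YAML single-quoted scalar.

    Inside the scalar '' is a literal quote; the first unpaired quote closes
    the scalar, and anything but whitespace after it is a syntax error.
    """
    _, _, rest = line.partition(": ")
    if not rest.startswith("'"):
        raise ValueError("expected single-quoted scalar")
    i, out = 1, []
    while i < len(rest):
        ch = rest[i]
        if ch == "'":
            if rest[i + 1:i + 2] == "'":  # escaped quote
                out.append("'")
                i += 2
                continue
            trailing = rest[i + 1:].strip()
            if trailing:
                raise ValueError(
                    f"expected <block end>, but found '<scalar>': {trailing!r}")
            return "".join(out)
        out.append(ch)
        i += 1
    raise ValueError("unterminated single-quoted scalar")


def check_rendered(line: str):
    """Return (ok, parsed_value_or_error_message) for one rendered line."""
    try:
        return True, parse_single_quoted_value(line)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, line in (
        ("single-quoted literals", render_unescaped("get_image", SINGLE_QUOTED_RULE)),
        ("double-quoted literals", render_unescaped(
            "get_image", use_double_quoted_literals(SINGLE_QUOTED_RULE))),
        ("escaped single quotes", render_escaped("get_image", SINGLE_QUOTED_RULE)),
    ):
        ok, result = check_rendered(line)
        print(f"{label}: {'OK' if ok else 'ERROR'} -> {result}")
```

Running the block prints the failure for the original rule and a clean parse for both the double-quoted rewrite (what the commit chose, since the check string then needs no escaping at all) and the escaped form.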
Zuul
36d706d80d Merge "Implement project personas in custom cinder policy file" 2021-10-12 01:12:54 +00:00
Zuul
f8bb7ba772 Merge "Implement project personas in custom ironic policy file" 2021-10-09 09:18:29 +00:00
Lance Bragstad
3d2fec12b9 Implement project personas in custom cinder policy file
This commit updates the default cinder policies in
enable-secure-rbac.yaml to implement consistent support for project
personas (project-admin, project-member, and project-reader) with other
OpenStack services. The project-admin is still considered a system
administrator.

This behavior will change in future releases (likely Yoga) when we have
a community wide goal to finish system-scope adoption. At that point, we
can remove these overrides and use the defaults in cinder, which should
adhere to system and project personas and we'll get more functionality
without these overrides.

Change-Id: Ic8199cb3eaa23476157be0f3b69d2ee08f77f17b
2021-10-08 13:56:47 +00:00
Zuul
427a792746 Merge "Implement project personas in custom octavia policy file" 2021-10-07 18:15:41 +00:00
Lance Bragstad
2202412db3 Implement project personas in custom neutron policy file
This commit updates the default neutron policies in
enable-secure-rbac.yaml to implement consistent support for project
personas (project-admin, project-member, and project-reader) with other
OpenStack services. The project-admin is still considered a system
administrator.

This behavior will change in future releases (likely Yoga) when we have
a community wide goal to finish system-scope adoption. At that point, we
can remove these overrides and use the defaults in neutron, which adhere to
system and project personas and we'll get more functionality without these
overrides.

Change-Id: Ie2273adbdf0dda7947e570933aaca661aa8a67da
2021-10-07 14:12:55 +00:00
Lance Bragstad
433cc93755 Implement project personas in custom keystone policy file
This change implements all project personas (project-admin,
project-member, and project-reader) where project-admins are technically
considered system-administrators using policy overrides.

This file was modified by generating the default sample policy file in
keystone:

  $ oslopolicy-sample-generator --namespace keystone

Then, working through the file to remove any system-specific checks
(e.g., role:admin and system_scope:all). After that, I used the
convert_policy_yaml_to_heat_template.py tool to update the existing
enable-secure-rbac.yaml file, resulting in a diff of the original
defaults, hopefully making it easier for reviewers to see what exactly is
changing.

Change-Id: I3bddbb74dcaedf3f6c2f71ab826b2912b4bc7912
2021-10-07 14:09:35 +00:00
Zuul
23095855dd Merge "Add a note about how glance currently supports project personas" 2021-10-06 23:04:54 +00:00
Zuul
8c110aba8a Merge "Implement project personas in custom designate policy file" 2021-10-06 23:04:46 +00:00
Lance Bragstad
bf6f118248 Add a note about how glance currently supports project personas
This commit leaves the generated default policies for glance alone since
they implement project personas. We don't need to do anything special to
override those policies and get that behavior.

Leaving them defined in the environment for completeness.

Change-Id: I414760f8e50e767035fbedc4f8ea7c7e4d166f8e
2021-10-06 14:40:56 +00:00
Lance Bragstad
b30b3cc82b Implement project personas in custom placement policy file
This change implements all the project personas for placement, which is
really only two (project-admin and project-reader) since placement is
pretty much isolated to administrator use. There is one API left open to
project readers to get usage.

This file was modified by generating the default sample policy file in
placement:

  $ oslopolicy-sample-generator --namespace placement

Then, working through the file and implementing project-admin instead of
the system persona. After that, I used the
convert_policy_yaml_to_heat_template.py tool to update the existing
defaults in enable-secure-rbac.yaml.

Change-Id: I11dcda89a5fbfdacd085bab89ed47b544f0b797f
2021-10-05 20:35:22 +00:00
Lance Bragstad
bdbd440cb6 Implement project personas in custom designate policy file
This commit updates the default policies in enable-secure-rbac.yaml to
implement consistent project personas (project-admin, project-member,
and project-reader) with other OpenStack services. The project-admin is
still considered a system administrator.

This behavior will change in future releases when more OpenStack
services adopt system-scope. At that time, we can go back to using the
default designate policies.

Change-Id: I108af0be37ab77510777168bb689b9d4718bc26a
2021-09-28 13:42:51 +00:00
Lance Bragstad
43a685e4bc Implement project personas in custom octavia policy file
This change updates the default octavia policies to implement consistent
support for project personas (project-admin, project-member, and
project-reader) with other OpenStack services. The project-admin is
still considered a system administrator.

This behavior will change in future releases when more OpenStack
services adopt system-scope. At that time, we can go back to use the
default octavia policies or update them to use system scope.

Change-Id: I768fc10144a634ea6058b7b48a1862be9d70da79
2021-09-28 13:42:40 +00:00
Lance Bragstad
4e307cfd6d Implement project personas in custom ironic policy file
This commit updates the ironic default policies in
enable-secure-rbac.yaml to implement project personas (project-admin,
project-member, and project-reader) to be consistent across OpenStack
services. The project-admin is still considered a system administrator.

This behavior will change in future releases when more OpenStack
services adopt system-scope. At that time, we can go back and use the
default ironic policies that implement system and project personas.

Change-Id: Id419f2e695d9510178c0ece6fc8777e52c30198c
2021-09-28 13:42:33 +00:00
Lance Bragstad
4477e28626 Implement project personas in custom manila policy file
This commit updates the default manila policies in
enable-secure-rbac.yaml to implement consistent support for project
personas (project-admin, project-member, and project-reader) with other
OpenStack services. The project-admin is still considered a system
administrator.

This behavior will change in future releases (likely Yoga) when we have
a community wide goal to finish system-scope adoption. At that point, we can
remove these overrides and use the defaults in manila, which adhere to system
and project personas and we'll get more functionality without these overrides.

Change-Id: I0dea2c6e273a1aca77386119f27702bda3cf4bf7
2021-09-28 13:42:10 +00:00
Lance Bragstad
88494c90d0 Implement project personas in custom nova policy file
This commit updates the default nova policies in enable-secure-rbac.yaml
to implement consistent project personas (project-admin, project-member,
and project-reader) with other OpenStack services. The project-admin is
still considered a system administrator, even though the default
policies in nova upstream use system scope.

This behavior will change in future releases when more OpenStack
services adopt system scope, which is a Yoga community goal. At that
time, we can drop custom policy overrides all together and get
consistent behavior with the defaults upstream.

Change-Id: Ia6681703a9ca000b2fa712ee3a9906f05909d24a
2021-09-28 13:41:20 +00:00
Lance Bragstad
c9635bf92e Implement a tool for converting policy.yaml files to heat templates
This commit adds a tool that parses a directory of service.yaml policy
files and then converts them to the appropriate THT structure, using the
necessary service variables and templating.

The enable-secure-rbac.yaml is simply the current defaults generated
from code. First, generate all the policy files for each OpenStack
service:

  $ oslopolicy-sample-generator --namespace $SERVICE --output-file $DEST/$SERVICE.yaml

Next, uncomment all the default policies as a starting point for making
policy changes:

  $ sed -i 's/^#"/"/g' $DEST/$SERVICE.yaml

Next you can make changes to the policy files to reflect the changes you
want in your deployment.

Finally, you can generate the necessary heat template:

  $ ./convert_policy_yaml_to_heat_template.py -d $DEST

The tool outputs to stdout. It's up to the user to redirect to a file if
they wish to save results.

The enable-secure-rbac.yaml environment will be updated in subsequent
patches to implement project personas.

Change-Id: I9957243d307758f56b84cde3a408006d8161fa41
2021-09-28 13:33:53 +00:00