RBAC Patch 1: policies and common files

This commit aims to suggest a set of default policies for user
management on stx-openstack. We suggest the creation of the project_admin
and project_readonly roles and provide some policies to fine-tune the
access control over the Openstack services for those roles, as described
in README.md.

Also, we provide a set of tests to ensure the policies and permissions
are all working as expected on site for the cloud administrators.

Story: 2008910
Task: 42501

Signed-off-by: Heitor Matsui <heitorvieira.matsui@windriver.com>
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Co-authored-by: Miriam Yumi Peixoto <miriam.yumipeixoto@windriver.com>
Co-authored-by: Leonardo Zaccarias <leonardo.zaccarias@windriver.com>
Co-authored-by: Rogerio Oliveira Ferraz <rogeriooliveira.ferraz@windriver.com>
Change-Id: I4040fe9f7be94ea7e0eb208579b2d5aa7579a8b1
Thiago Brito 2021-05-04 15:28:16 -03:00 committed by Heitor Matsui
parent 963e63cd55
commit 207ee7e017
9 changed files with 2139 additions and 0 deletions

enhanced-policies/.gitignore (new file, 55 lines)

@ -0,0 +1,55 @@
*.py[cod]
.venv
# C extensions
*.so
# Packages
.eggs
*.egg
*.egg-info
dist
build
eggs
parts
bin
var
sdist
develop-eggs
.installed.cfg
lib
lib64
# Installer logs
pip-log.txt
# Unit test / coverage reports
.coverage
cover/*
.tox
nosetests.xml
.testrepository
.stestr
# Translations
*.mo
# Mr Developer
.mr.developer.cfg
.project
.pydevproject
# Complexity
output/*.html
output/*/index.html
# Sphinx
doc/build
# pbr generates these
AUTHORS
ChangeLog
# Editors
*~
.*.swp
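Review bot: the unanchored `bin`, `lib`, `lib64` and `var` patterns in the "Packages" group of this hunk match a directory of that name at any depth, not only the virtualenv they are meant to cover, and `.venv` (second line of the file) already ignores the venv the README tells users to create; either drop them or anchor them (`/bin`, `/lib`, `/lib64`, `/var`) so a future `tests/lib/` helper directory is not silently left out of the repository.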

enhanced-policies/README.md (new file, 147 lines)

@ -0,0 +1,147 @@
Enhanced Policies
==========================
This repository aims to provide enhanced policies for stx-openstack.
|Design|Roles|Permissions summary|
|:-------------|-------------|:-----|
|Default Role:|member|Users with 'member' can manage certain resources of the project.|
|New Role to add:|project_admin|Users with role 'project_admin' could manage all resources of the project|
|New Role to add:|project_readonly|Users with role 'project_readonly' can only get list and detail of resources of the project, and shared resources of other projects|
Setting up the environment
--------------------------
Make sure you have access to the Openstack CLI, follow the instructions on [this doc.](https://docs.starlingx.io/deploy_install_guides/r5_release/openstack/access.html#id4)
1. Transfer the policies to your cloud's controller:
```
rsync -avP *-policy-overrides.yml <user>@<controller-floating-ip>:~/rbac
```
2. Log into your active controller
3. Create your clouds.yaml file
```bash
cat <<EOF >clouds.yaml
clouds:
openstack:
region_name: RegionOne
identity_api_version: 3
endpoint_type: internalURL
auth:
username: 'admin'
password: '<PASSWORD FOR ADMIN>'
project_name: 'admin'
project_domain_name: 'default'
user_domain_name: 'default'
auth_url: 'http://keystone.openstack.svc.cluster.local/v3'
EOF
```
4. Create the custom roles:
```
# Assuming you are using method 1
export OS_CLOUD=openstack
openstack role create project_admin
openstack role create project_readonly
```
5. In order to enable the extensions required for some of the Neutron tests, include the following configuration to the Neutron helm override YML file:
```
conf:
neutron:
DEFAULT:
service_plugins:
- router
- network_segment_range
- qos
- segments
- port_forwarding
- trunk
plugins:
ml2_conf:
ml2:
extension_drivers:
- port_security
- qos
openvswitch_agent:
agent:
extensions:
- qos
- port_forwarding
```
6. Apply the policy overrides for each service to your cloud
```
source /etc/platform/openrc
system helm-override-update stx-openstack keystone openstack --values=rbac/keystone-policy-overrides.yml
system helm-override-update stx-openstack cinder openstack --values=rbac/cinder-policy-overrides.yml
system helm-override-update stx-openstack nova openstack --values=rbac/nova-policy-overrides.yml
system helm-override-update stx-openstack neutron openstack --values=rbac/neutron-policy-overrides.yml
system helm-override-update stx-openstack glance openstack --values=rbac/glance-policy-overrides.yml
system helm-override-update stx-openstack horizon openstack --values=rbac/horizon-policy-overrides.yml
system application-apply stx-openstack
```
7. Watch for application overrides to finish applying
```
watch system application-show stx-openstack
```
Running tests
-------------
Please follow the instructions below to test the enhanced policies on your system. We assume that the New Roles were created on you system and the overrides were successfully applied.
1. Get to the rbac folder you transfered into your controller node
```
cd ~/rbac
```
2. IMPORTANT: create a venv and install the test dependencies
```
if [ ! -d .venv ]; then
python3 -m venv .venv
fi
source .venv/bin/activate
pip install --upgrade pip
pip install -r test-requirements.txt
```
3. Download CirrOS image (dependency for nova and cinder tests)
```
wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
```
4. Execute the tests
On StarlingX:
```
export OS_CLOUD=openstack
pytest tests/
```
On WindRiver Openstack:
```
export OS_CLOUD=openstack
pytest tests/ --env wro
```
If things go awry...
--------------------
**WARNING: The following script might DELETE some existing configuration if not used carefully!**
One can use the run-cleanup-all.sh script to remove any leftovers from the test
on the environment:
```bash
export OS_CLOUD=openstack
bash run-cleanup-all.sh
```
Role Permission Details
-----------------------
|Role Permissions|identity(keystone)|compute(nova)|networking(neutron)|image(glance)|volume(cinder)|
|---|:---|:---|:---|:---|:---|
|member|All operations that legacy role '_member_' can do|1 - Can get list and detail of instances<br>2 - Can create instance/Can open console of instances<br>3 - Can access log of instance<br>4 - Can manage keypairs of his/her own|1 - Can only create/update/delete port<br>2 - Can get list and detail of resources: subnetpool, address scope, networks, subnets, etc.|1,can create and update image, upload image content<br>|1 - Can create volume<br>2 - Can create volume from image<br>3 - Can create volume snapshot<br>4 - Can create volume-backup|
|project_admin|all operations that legacy role '_member_' can do;|all operations that legacy role '_member_' can do<br>|1 - All operations that legacy role '_member_' can do<br>2 - Can create/update/delete 'shared' subnetpool<br>3 - Can create/update/delete address scope<br>4 - Can create/update/delete shared network<br>|1 - All operations that legacy role '_member_' can do<br>2 - Can publicize_image<br>|1 - All operations that legacy role '_member_' can do|
|project_readonly|all operations that legacy role '_member_' can do<br>|1 - Can only get list and detail of instances<br>2 - Can manage key-pairs of his/her own|1 - Can only get list and detail of resources: subnetpool, address scopes, networks, subnets,etc.|1 - Can only get list and detail of images|1 - Can only get list and detail of volumes, backups, snapshots|
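Review bot: step 3 writes the admin password into `clouds.yaml` in the operator's home directory on the controller with whatever the default umask allows, and nothing in the later steps or in "If things go awry..." removes the file once the overrides are applied; add a `chmod 600 clouds.yaml` (or `umask 077` before the heredoc) and a reminder to delete the file when done. Two smaller points in the same hunk: the comment `# Assuming you are using method 1` in step 4 refers to a method that is not defined anywhere in the README, and step 3 of "Running tests" fetches the CirrOS image over plain `http://` with no checksum verification, so the fixture the nova and cinder tests boot from is an unverified download; use the `https://` URL and check the published hash. Typos: "transfered" in step 1 of "Running tests" and "created on you system" in its intro.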


@ -0,0 +1,149 @@
conf:
policy:
admin_api: is_admin:True or (role:admin and is_admin_project:True)
admin_or_owner: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
admin_or_projectadmin_owner: rule:admin_api or rule:projectadmin_and_owner
admin_or_projectadmin_required: rule:admin_api or rule:projectadmin_required
admin_or_projectmember_owner: rule:admin_api or rule:projectmember_and_owner
admin_or_projectmember_required: rule:admin_api or rule:projectmember_required
backup:backup-export: rule:admin_api
backup:backup-import: rule:admin_api
backup:backup_project_attribute: rule:admin_api
backup:create: rule:admin_or_projectmember_owner
backup:delete: rule:admin_or_projectadmin_owner
backup:get: rule:admin_or_owner
backup:get_all: rule:admin_or_owner
backup:restore: rule:admin_or_projectadmin_owner
backup:update: rule:admin_or_projectadmin_owner
clusters:get: rule:admin_api
clusters:get_all: rule:admin_api
clusters:update: rule:admin_api
consistencygroup:create: rule:admin_or_projectadmin_required
consistencygroup:create_cgsnapshot: rule:admin_or_projectadmin_required
consistencygroup:delete: rule:admin_or_projectadmin_required
consistencygroup:delete_cgsnapshot: rule:admin_or_projectadmin_required
consistencygroup:get: ""
consistencygroup:get_all: ""
consistencygroup:get_all_cgsnapshots: ""
consistencygroup:get_cgsnapshot: ""
consistencygroup:update: rule:admin_or_projectadmin_required
default: rule:admin_or_owner
group:access_group_types_specs: rule:admin_api
group:create: rule:admin_or_projectadmin_required
group:create_group_snapshot: rule:admin_or_projectadmin_required
group:delete: rule:admin_or_projectadmin_owner
group:delete_group_snapshot: rule:admin_or_projectadmin_owner
group:disable_replication: rule:admin_or_projectadmin_owner
group:enable_replication: rule:admin_or_projectadmin_owner
group:failover_replication: rule:admin_or_projectadmin_owner
group:get: rule:admin_or_owner
group:get_all: rule:admin_or_owner
group:get_all_group_snapshots: rule:admin_or_owner
group:get_group_snapshot: rule:admin_or_owner
group:group_type_access: rule:admin_or_projectadmin_owner
group:group_types_manage: rule:admin_api
group:group_types_specs: rule:admin_api
group:list_replication_targets: rule:admin_or_owner
group:reset_group_snapshot_status: rule:admin_api
group:reset_status: rule:admin_api
group:update: rule:admin_or_projectadmin_owner
group:update_group_snapshot: rule:admin_or_projectadmin_owner
message:delete: rule:admin_or_projectadmin_owner
message:get: rule:admin_or_owner
message:get_all: rule:admin_or_owner
owner: project_id:%(project_id)s
projectadmin_and_owner: rule:projectadmin_required and rule:owner
projectadmin_required: role:project_admin
projectmember_and_owner: rule:projectmember_required and rule:owner
projectmember_required: role:project_admin or role:member
scheduler_extension:scheduler_stats:get_pools: rule:admin_api
snapshot_extension:list_manageable: rule:admin_api
snapshot_extension:snapshot_actions:update_snapshot_status: rule:admin_or_projectmember_required
snapshot_extension:snapshot_manage: rule:admin_api
snapshot_extension:snapshot_unmanage: rule:admin_api
volume:accept_transfer: rule:admin_or_projectmember_required
volume:attachment_create: rule:admin_or_projectmember_required
volume:attachment_delete: rule:admin_or_projectmember_owner
volume:attachment_update: rule:admin_or_projectmember_owner
volume:create: rule:admin_or_projectmember_required
volume:create_from_image: rule:admin_or_projectmember_required
volume:create_snapshot: rule:admin_or_projectmember_owner
volume:create_transfer: rule:admin_or_projectadmin_owner
volume:create_volume_metadata: rule:admin_or_projectmember_owner
volume:delete: rule:admin_or_projectadmin_owner
volume:delete_snapshot: rule:admin_or_projectadmin_owner
volume:delete_snapshot_metadata: rule:admin_or_projectadmin_owner
volume:delete_transfer: rule:admin_or_projectadmin_owner
volume:delete_volume_metadata: rule:admin_or_projectadmin_owner
volume:extend: rule:admin_or_projectadmin_owner
volume:extend_attached_volume: rule:admin_or_projectadmin_owner
volume:failover_host: rule:admin_api
volume:force_delete: rule:admin_api
volume:freeze_host: rule:admin_api
volume:get: rule:admin_or_owner
volume:get_all: rule:admin_or_owner
volume:get_all_snapshots: rule:admin_or_owner
volume:get_all_transfers: rule:admin_or_owner
volume:get_snapshot: rule:admin_or_owner
volume:get_snapshot_metadata: rule:admin_or_owner
volume:get_transfer: rule:admin_or_owner
volume:get_volume_admin_metadata: rule:admin_api
volume:get_volume_metadata: rule:admin_or_owner
volume:retype: rule:admin_or_projectadmin_owner
volume:revert_to_snapshot: rule:admin_or_projectadmin_owner
volume:thaw_host: rule:admin_api
volume:update: rule:admin_or_projectadmin_owner
volume:update_readonly_flag: rule:admin_or_projectadmin_owner
volume:update_snapshot: rule:admin_or_projectadmin_owner
volume:update_snapshot_metadata: rule:admin_or_projectadmin_owner
volume:update_volume_admin_metadata: rule:admin_api
volume:update_volume_metadata: rule:admin_or_projectadmin_owner
volume_extension:access_types_extra_specs: rule:admin_api
volume_extension:access_types_qos_specs_id: rule:admin_api
volume_extension:backup_admin_actions:force_delete: rule:admin_api
volume_extension:backup_admin_actions:reset_status: rule:admin_api
volume_extension:capabilities: rule:admin_api
volume_extension:extended_snapshot_attributes: rule:admin_or_projectadmin_owner
volume_extension:hosts: rule:admin_api
volume_extension:list_manageable: rule:admin_api
volume_extension:qos_specs_manage:create: rule:admin_api
volume_extension:qos_specs_manage:delete: rule:admin_api
volume_extension:qos_specs_manage:get: rule:admin_api
volume_extension:qos_specs_manage:get_all: rule:admin_api
volume_extension:qos_specs_manage:update: rule:admin_api
volume_extension:quota_classes: rule:admin_api
volume_extension:quota_classes:validate_setup_for_nested_quota_use: rule:admin_api
volume_extension:quotas:delete: rule:admin_api
volume_extension:quotas:show: ""
volume_extension:quotas:update: rule:admin_api
volume_extension:services:index: rule:admin_api
volume_extension:services:update: rule:admin_api
volume_extension:snapshot_admin_actions:force_delete: rule:admin_api
volume_extension:snapshot_admin_actions:reset_status: rule:admin_api
volume_extension:snapshot_backup_status_attribute: rule:admin_or_projectadmin_owner
volume_extension:snapshot_export_attributes: rule:admin_or_projectadmin_owner
volume_extension:types_extra_specs:create: rule:admin_api
volume_extension:types_extra_specs:delete: rule:admin_api
volume_extension:types_extra_specs:index: rule:admin_api
volume_extension:types_extra_specs:show: rule:admin_api
volume_extension:types_extra_specs:update: rule:admin_api
volume_extension:types_manage: rule:admin_api
volume_extension:volume_actions:upload_image: rule:admin_or_projectadmin_owner
volume_extension:volume_actions:upload_public: rule:admin_api
volume_extension:volume_admin_actions:force_delete: rule:admin_api
volume_extension:volume_admin_actions:force_detach: rule:admin_api
volume_extension:volume_admin_actions:migrate_volume: rule:admin_api
volume_extension:volume_admin_actions:migrate_volume_completion: rule:admin_api
volume_extension:volume_admin_actions:reset_status: rule:admin_api
volume_extension:volume_encryption_metadata: rule:admin_or_projectadmin_owner
volume_extension:volume_host_attribute: rule:admin_api
volume_extension:volume_image_metadata: rule:admin_or_owner
volume_extension:volume_manage: rule:admin_api
volume_extension:volume_mig_status_attribute: rule:admin_api
volume_extension:volume_tenant_attribute: rule:admin_or_projectadmin_owner
volume_extension:volume_type_access: rule:admin_or_projectadmin_owner
volume_extension:volume_type_access:addProjectAccess: rule:admin_api
volume_extension:volume_type_access:removeProjectAccess: rule:admin_api
volume_extension:volume_type_encryption: rule:admin_api
volume_extension:volume_unmanage: rule:admin_api
workers:cleanup: rule:admin_api
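Review bot: `default: rule:admin_or_owner` in this hunk is satisfied by any user holding any role in the project, `project_readonly` included, so every cinder policy target that is not enumerated here (anything added in a later Cinder release, for instance) falls open to the read-only role rather than closed; for an override whose stated purpose is a read-only role, set `default: rule:admin_api` and list the read targets explicitly, or at least document that new targets must be added to this file. Related: `consistencygroup:get`, `consistencygroup:get_all`, `consistencygroup:get_all_cgsnapshots`, `consistencygroup:get_cgsnapshot` and `volume_extension:quotas:show` are set to `""`, which passes any authenticated token from any project; `rule:admin_or_owner`, as already used for `group:get` and `backup:get` in the same file, is the consistent choice.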


@ -0,0 +1,65 @@
conf:
policy:
owner: project_id:%(owner)s
admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner
admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required
admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner
admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required
projectadmin_required: role:project_admin
projectadmin_and_owner: rule:projectadmin_required and rule:owner
projectmember_and_owner: rule:projectmember_required and rule:owner
projectmember_required: role:project_admin or role:member
add_image: rule:admin_or_projectmember_required
add_member: rule:admin_or_projectadmin_owner
add_metadef_namespace: rule:admin_or_projectadmin_required
add_metadef_object: rule:admin_or_projectadmin_required
add_metadef_property: rule:admin_or_projectadmin_required
add_metadef_resource_type_association: rule:admin_or_projectadmin_required
add_metadef_tag: rule:admin_or_projectadmin_required
add_metadef_tags: rule:admin_or_projectadmin_required
add_task: rule:admin_or_projectadmin_owner
communitize_image: rule:admin_or_projectadmin_required
context_is_admin: role:admin
copy_from: rule:admin_or_projectadmin_owner
deactivate: rule:admin_or_projectadmin_owner
default: role:admin
delete_image: rule:admin_or_projectadmin_owner
delete_image_location: rule:admin_or_projectadmin_owner
delete_member: rule:admin_or_projectadmin_owner
delete_metadef_namespace: rule:admin_or_projectadmin_owner
delete_metadef_object: rule:admin_or_projectadmin_owner
delete_metadef_tag: rule:admin_or_projectadmin_owner
delete_metadef_tags: rule:admin_or_projectadmin_owner
download_image: ""
get_image: ""
get_image_location: ""
get_images: ""
get_member: ""
get_members: ""
get_metadef_namespace: ""
get_metadef_namespaces: ""
get_metadef_object: ""
get_metadef_objects: ""
get_metadef_properties: ""
get_metadef_property: ""
get_metadef_resource_type: ""
get_metadef_tag: ""
get_metadef_tags: ""
get_task: rule:admin_or_projectadmin_owner
get_tasks: rule:admin_or_projectadmin_owner
list_metadef_resource_types: ""
manage_image_cache: role:admin
modify_image: rule:admin_or_projectmember_owner
modify_member: rule:admin_or_projectmember_required
modify_metadef_namespace: rule:admin_or_projectadmin_owner
modify_metadef_object: rule:admin_or_projectadmin_owner
modify_metadef_property: rule:admin_or_projectadmin_owner
modify_metadef_tag: rule:admin_or_projectadmin_owner
modify_task: rule:admin_or_projectadmin_owner
publicize_image: rule:admin_or_projectadmin_required
reactivate: rule:admin_or_projectadmin_owner
remove_metadef_property: rule:admin_or_projectadmin_owner
remove_metadef_resource_type_association: rule:admin_or_projectadmin_owner
set_image_location: rule:admin_or_projectadmin_owner
tasks_api_access: role:admin
upload_image: rule:admin_or_projectmember_required
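Review bot: `upload_image: rule:admin_or_projectmember_required` carries no owner check while the neighbouring `modify_image` uses `rule:admin_or_projectmember_owner`, so at the policy layer a member of any project passes the check for pushing data into another project's image and enforcement is left to the service code rather than the policy; use `rule:admin_or_projectmember_owner` for `upload_image` to match `modify_image` (`modify_member` is legitimately owner-less, since the member accepting a share is in a different project than the image owner). Also note `default: role:admin` here versus `default: rule:admin_or_owner` in the cinder override: the two files take opposite fail-closed/fail-open stances for unlisted targets, and the README should state which one is intended.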

(File diff suppressed because it is too large.)


@ -0,0 +1,174 @@
conf:
policy:
admin_or_owner: rule:admin_required or rule:owner
admin_or_token_subject: rule:admin_required or rule:token_subject
admin_required: role:admin or is_admin:1
default: rule:admin_required
identity:add_endpoint_group_to_project: rule:admin_required
identity:add_endpoint_to_project: rule:admin_required
identity:add_user_to_group: rule:admin_required
identity:authorize_request_token: rule:admin_required
identity:change_password: rule:admin_or_owner
identity:check_endpoint_in_project: rule:admin_required
identity:check_grant: rule:admin_required
identity:check_implied_role: rule:admin_required
identity:check_policy_association_for_endpoint: rule:admin_required
identity:check_policy_association_for_region_and_service: rule:admin_required
identity:check_policy_association_for_service: rule:admin_required
identity:check_token: rule:admin_or_token_subject
identity:check_user_in_group: rule:admin_required
identity:create_consumer: rule:admin_required
identity:create_credential: rule:admin_required
identity:create_domain: rule:admin_required
identity:create_domain_config: rule:admin_required
identity:create_domain_role: rule:admin_required
identity:create_endpoint: rule:admin_required
identity:create_endpoint_group: rule:admin_required
identity:create_grant: rule:admin_required
identity:create_group: rule:admin_required
identity:create_identity_provider: rule:admin_required
identity:create_implied_role: rule:admin_required
identity:create_mapping: rule:admin_required
identity:create_policy: rule:admin_required
identity:create_policy_association_for_endpoint: rule:admin_required
identity:create_policy_association_for_region_and_service: rule:admin_required
identity:create_policy_association_for_service: rule:admin_required
identity:create_project: rule:admin_required
identity:create_protocol: rule:admin_required
identity:create_region: rule:admin_required
identity:create_role: rule:admin_required
identity:create_service: rule:admin_required
identity:create_service_provider: rule:admin_required
identity:create_trust: user_id:%(trust.trustor_user_id)s
identity:create_user: rule:admin_required
identity:delete_access_token: rule:admin_required
identity:delete_consumer: rule:admin_required
identity:delete_credential: rule:admin_required
identity:delete_domain: rule:admin_required
identity:delete_domain_config: rule:admin_required
identity:delete_domain_role: rule:admin_required
identity:delete_endpoint: rule:admin_required
identity:delete_endpoint_group: rule:admin_required
identity:delete_group: rule:admin_required
identity:delete_identity_provider: rule:admin_required
identity:delete_implied_role: rule:admin_required
identity:delete_mapping: rule:admin_required
identity:delete_policy: rule:admin_required
identity:delete_policy_association_for_endpoint: rule:admin_required
identity:delete_policy_association_for_region_and_service: rule:admin_required
identity:delete_policy_association_for_service: rule:admin_required
identity:delete_project: rule:admin_required
identity:delete_protocol: rule:admin_required
identity:delete_region: rule:admin_required
identity:delete_role: rule:admin_required
identity:delete_service: rule:admin_required
identity:delete_service_provider: rule:admin_required
identity:delete_trust: ""
identity:delete_user: rule:admin_required
identity:ec2_create_credential: rule:admin_or_owner
identity:ec2_delete_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
identity:ec2_get_credential: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
identity:ec2_list_credentials: rule:admin_or_owner
identity:get_access_token: rule:admin_required
identity:get_access_token_role: rule:admin_required
identity:get_auth_catalog: ""
identity:get_auth_domains: ""
identity:get_auth_projects: ""
identity:get_consumer: rule:admin_required
identity:get_credential: rule:admin_required
identity:get_domain: rule:admin_required or token.project.domain.id:%(target.domain.id)s
identity:get_domain_config: rule:admin_required
identity:get_domain_config_default: rule:admin_required
identity:get_domain_role: rule:admin_required
identity:get_endpoint: rule:admin_required
identity:get_endpoint_group: rule:admin_required
identity:get_endpoint_group_in_project: rule:admin_required
identity:get_group: rule:admin_required
identity:get_identity_providers: rule:admin_required
identity:get_implied_role: 'rule:admin_required '
identity:get_mapping: rule:admin_required
identity:get_policy: rule:admin_required
identity:get_policy_for_endpoint: rule:admin_required
identity:get_project: rule:admin_required or project_id:%(target.project.id)s
identity:get_protocol: rule:admin_required
identity:get_region: ""
identity:get_role: rule:admin_required
identity:get_role_for_trust: ""
identity:get_security_compliance_domain_config: ""
identity:get_service: rule:admin_required
identity:get_service_provider: rule:admin_required
identity:get_user: rule:admin_or_owner
identity:list_access_token_roles: rule:admin_required
identity:list_access_tokens: rule:admin_required
identity:list_consumers: rule:admin_required
identity:list_credentials: rule:admin_required
identity:list_domain_roles: rule:admin_required
identity:list_domains: rule:admin_required
identity:list_domains_for_user: ""
identity:list_endpoint_groups: rule:admin_required
identity:list_endpoint_groups_for_project: rule:admin_required
identity:list_endpoints: rule:admin_required
identity:list_endpoints_associated_with_endpoint_group: rule:admin_required
identity:list_endpoints_for_policy: rule:admin_required
identity:list_endpoints_for_project: rule:admin_required
identity:list_grants: rule:admin_required
identity:list_groups: rule:admin_required
identity:list_groups_for_user: rule:admin_or_owner
identity:list_identity_providers: rule:admin_required
identity:list_implied_roles: rule:admin_required
identity:list_mappings: rule:admin_required
identity:list_policies: rule:admin_required
identity:list_projects: rule:admin_required
identity:list_projects_associated_with_endpoint_group: rule:admin_required
identity:list_projects_for_endpoint: rule:admin_required
identity:list_projects_for_user: ""
identity:list_protocols: rule:admin_required
identity:list_regions: ""
identity:list_revoke_events: rule:service_or_admin
identity:list_role_assignments: rule:admin_required
identity:list_role_assignments_for_tree: rule:admin_required
identity:list_role_inference_rules: rule:admin_required
identity:list_roles: rule:admin_required
identity:list_roles_for_trust: ""
identity:list_service_providers: rule:admin_required
identity:list_services: rule:admin_required
identity:list_trusts: ""
identity:list_user_projects: rule:admin_or_owner
identity:list_users: rule:admin_required
identity:list_users_in_group: rule:admin_required
identity:project_users_access: rule:project_mod_or_admin
identity:remove_endpoint_from_project: rule:admin_required
identity:remove_endpoint_group_from_project: rule:admin_required
identity:remove_user_from_group: rule:admin_required
identity:revocation_list: rule:service_or_admin
identity:revoke_grant: rule:admin_required
identity:revoke_token: rule:admin_or_token_subject
identity:update_consumer: rule:admin_required
identity:update_credential: rule:admin_required
identity:update_domain: rule:admin_required
identity:update_domain_config: rule:admin_required
identity:update_domain_role: rule:admin_required
identity:update_endpoint: rule:admin_required
identity:update_endpoint_group: rule:admin_required
identity:update_group: rule:admin_required
identity:update_identity_provider: rule:admin_required
identity:update_mapping: rule:admin_required
identity:update_policy: rule:admin_required
identity:update_project: rule:admin_required
identity:update_protocol: rule:admin_required
identity:update_region: rule:admin_required
identity:update_role: rule:admin_required
identity:update_service: rule:admin_required
identity:update_service_provider: rule:admin_required
identity:update_user: rule:admin_required
identity:validate_token: rule:service_admin_or_token_subject
identity:validate_token_head: rule:service_or_admin
owner: user_id:%(user_id)s
project_admin: role:project_admin
project_admin_only: rule:admin_required or rule:project_admin
project_mod: role:project_mod
project_mod_or_admin: rule:admin_required or rule:project_mod or rule:project_admin
service_admin_or_token_subject: rule:service_or_admin or rule:token_subject
service_or_admin: rule:admin_required or rule:service_role
service_role: role:service
token_subject: user_id:%(target.token.user_id)s
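Review bot: `identity:project_users_access: rule:project_mod_or_admin` depends on `project_mod: role:project_mod`, but README step 4 only creates `project_admin` and `project_readonly`; no `project_mod` role is ever created, so that branch of the rule can never match and should either be dropped or the role added to step 4. In the same tail of the hunk, `project_admin_only` is defined but not referenced by any target, and `identity:get_implied_role: 'rule:admin_required '` carries a stray trailing space inside the quotes; write it unquoted as `rule:admin_required` like every other line. Finally, nothing in this override grants `project_admin` or `project_readonly` anything beyond the stock `_member_` behaviour, which matches the README table but means most of the file restates upstream defaults; trimming it to the rules that actually differ would keep the diff reviewable.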


@ -0,0 +1,270 @@
conf:
policy:
add_router_interface: rule:admin_or_projectadmin_owner
add_subports: rule:admin_or_projectadmin_owner
admin_only: rule:context_is_admin
admin_or_data_plane_int: rule:context_is_admin or role:data_plane_integrator
admin_or_generic_owner: rule:context_is_admin or rule:generic_owner
admin_or_network_owner: rule:context_is_admin or tenant_id:%(network:tenant_id)s
admin_or_ext_parent_owner: rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s
admin_or_owner: rule:context_is_admin or rule:owner
admin_or_projectadmin_generic_owner: rule:context_is_admin or rule:projectadmin_and_generic_owner
admin_or_projectadmin_network_owner: rule:context_is_admin or rule:projectadmin_and_network_owner
admin_or_projectadmin_ext_owner: rule:context_is_admin or rule:projectadmin_and_ext_owner
admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner
admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required
admin_or_projectmember_generic_owner: rule:context_is_admin or rule:projectmember_and_generic_owner
admin_or_projectmember_network_owner: rule:context_is_admin or rule:projectmember_and_network_owner
admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner
admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required
admin_or_qos_owner: rule:context_is_admin or tenant_id:%(qos:tenant_id)s
admin_owner_or_network_owner: rule:owner or rule:admin_or_network_owner
context_is_admin: role:admin
context_is_advsvc: role:advsvc
create_address_scope: rule:admin_or_projectadmin_required
create_address_scope:shared: rule:admin_or_projectadmin_required
create_dhcp-network: rule:admin_only
create_flavor: rule:admin_only
create_flavor_service_profile: rule:admin_only
create_floatingip: rule:admin_or_projectadmin_required
create_floatingip:floating_ip_address: rule:admin_or_projectadmin_required
create_floatingip_port_forwarding: rule:admin_or_projectadmin_required
create_l3-router: rule:admin_only
create_log: rule:admin_only
create_lsn: rule:admin_only
create_metering_label: rule:admin_only
create_metering_label_rule: rule:admin_only
create_network: rule:admin_or_projectadmin_required
create_network:is_default: rule:admin_only
create_network:provider:network_type: rule:admin_only
create_network:provider:physical_network: rule:admin_only
create_network:provider:segmentation_id: rule:admin_only
create_network:router:external: rule:admin_only
create_network:segments: rule:admin_only
create_network:shared: rule:admin_or_projectadmin_required
create_network:wrs-tm:qos: rule:admin_or_qos_owner
create_network_profile: rule:admin_only
create_policy: rule:admin_only
create_policy_bandwidth_limit_rule: rule:admin_only
create_policy_dscp_marking_rule: rule:admin_only
create_policy_minimum_bandwidth_rule: rule:admin_only
create_port: rule:admin_or_projectmember_required
create_port:allowed_address_pairs: rule:admin_or_network_owner
create_port:binding:host_id: rule:admin_only
create_port:binding:profile: rule:admin_only
create_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
create_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:mac_address: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
create_port:wrs-binding:mac_filtering: rule:admin_only
create_port:wrs-binding:mtu: rule:admin_only
create_port:wrs-tm:qos: rule:admin_or_qos_owner
create_providernet: rule:admin_only
create_providernet_range: rule:admin_only
create_qos: rule:admin_only
create_qos_queue: rule:admin_only
create_rbac_policy: rule:admin_or_projectadmin_required
create_rbac_policy:target_tenant: rule:restrict_wildcard
create_router: rule:admin_or_projectadmin_required
create_router:distributed: rule:admin_or_projectadmin_required
create_router:external_gateway_info:enable_snat: rule:admin_or_projectadmin_required
create_router:external_gateway_info:external_fixed_ips: rule:admin_or_projectadmin_required
create_router:ha: rule:admin_or_projectadmin_required
create_security_group: rule:admin_or_projectadmin_owner
create_security_group_rule: rule:admin_or_projectadmin_owner
create_segment: rule:admin_only
create_service_profile: rule:admin_only
create_subnet: rule:admin_or_projectadmin_network_owner
create_subnet:segment_id: rule:admin_only
create_subnet:service_types: rule:admin_only
create_subnet:wrs-provider:segmentation_id: rule:admin_only
create_subnetpool: rule:admin_or_projectadmin_required
create_subnetpool:is_default: rule:admin_only
create_subnetpool:shared: rule:admin_or_projectadmin_required
create_trunk: rule:admin_or_projectadmin_required
default: rule:admin_or_owner
delete_address_scope: rule:admin_or_projectadmin_owner
delete_agent: rule:admin_only
delete_dhcp-network: rule:admin_only
delete_flavor: rule:admin_only
delete_flavor_service_profile: rule:admin_only
delete_floatingip: rule:admin_or_projectadmin_owner
delete_floatingip_port_forwarding: rule:admin_or_projectadmin_ext_owner
delete_l3-router: rule:admin_only
delete_log: rule:admin_only
delete_metering_label: rule:admin_only
delete_metering_label_rule: rule:admin_only
delete_network: rule:admin_or_projectadmin_owner
delete_network_profile: rule:admin_only
delete_policy: rule:admin_only
delete_policy_bandwidth_limit_rule: rule:admin_only
delete_policy_dscp_marking_rule: rule:admin_only
delete_policy_minimum_bandwidth_rule: rule:admin_only
delete_port: rule:context_is_advsvc or rule:admin_or_projectmember_generic_owner
delete_providernet: rule:admin_only
delete_providernet_range: rule:admin_only
delete_qos: rule:admin_only
delete_rbac_policy: rule:admin_or_projectadmin_owner
delete_router: rule:admin_or_projectadmin_owner
delete_security_group: rule:admin_or_projectadmin_owner
delete_security_group_rule: rule:admin_or_projectadmin_owner
delete_segment: rule:admin_only
delete_service_profile: rule:admin_only
delete_subnet: rule:admin_or_projectadmin_network_owner
delete_subnetpool: rule:admin_or_projectadmin_owner
delete_trunk: rule:admin_or_projectadmin_owner
external: field:networks:router:external=True
ext_parent_owner: tenant_id:%(ext_parent:tenant_id)s
generic_owner: rule:owner or rule:network_owner
get_address_scope: rule:admin_or_owner or rule:shared_address_scopes
get_agent: rule:admin_only
get_agent-loadbalancers: rule:admin_only
get_auto_allocated_topology: rule:admin_or_owner
get_dhcp-agents: rule:admin_only
get_dhcp-networks: rule:admin_only
get_flavor: rule:regular_user
get_flavor_service_profile: rule:regular_user
get_flavors: rule:regular_user
get_floatingip: rule:admin_or_owner
get_floatingip_port_forwarding: rule:admin_or_ext_parent_owner or rule:context_is_advsvc
get_l3-agents: rule:admin_only
get_l3-routers: rule:admin_only
get_loadbalancer-agent: rule:admin_only
get_loadbalancer-hosting-agent: rule:admin_only
get_loadbalancer-pools: rule:admin_only
get_log: rule:admin_only
get_loggable_resources: rule:admin_only
get_logs: rule:admin_only
get_lsn: rule:admin_only
get_metering_label: rule:admin_only
get_metering_label_rule: rule:admin_only
get_network: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
get_network:provider:network_type: rule:admin_only
get_network:provider:physical_network: rule:admin_only
get_network:provider:segmentation_id: rule:admin_only
get_network:queue_id: rule:admin_only
get_network:router:external: rule:regular_user
get_network:segments: rule:admin_only
get_network:wrs-tm:qos: rule:admin_or_qos_owner
get_network_ip_availabilities: rule:admin_or_projectadmin_owner
get_network_ip_availability: rule:admin_or_projectadmin_owner
get_network_profile: ""
get_network_profiles: ""
get_policy: rule:regular_user
get_policy_bandwidth_limit_rule: rule:regular_user
get_policy_dscp_marking_rule: rule:regular_user
get_policy_minimum_bandwidth_rule: rule:regular_user
get_policy_profile: ""
get_policy_profiles: ""
get_port: rule:context_is_advsvc or rule:admin_owner_or_network_owner
get_port:binding:host_id: rule:admin_only
get_port:binding:profile: rule:admin_only
get_port:binding:vif_details: rule:admin_only
get_port:binding:vif_type: rule:admin_only
get_port:queue_id: rule:admin_only
get_providernet: rule:admin_only
get_providernet-bindings: rule:admin_only
get_providernet_range: rule:admin_only
get_providernet_ranges: rule:admin_only
get_providernet_types: rule:admin_only
get_providernets: rule:admin_only
get_qos: rule:admin_or_owner
get_qos_queue: rule:admin_only
get_rbac_policy: rule:admin_or_owner
get_router: rule:admin_or_owner
get_router:distributed: rule:admin_or_projectadmin_required
get_router:ha: rule:admin_or_projectadmin_required
get_router:wrs-net:host: rule:admin_only
get_routers:wrs-net:host: rule:admin_only
get_rule_type: rule:regular_user
get_security_group: rule:admin_or_owner
get_security_group_rule: rule:admin_or_owner
get_security_group_rules: rule:admin_or_owner
get_security_groups: rule:admin_or_owner
get_segment: rule:admin_only
get_service_profile: rule:admin_only
get_service_profiles: rule:admin_only
get_service_provider: rule:regular_user
get_subnet: rule:admin_or_owner or rule:shared
get_subnet:segment_id: rule:admin_only
get_subnet:wrs-provider:network_type: rule:admin_only
get_subnet:wrs-provider:physical_network: rule:admin_only
get_subnet:wrs-provider:segmentation_id: rule:admin_only
get_subnetpool: rule:admin_or_owner or rule:shared_subnetpools
get_subports: ""
get_trunk: rule:admin_or_owner
network_device: 'field:port:device_owner=~^network:'
network_owner: tenant_id:%(network:tenant_id)s
owner: tenant_id:%(tenant_id)s
projectadmin_and_ext_owner: rule:projectadmin_required and rule:ext_parent_owner
projectadmin_and_generic_owner: rule:projectadmin_required and rule:generic_owner
projectadmin_and_network_owner: rule:projectadmin_required and rule:network_owner
projectadmin_and_owner: rule:projectadmin_required and rule:owner
projectadmin_required: role:project_admin
projectmember_and_generic_owner: rule:projectmember_required and rule:generic_owner
projectmember_and_network_owner: rule:projectmember_required and rule:network_owner
projectmember_and_owner: rule:projectmember_required and rule:owner
projectmember_required: role:project_admin or role:member
regular_user: ""
remove_router_interface: rule:admin_or_projectadmin_owner
remove_subports: rule:admin_or_projectadmin_owner
restrict_wildcard: (not field:rbac_policy:target_tenant=*) or rule:admin_only
shared: field:networks:shared=True
shared_address_scopes: field:address_scopes:shared=True
shared_subnetpools: field:subnetpools:shared=True
update_address_scope: rule:admin_or_projectadmin_owner
update_address_scope:shared: rule:admin_or_projectadmin_owner
update_agent: rule:admin_only
update_flavor: rule:admin_only
update_floatingip: rule:admin_or_projectadmin_owner
update_log: rule:admin_only
update_network: rule:admin_or_projectadmin_owner
update_network:provider:network_type: rule:admin_only
update_network:provider:physical_network: rule:admin_only
update_network:provider:segmentation_id: rule:admin_only
update_network:router:external: rule:admin_only
update_network:segments: rule:admin_only
update_network:shared: rule:admin_or_projectadmin_required
update_network:wrs-tm:qos: rule:admin_or_qos_owner
update_network_profile: rule:admin_only
update_policy: rule:admin_only
update_policy_bandwidth_limit_rule: rule:admin_only
update_policy_dscp_marking_rule: rule:admin_only
update_policy_minimum_bandwidth_rule: rule:admin_only
update_policy_profiles: rule:admin_only
update_port: rule:admin_or_projectmember_owner or rule:context_is_advsvc
update_port:allowed_address_pairs: rule:admin_or_network_owner
update_port:binding:host_id: rule:admin_only
update_port:binding:profile: rule:admin_only
update_port:data_plane_status: rule:admin_or_data_plane_int
update_port:device_owner: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
update_port:fixed_ips: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:mac_address: rule:admin_only or rule:context_is_advsvc
update_port:mac_learning_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:port_security_enabled: rule:context_is_advsvc or rule:admin_or_network_owner
update_port:wrs-binding:mac_filtering: rule:admin_only
update_port:wrs-binding:mtu: rule:admin_only
update_port:wrs-tm:qos: rule:admin_or_qos_owner
update_floatingip_port_forwarding: rule:admin_or_projectadmin_ext_owner
update_providernet: rule:admin_only
update_providernet_range: rule:admin_only
update_qos: rule:admin_only
update_rbac_policy: rule:admin_or_projectadmin_owner
update_rbac_policy:target_tenant: rule:restrict_wildcard and rule:admin_or_owner
update_router: rule:admin_or_projectadmin_owner
update_router:distributed: rule:admin_or_projectadmin_required
update_router:external_gateway_info: rule:admin_or_projectadmin_owner
update_router:external_gateway_info:enable_snat: rule:admin_or_projectadmin_required
update_router:external_gateway_info:external_fixed_ips: rule:admin_or_projectadmin_required
update_router:external_gateway_info:network_id: rule:admin_or_projectadmin_owner
update_router:ha: rule:admin_or_projectadmin_required
update_security_group: rule:admin_or_projectadmin_owner
update_segment: rule:admin_only
update_service_profile: rule:admin_only
update_subnet: rule:admin_or_projectadmin_network_owner
update_subnet:service_types: rule:admin_only
update_subnet:wrs-provider:segmentation_id: rule:admin_only
update_subnetpool: rule:admin_or_projectadmin_owner
update_subnetpool:is_default: rule:admin_only
update_trunk: rule:admin_or_projectadmin_owner
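Review bot: `update_floatingip_port_forwarding` is out of order: it sits between `update_port:wrs-tm:qos` and `update_providernet`, while the rest of the file is sorted by key, so it belongs directly after `update_floatingip`. A consistency point as well: the five entries written as a bare `""` (`get_network_profile`, `get_network_profiles`, `get_policy_profile`, `get_policy_profiles`, `get_subports`) allow every authenticated caller, and the file already defines `regular_user: ""` for exactly that case; writing them as `rule:regular_user` makes the always-allow rules explicit and discoverable in one place when the file is audited.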


@ -0,0 +1,58 @@
conf:
policy:
admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner
admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required
admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner
admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required
context_is_admin: role:admin
os_compute_api:os-admin-password: rule:admin_or_projectadmin_owner
os_compute_api:os-attach-interfaces:create: rule:admin_or_projectadmin_owner
os_compute_api:os-attach-interfaces:delete: rule:admin_or_projectadmin_owner
os_compute_api:os-console-output: rule:admin_or_projectmember_owner
os_compute_api:os-consoles:create: rule:admin_or_projectmember_owner
os_compute_api:os-consoles:delete: rule:admin_or_projectmember_owner
os_compute_api:os-create-backup: rule:admin_or_projectadmin_owner
os_compute_api:os-deferred-delete: rule:admin_or_projectadmin_owner
os_compute_api:os-lock-server:lock: rule:admin_or_projectadmin_owner
os_compute_api:os-lock-server:unlock: rule:admin_or_projectadmin_owner
os_compute_api:os-pause-server:pause: rule:admin_or_projectadmin_owner
os_compute_api:os-pause-server:unpause: rule:admin_or_projectadmin_owner
os_compute_api:os-remote-consoles: rule:admin_or_projectmember_owner
os_compute_api:os-rescue: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups: rule:admin_or_projectadmin_owner
os_compute_api:os-server-groups:create: rule:admin_or_projectadmin_owner
os_compute_api:os-server-groups:delete: rule:admin_or_projectadmin_owner
os_compute_api:os-server-password: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:delete: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:delete_all: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:update: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:update_all: rule:admin_or_projectadmin_owner
os_compute_api:os-shelve:shelve: rule:admin_or_projectadmin_owner
os_compute_api:os-shelve:unshelve: rule:admin_or_projectadmin_owner
os_compute_api:os-suspend-server:resume: rule:admin_or_projectadmin_owner
os_compute_api:os-suspend-server:suspend: rule:admin_or_projectadmin_owner
os_compute_api:os-volumes-attachments:create: rule:admin_or_projectmember_owner
os_compute_api:os-volumes-attachments:delete: rule:admin_or_projectmember_owner
os_compute_api:os-volumes-attachments:update: rule:admin_or_projectadmin_required
os_compute_api:server-metadata:create: rule:admin_or_projectadmin_owner
os_compute_api:server-metadata:delete: rule:admin_or_projectadmin_owner
os_compute_api:server-metadata:update: rule:admin_or_projectadmin_owner
os_compute_api:server-metadata:update_all: rule:admin_or_projectadmin_owner
os_compute_api:servers:confirm_resize: rule:admin_or_projectadmin_owner
os_compute_api:servers:create: rule:admin_or_projectmember_owner
os_compute_api:servers:create_image: rule:admin_or_projectadmin_owner
os_compute_api:servers:delete: rule:admin_or_projectadmin_owner
os_compute_api:servers:reboot: rule:admin_or_projectadmin_owner
os_compute_api:servers:rebuild: rule:admin_or_projectadmin_owner
os_compute_api:servers:resize: rule:admin_or_projectadmin_owner
os_compute_api:servers:revert_resize: rule:admin_or_projectadmin_owner
os_compute_api:servers:start: rule:admin_or_projectadmin_owner
os_compute_api:servers:stop: rule:admin_or_projectadmin_owner
os_compute_api:servers:trigger_crash_dump: rule:admin_or_projectadmin_owner
os_compute_api:servers:update: rule:admin_or_projectadmin_owner
owner: project_id:%(project_id)s
projectadmin_and_owner: rule:projectadmin_required and rule:owner
projectadmin_required: role:project_admin
projectmember_and_owner: rule:projectmember_required and rule:owner
projectmember_required: role:project_admin or role:member
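Review bot: `os_compute_api:os-volumes-attachments:update` is the only server action here that uses `rule:admin_or_projectadmin_required`, which checks the role alone and not ownership of the instance (`projectadmin_required: role:project_admin`), whereas the neighbouring `os-volumes-attachments:create` and `:delete` entries are owner-scoped through `rule:admin_or_projectmember_owner`. If the intent is that a project_admin may only update volume attachments on servers in their own project, this should be `rule:admin_or_projectadmin_owner`; if it is meant to stay restricted to the cloud administrator, `rule:context_is_admin` is the safer choice. A short comment above the entry documenting the decision would help, since the file otherwise carries no explanation of the custom rule names.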


@ -0,0 +1,74 @@
#
# This script cleans up any remaining resource created by RBAC test scenarios
#
# Usage example:
# bash run-cleanup-all.sh
#
printf "WARNING: This script might DELETE some existing configuration if not \
used carefully, do you want to continue? \
('yes' to continue, anything else to cancel): "
read CONFIRMATION
if [[ ${CONFIRMATION^^} != 'YES' ]]; then
echo "Script execution cancelled."
exit 0
fi
printf "Cleaning up test resources...\n"
if [[ -z "${OS_CLOUD}" ]]; then
echo "\$OS_CLOUD needs to be set before running this script"
exit
else
echo "Running cleanup script using OS_CLOUD=$OS_CLOUD"
fi
echo "removing security groups"
openstack security group list | grep "sg" | \
awk '{ system("openstack security group delete " $2) }'
echo "removing floating ips"
FIPS=$(openstack floating ip list | grep -vE "ID|---" | awk '{ print $2 }')
for FIP in $FIPS; do
FIP_PFS=$(openstack floating ip port forwarding list $FIP |\
grep -vE "ID|---" | awk '{ print $2 }')
for FIP_PF in $FIP_PFS; do
openstack floating ip port forwarding delete $FIP $FIP_PF
done
openstack floating ip delete $FIP
done
echo "removing routers"
ROUTERS=$(openstack router list | grep "vr" | awk '{ print $2 }')
for ROUTER in $ROUTERS; do
SUBNET=$(openstack router show $ROUTER | grep interfaces_info | \
awk '{ print $5 }' | sed 's/[",]//g')
openstack router remove subnet $ROUTER $SUBNET
openstack router delete $ROUTER
done
echo "removing servers"
openstack server list --all-projects | grep -E "vm[12]" | \
awk '{ system("openstack server delete " $2 " --wait") }'
echo "removing trunks"
openstack network trunk list | grep -E "trunk" | \
awk '{ system("openstack network trunk delete " $2) }'
echo "removing ports"
openstack port list | grep -E "port[12]" | \
awk '{ system("openstack port delete " $2) }'
echo "removing subnets"
openstack subnet list | grep -E "[^-]subnet[12]" | \
awk '{ system("openstack subnet delete " $2) }'
echo "removing networks"
openstack network list | grep -E "network[12]|extnet[12]" | \
awk '{ system("openstack network delete " $2) }'
echo "removing subnet pools"
openstack subnet pool list | grep "subnetpool" | \
awk '{ system("openstack subnet pool delete " $2) }'
echo "removing address scopes"
openstack address scope list | grep "addrscope" | \
awk '{ system("openstack address scope delete " $2) }'
openstack user delete user11 user12 user13 user21 user22 user23
openstack project delete project1 project2
openstack image delete cirros
printf "Cleanup finished.\n"
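Review bot: the server cleanup step has the widest blast radius in the script and its filter is too loose: `openstack server list --all-projects | grep -E "vm[12]"` matches any row in any project that merely contains `vm1` or `vm2` (a server named `myvm12`, for example), and every match is deleted with `--wait`. Match the name column exactly instead, e.g. `awk '$4 ~ /^vm[12]$/ { system("openstack server delete " $2 " --wait") }'`, and scope the listing with `--project project1 --project project2` rather than `--all-projects`, since those are the only projects the tests create (they are deleted a few lines later). The same substring problem applies to the `sg`, `trunk`, `port[12]`, `network[12]|extnet[12]`, `subnetpool` and `addrscope` patterns; the `[^-]subnet[12]` pattern shows it was already noticed for subnets. Two smaller points: the `$OS_CLOUD` check ends with a bare `exit`, so a run that stops because the variable is unset returns status 0 and is indistinguishable from a successful cleanup in a pipeline, and should be `exit 1`; and the script depends on bash (`[[ ]]`, `${CONFIRMATION^^}`) but has no `#!/usr/bin/env bash` line, so it should get one, ideally with `set -u` so an unset variable cannot expand to an empty argument in a delete command.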