Update enhanced RBAC policies for OpenStack@2023.1

After upgrading the OpenStack services to its 2023.1 (Antelope) release,
the RBAC policies used for test also required several updates, mainly
due to:
* Deprecated policies
* Policies that were split for more fine grained control
* Policies that had their default rule modified
* openstack-client errors that now include the 403 Forbidden when
  blocking a given user

It was also noticed that the project_read_only user was not able to list
servers (servers:detail, servers:index and servers:show).
This would cause several other failures, and we assume that this is a
default behavior that changed from Ussuri to 2023.1.
So the actual "projectreadonly_required" role key was added to be used
for policies that should be allowed to the read_only user.

Story: 2010715
Task: 49259

TEST PLAN:
PASS - Apply new enhanced RBAC policies YAML files
      * system helm-override-update
PASS - Proceed with the documentation steps for configuring users
PASS - Ensure policies are working as expected (250 automated TCs)

Change-Id: Ia6036b2be694c27f6cc7ca2fded40f32862eca85
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
Thales Elero Cervi 2023-12-13 20:02:16 -03:00
parent c593f29a84
commit 5a8c1e5480
3 changed files with 22 additions and 9 deletions

@ -14,7 +14,7 @@ It's important that all the overrides files get applied, some of the rules prese
Setting up the environment
--------------------------
Make sure you have access to the Openstack CLI, follow the instructions on [this doc.](https://docs.starlingx.io/deploy_install_guides/r5_release/openstack/access.html#id4)
Make sure you have access to the Openstack CLI, follow the instructions on [this doc.](https://docs.starlingx.io/system_configuration/openstack/enhanced-rbac-policies.html)
1. Transfer the policies to your cloud's controller:
```
@ -120,10 +120,10 @@ Please follow the instructions below to test the enhanced policies on your syste
pytest tests/
```
On WindRiver Openstack:
On Custom envs (Openstack):
```
export OS_CLOUD=openstack
pytest tests/ --env wro
pytest tests/ --env custom-o
```
If things go awry...
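Review bot: The `--env wro` to `--env custom-o` rename in this hunk is a user-visible change to the test CLI that none of the four bullets in the commit message covers; add a line to the message naming the rename, and confirm that whatever in `tests/` parses `--env` accepts `custom-o`, since this README line is the only place the new value appears in the change.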
@ -146,4 +146,4 @@ Role Permission Details
|---|:---|:---|:---|:---|:---|
|member|All operations that legacy role '_member_' can do|1 - Can get list and detail of instances<br>2 - Can create instance/Can open console of instances<br>3 - Can access log of instance<br>4 - Can manage keypairs of his/her own|1 - Can only create/update/delete port<br>2 - Can get list and detail of resources: subnetpool, address scope, networks, subnets, etc.|1,can create and update image, upload image content<br>|1 - Can create volume<br>2 - Can create volume from image<br>3 - Can create volume snapshot<br>4 - Can create volume-backup|
|project_admin|all operations that legacy role '_member_' can do;|all operations that legacy role '_member_' can do<br>|1 - All operations that legacy role '_member_' can do<br>2 - Can create/update/delete 'shared' subnetpool<br>3 - Can create/update/delete address scope<br>4 - Can create/update/delete shared network<br>|1 - All operations that legacy role '_member_' can do<br>2 - Can publicize_image<br>|1 - All operations that legacy role '_member_' can do|
|project_readonly|all operations that legacy role '_member_' can do<br>|1 - Can only get list and detail of instances<br>2 - Can manage key-pairs of his/her own|1 - Can only get list and detail of resources: subnetpool, address scopes, networks, subnets,etc.|1 - Can only get list and detail of images|1 - Can only get list and detail of volumes, backups, snapshots|
|project_readonly|all operations that legacy role '_member_' can do<br>|1 - Can only get list and detail of instances<br>2 - Can manage key-pairs of his/her own|1 - Can only get list and detail of resources: subnetpool, address scopes, networks, subnets,etc.|1 - Can only get list and detail of images|1 - Can only get list and detail of volumes, backups, snapshots|
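Review bot: The removed and added `project_readonly` rows read identically here, so this looks like a whitespace-only edit; either drop the hunk or say so in the commit message. More to the point, the row still grants `project_readonly` "all operations that legacy role '_member_' can do" in the summary column while every service column says "Can only get list and detail", and the nova hunks in this change route `servers:index`/`servers:detail`/`servers:show` through the new read-only rule; the summary cell should say read-only as well so the table matches the policy files it documents.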

@ -55,7 +55,6 @@ conf:
modify_metadef_object: rule:admin_or_projectadmin_owner
modify_metadef_property: rule:admin_or_projectadmin_owner
modify_metadef_tag: rule:admin_or_projectadmin_owner
modify_task: rule:admin_or_projectadmin_owner
publicize_image: rule:admin_or_projectadmin_required
reactivate: rule:admin_or_projectadmin_owner
remove_metadef_property: rule:admin_or_projectadmin_owner
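Review bot: This hunk drops one glance policy line (`-55,7 +55,6`) with no replacement; as the commit message cites deprecated policies, name the removed key in the message so a reviewer can confirm it is really gone from glance in 2023.1 rather than the override silently reverting to the service's built-in default for a key that still exists.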

@ -4,6 +4,7 @@ conf:
admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required
admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner
admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required
admin_or_projectreadonly_required: rule:context_is_admin or rule:projectreadonly_required
context_is_admin: role:admin
os_compute_api:os-admin-password: rule:admin_or_projectadmin_owner
os_compute_api:os-attach-interfaces:create: rule:admin_or_projectadmin_owner
@ -12,17 +13,25 @@ conf:
os_compute_api:os-consoles:create: rule:admin_or_projectmember_owner
os_compute_api:os-consoles:delete: rule:admin_or_projectmember_owner
os_compute_api:os-create-backup: rule:admin_or_projectadmin_owner
os_compute_api:os-deferred-delete: rule:admin_or_projectadmin_owner
os_compute_api:os-deferred-delete:force: rule:admin_or_projectadmin_owner
os_compute_api:os-deferred-delete:restore: rule:admin_or_projectadmin_owner
os_compute_api:os-lock-server:lock: rule:admin_or_projectadmin_owner
os_compute_api:os-lock-server:unlock: rule:admin_or_projectadmin_owner
os_compute_api:os-pause-server:pause: rule:admin_or_projectadmin_owner
os_compute_api:os-pause-server:unpause: rule:admin_or_projectadmin_owner
os_compute_api:os-remote-consoles: rule:admin_or_projectmember_owner
os_compute_api:os-rescue: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups:add: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups:create: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups:delete: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups:get: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups:list: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups:remove: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups:show: rule:admin_or_projectadmin_owner
os_compute_api:os-security-groups:update: rule:admin_or_projectadmin_owner
os_compute_api:os-server-groups:create: rule:admin_or_projectadmin_owner
os_compute_api:os-server-groups:delete: rule:admin_or_projectadmin_owner
os_compute_api:os-server-password: rule:admin_or_projectadmin_owner
os_compute_api:os-server-password:clear: rule:admin_or_projectadmin_owner
os_compute_api:os-server-password:show: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:delete: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:delete_all: rule:admin_or_projectadmin_owner
os_compute_api:os-server-tags:update: rule:admin_or_projectadmin_owner
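Review bot: Every key added in this hunk for a split policy (`os-deferred-delete:force`/`:restore`, the `os-security-groups:*` set, `os-server-password:clear`/`:show`) inherits `rule:admin_or_projectadmin_owner` uniformly, including the pure read keys `os-security-groups:get`, `:list`, `:show` and `os-server-password:show`. After this change a `project_readonly` user can list servers but not the security groups attached to them; if that is intended, record it in the role table, otherwise give these read keys a read-only composite that keeps the `rule:owner` term. Also list in the commit message which umbrella keys the split ones replace, since the hunk header shows more lines added than removed and the mapping is not stated anywhere.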
@ -31,6 +40,7 @@ conf:
os_compute_api:os-shelve:unshelve: rule:admin_or_projectadmin_owner
os_compute_api:os-suspend-server:resume: rule:admin_or_projectadmin_owner
os_compute_api:os-suspend-server:suspend: rule:admin_or_projectadmin_owner
os_compute_api:os-unrescue: rule:admin_or_projectadmin_owner
os_compute_api:os-volumes-attachments:create: rule:admin_or_projectmember_owner
os_compute_api:os-volumes-attachments:delete: rule:admin_or_projectmember_owner
os_compute_api:os-volumes-attachments:update: rule:admin_or_projectadmin_required
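Review bot: `os-volumes-attachments:update` is bound to `rule:admin_or_projectadmin_required` while `:create` and `:delete` beside it use `rule:admin_or_projectmember_owner`; the `_required` composite has no `rule:owner` term, so as far as this rule goes a `project_admin` passes the check regardless of which project owns the attachment. Unless the upstream target for this action makes the owner term moot, use `rule:admin_or_projectadmin_owner` here, as the other project_admin-gated actions in this file do.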
@ -42,10 +52,13 @@ conf:
os_compute_api:servers:create: rule:admin_or_projectmember_owner
os_compute_api:servers:create_image: rule:admin_or_projectadmin_owner
os_compute_api:servers:delete: rule:admin_or_projectadmin_owner
os_compute_api:servers:detail: rule:admin_or_projectreadonly_required
os_compute_api:servers:index: rule:admin_or_projectreadonly_required
os_compute_api:servers:reboot: rule:admin_or_projectadmin_owner
os_compute_api:servers:rebuild: rule:admin_or_projectadmin_owner
os_compute_api:servers:resize: rule:admin_or_projectadmin_owner
os_compute_api:servers:revert_resize: rule:admin_or_projectadmin_owner
os_compute_api:servers:show: rule:admin_or_projectreadonly_required
os_compute_api:servers:start: rule:admin_or_projectadmin_owner
os_compute_api:servers:stop: rule:admin_or_projectadmin_owner
os_compute_api:servers:trigger_crash_dump: rule:admin_or_projectadmin_owner
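Review bot: `servers:show` now uses `rule:admin_or_projectreadonly_required`, a role-only rule with no `rule:owner` term, while the other per-resource read policy in this file, `os-server-password:show`, keeps the `_owner` form. A role check is reasonable for `index` and `detail`, but `show` targets one specific server; confirm the enforcement target still ties it to the caller's project, or add an `admin_or_projectreadonly_owner` composite (`rule:context_is_admin or (rule:projectreadonly_required and rule:owner)`) and use it for `show`.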
@ -55,4 +68,5 @@ conf:
projectadmin_required: role:project_admin
projectmember_and_owner: rule:projectmember_required and rule:owner
projectmember_required: role:project_admin or role:member
projectreadonly_required: role:project_admin or role:member or role:project_readonly
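Review bot: `projectreadonly_required` restates the members of `projectmember_required` from the line above; write it as `rule:projectmember_required or role:project_readonly` so the role hierarchy lives in one place and a role later added to `projectmember_required` reaches the read-only rule automatically.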