openstack/governance
Code Issues Proposed changes
Files
922699aadeb7ca04a1a999a876c1e7288858f62b
governance/goals/selected/yoga/consistent-and-secure-rbac.rst
Ghanshyam Mann 922699aade Select secure RBAC community-wide goal for Yoga cycle 
Change-Id: Ic365d05bdccaa9d9ea76a2314084eb34fa79f5ed
2021-08-06 11:20:10 -05:00

4.4 KiB
Raw Blame History

Consistent and Secure Default RBAC

Existing policy defaults suffer from three major faults:

  1. The admin-ness problem: use of policy rules like 'is_admin' or hard-coded is-admin checks results in the admin-anywhere-admin-everywhere problem and drastically inhibits true multi-tenancy since by default customers cannot have admin rights on their own projects or domains.
  2. Insecure custom roles: many policy rules simply use "" as the rule, which means there is no rule: anyone can perform that action. This means creation of a custom role (say, "nova-autoscaler" requires editing every policy file across every service to block users with such a rule from performing actions unrelated to their role
  3. Related to #2, no support for read-only roles: keystone now has a "reader" role that comes out of the box when keystone is bootstrapped, but it currently has very little value because of the use of empty rules in service policies: users with the "reader" role can still perform write actions on services if the policy rule for such an action is empty.

To solve the above issues, Keystone comes with member, admin and reader roles. OpenStack Services should use these default roles

Keystone also implemented the new concept Scope Type to define which users are global administrators.

Keystone, Nova and many other projects have migrated their default policies to:

  1. Use oslo.policy's scope_types attribute, which allows the policy engine to understand "system scope" and distinguish between an admin role assignment on a project versus an admin role assignment on the entire system.
  2. Ensure all rules use one of the default roles (admin, member, and reader), which both ensure support for a read-only role and prevent custom roles from accidental over-permissiveness.

Completed pre-work related to this goal:

  • From Rocky to Train cycle, Keystone implemented and migrated their policies to new defaults and scope_type
  • In the ussuri cycle, Nova migrated their policies to new RBAC
  • In the ussuri cycle, we created the policy popup team to trigger this work for more projects.
  • In the victoria cycle, we completed the oslo policy framework to migrate default policy format from JSON to YAML
  • In the wallaby cycle, we completed the community-wide goal of migrating the policy format from JSON to YAML for all the OpenStack services
  • In the wallaby and xena cycle, many projects completed or started the new RBAC work.
Refer to the policy pop-up team wiki page for the details:

https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team

Champion

  1. Lance Bragstad <lbragstad@redhat.com> (lbragstad)
  2. Ghanshyam Mann <gmann@ghanshyammann.com> (gmann)

Gerrit Topic

To facilitate tracking, commits related to this goal should use the gerrit topic:

secure-rbac

Completion Criteria

  1. Migrate the API policies to new defaults. But keep legacy policies rule supported as deprecated rules.
  2. Add scope_type to the policies. By default, scope checks will be disabled.
  3. Test coverage for the legacy and new RBAC.

References

Current State / Anticipated Impact

Around nine projects have completed the work, and five are in progress.