From b269c140a7bfdd0f877b57e87442d5c6115f654a Mon Sep 17 00:00:00 2001 From: Goutham Pacha Ravi Date: Tue, 16 Apr 2024 17:13:08 -0700 Subject: [PATCH] RBAC: Enable "new" defaults and scope checks Enable new defaults and scope checks by default As discussed in PTG, we need to test the new RBAC and accordingly enable the new defaults and scope check by default. Change-Id: I02a2b7e9296e3034d7c20656a12cbdb2cb7a3182 Signed-off-by: Goutham Pacha Ravi --- manila/policy.py | 5 ++++ manila/tests/api/v2/test_share_snapshots.py | 3 +++ ...enable-enforce-scope-c2d57db049741896.yaml | 24 +++++++++++++++++++ requirements.txt | 2 +- 4 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml
diff --git a/manila/policy.py b/manila/policy.py
index 16c90a7435..a551404f1f 100644
--- a/manila/policy.py
+++ b/manila/policy.py
@@ -37,6 +37,11 @@ _ENFORCER = None
 # https://github.com/openstack/oslo.policy/blob/a626ad12fe5a3abd49d70e3e5b95589d279ab578/oslo_policy/opts.py#L49
 DEFAULT_POLICY_FILE = 'policy.yaml'
 opts.set_defaults(CONF, DEFAULT_POLICY_FILE)
+opts.set_defaults(
+ cfg.CONF,
+ DEFAULT_POLICY_FILE,
+ enforce_scope=True,
+ enforce_new_defaults=True)
 def reset():
diff --git a/manila/tests/api/v2/test_share_snapshots.py b/manila/tests/api/v2/test_share_snapshots.py
index b2ee957a57..c37d601c95 100644
--- a/manila/tests/api/v2/test_share_snapshots.py
+++ b/manila/tests/api/v2/test_share_snapshots.py
@@ -66,6 +66,9 @@ class ShareSnapshotAPITest(test.TestCase):
 stubs.stub_snapshot_get)
 self.mock_object(share_api.API, 'snapshot_update',
 stubs.stub_snapshot_update)
+self.mock_object(
+ policy, 'check_policy', mock.Mock(return_value=True)
+ )
 self.snp_example = {
 'share_id': 100,
 'size': 12,
diff --git a/releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml b/releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml
new file mode 100644
index 0000000000..0051546ec5
--- /dev/null
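Review bot: The added `opts.set_defaults(cfg.CONF, ...)` in manila/policy.py leaves the existing `opts.set_defaults(CONF, DEFAULT_POLICY_FILE)` directly above it in place, so the policy-file default is set twice, and the new call names `cfg.CONF` where the surrounding module uses `CONF` (whether `cfg` is imported in this module is not visible in the hunk). Folding both into a single call, `opts.set_defaults(CONF, DEFAULT_POLICY_FILE, enforce_scope=True, enforce_new_defaults=True)`, keeps one place where manila's policy defaults diverge from oslo.policy's and removes the duplicate. The comment above only links to oslo.policy's opts.py; it should state why the defaults are overridden here, e.g. `# Override oslo.policy's defaults: require scoped tokens and use the new RBAC rule defaults; both stay operator-configurable under [oslo_policy].`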
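Review bot: Stubbing `policy.check_policy` with `mock.Mock(return_value=True)` in what appears to be the class-wide setUp of `ShareSnapshotAPITest` (the enclosing method starts and ends outside the hunk) disables authorization for every test in the class, so none of them can catch a regression in the scope and new-default checks this commit turns on, and any test that expects a 403 from the policy layer would only work by re-stubbing the mock. Prefer limiting the stub to the tests that need it, or keep a reference to it, `self.mock_policy = self.mock_object(policy, 'check_policy', mock.Mock(return_value=True))`, and have the individual tests assert it was invoked with the expected rule (the `check_policy` signature is not visible here). The `policy` and `mock` names must also be imported by this module, which the hunk does not show.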
+++ b/releasenotes/notes/enable-enforce-scope-c2d57db049741896.yaml
@@ -0,0 +1,24 @@
+---
+upgrade:
+ - |
+ The service now requires a user's "scope" to be defined with the OpenStack
+ Identity service (Keystone) by the virtue of default Role Based Access
+ Control (RBAC). This is being done in addition to changing the
+ RBAC rules for GET requests to permit users possessing the "reader" role.
+ The Default value of config options ``[oslo_policy] enforce_scope`` and
+ ``[oslo_policy] oslo_policy.enforce_new_defaults`` has now changed
+ to ``True``. This means that, if you are using system scoped tokens to
+ access Manila's API, requests will fail with HTTP 403. Users must
+ obtain a project scoped token to interact with the Manila API. You
+ may also provide users with "reader" role where appropriate if they
+ intend to make read-only API requests to Manila. If you would like to
+ disable these changes, modify ``manila.conf`` file to set::
+
+ [oslo_policy]
+ enforce_new_defaults=False
+ enforce_scope=False
+
+ However, be aware that you may not be able to disable these options in
+ the future. Please see `OpenStack's Consistent and Secure Default RBAC
+ goal `_ for more details
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index 8c7844a508..731fdd422d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -21,7 +21,7 @@ oslo.i18n>=5.0.1 # Apache-2.0
 oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=14.1.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
-oslo.policy>=3.7.0 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
 oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0