Consistent and Secure RBAC Cleanup

Registered by Brian Rosmaita

The "Consistent and Secure RBAC" community goal is being revised (again) after receiving feedback from operators at the OpenStack summit. What this means for Cinder is that the work we did in Xena and Yoga mostly satisfies the goal. What remains is to do some cleanup:

- Revise the comment and strategy outlined in [0]. We won't be adding scope_types to any of the rules, and we won't be using any checkstrings that contain a "system_scope:XXX" specification.

- Verify that the policies-in-code behave as follows:
  * the deprecated policies in effect when oslo.policy is configured with 'enforce_new_defaults=False' should give us the legacy "rule:admin" or "rule:admin_or_owner" permissions (thus, we need to be careful about removing policies deprecated in Xena). The legacy policies basically just recognize role:admin as giving admin powers, and check that the project_id of the requestor matches the project_id associated with the resource to recognize an "owner" (i.e., no role checking is involved).
  * when oslo.policy is configured with 'enforce_new_defaults=True', we should get the behavior specified for the 3 personas in the Xena/Yoga permission matrices (project-reader, project-member, and system-admin).

- Abandon the currently proposed policy matrix for Zed [1] and replace it with an updated version of the Yoga matrix (possibly restoring the legacy admin and legacy user columns from the Xena matrix, since that would give operators the entire picture of what you can expect based on your setting of enforce_new_defaults + whether you are using an appropriate version of keystone whose bootstrap process creates the expected roles and implied role relations + whether you have assigned users the appropriate roles).

- Add cinder-tempest-plugin support for testing policies.
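
The two behaviours to verify above, as an added example (not Cinder's or oslo.policy's code): a small Python model of how oslo.policy combines a rule's new default with its deprecated_rule depending on enforce_new_defaults. The rule names, check strings and credentials are constructed stand-ins for those in base.py, and only the check-string subset Cinder uses is modelled.

```python
# Hypothetical model of oslo.policy's enforce_new_defaults switch, constructed
# for illustration; not Cinder's or oslo.policy's code. Supports only the
# check-string subset Cinder uses: role:, project_id:%(project_id)s, rule:, and, or.

# Legacy Xena-era rules (constructed to match the behaviour described above).
LEGACY_RULES = {
    "admin_api": "role:admin",
    "admin_or_owner": "rule:admin_api or project_id:%(project_id)s",
}

# New defaults for the three Yoga-matrix personas (constructed).
NEW_RULES = {
    "system_admin": "role:admin",
    "project_member": "role:member and project_id:%(project_id)s",
    "project_reader": "role:reader and project_id:%(project_id)s",
}

# policy name -> (new check string, deprecated check string); constructed.
POLICIES = {
    "volume:get": ("rule:project_reader or rule:system_admin", "rule:admin_or_owner"),
    "volume:delete": ("rule:project_member or rule:system_admin", "rule:admin_or_owner"),
}


def _atom(atom, rules, creds, target):
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "project_id":  # value is the "%(project_id)s" target template
        pid = creds.get("project_id")
        return pid is not None and pid == target.get("project_id")
    if kind == "rule":
        return _check(rules[value], rules, creds, target)
    raise ValueError(f"unsupported check: {atom}")


def _check(check_str, rules, creds, target):
    # "and" binds tighter than "or", as in oslo.policy's grammar.
    return any(all(_atom(a.strip(), rules, creds, target) for a in clause.split(" and "))
               for clause in check_str.split(" or "))


def authorize(policy, creds, target, enforce_new_defaults):
    """True if creds may perform `policy` on `target`. With
    enforce_new_defaults=False, oslo.policy ORs the deprecated rule with the
    new default, which is what keeps legacy admin_or_owner working."""
    new_check, deprecated_check = POLICIES[policy]
    rules = {**LEGACY_RULES, **NEW_RULES}
    if _check(new_check, rules, creds, target):
        return True
    return not enforce_new_defaults and _check(deprecated_check, rules, creds, target)
```

A role-less requester in the owning project passes only in legacy mode, while a project-reader can read but not delete, and role:admin works in both modes regardless of project.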

What we will *not* be doing:
- support for the project-manager persona
- isolating service API calls and implementing some kind of service role (it's still not clear exactly what would satisfy this)

[0] https://opendev.org/openstack/cinder/src/commit/fae0e8dcb430bfe2d00b5360c56aa2e936f5f78c/cinder/policies/base.py#L193-L248
[1] https://review.opendev.org/c/openstack/cinder/+/835525

Blueprint information

Status: Started
Approver: None
Priority: Undefined
Drafter: Brian Rosmaita
Direction: Needs approval
Assignee: None
Definition: New
Series goal: Accepted for zed
Implementation: Started
Milestone target: None
Started by: Brian Rosmaita
