Policy Default Refresh

Registered by Ghanshyam Mann on 2019-03-21

Ideally most operators should be able to run without modifying policy, as
such we need to have richer defaults.

When operators must modify the policy, or need to audit the defaults, they are
thinking about API operations what policy to change, so the policy should
always clearly relate to the API node the code.

To improve the Nova policies in term of self-service and rich defaults roles, we need multiple updates :
1. making the policy rules granular to add scope_type and new defaults roles - https://blueprints.launchpad.net/nova/+spec/granular-api-policy

2. scope - Adding the correct scope_type with global and project access

3. Defaults roles, keystone now has new defaults roles like reader, admin, member which can be applied with each scope_type.

More details in spec.

Blueprint information

Status:
Complete
Approver:
melanie witt
Priority:
Medium
Drafter:
Ghanshyam Mann
Direction:
Approved
Assignee:
Ghanshyam Mann
Definition:
Approved
Series goal:
Accepted for ussuri
Implementation:
Implemented
Milestone target:
milestone icon ussuri-3
Started by
melanie witt on 2019-07-11
Completed by
Balazs Gibizer on 2020-04-23

Related branches

Sprints

Whiteboard

Spec - https://review.openstack.org/#/c/547850

Gerrit topic: https://review.opendev.org/#/q/topic:bp/policy-default-refresh

Addressed by: https://review.opendev.org/547850
    Spec for API policy updates

Gerrit topic: https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh

Gerrit topic: https://review.opendev.org/#/q/topic:policy

Addressed by: https://review.opendev.org/657697
    Better policy unit tests

Addressed by: https://review.opendev.org/657696
    Move default policy target

Addressed by: https://review.opendev.org/657698
    Add functional test for admin_actions

Addressed by: https://review.opendev.org/657823
    WIP: add scope check, see tests catch the change

Addressed by: https://review.opendev.org/645427
    WIP:Introduce scope_types in os-services

Addressed by: https://review.opendev.org/645452
    Add new default roles and mapping in policy base class

Addressed by: https://review.opendev.org/648480
    WIP: Add new default roles in os-services API policies

Addressed by: https://review.opendev.org/662968
    WIP:Introduce scope_types in servers API

Addressed by: https://review.opendev.org/662971
    WIP: Add new default roles in servers API policies

Addressed by: https://review.opendev.org/663095
    Ensure we pass a target in admin actions

Addressed by: https://review.opendev.org/669181
    Add test coverage of existing os-services policies

Addressed by: https://review.opendev.org/669196
    Fix followup comments of policy-defaults-refresh spec

Gerrit topic: https://review.opendev.org/#/q/topic:service-scope

Addressed by: https://review.opendev.org/669578
    Add test coverage of existing os-agents policies

Spec merged on 2019-07-02, approved for Train. -- melwitt 20190711

Addressed by: https://review.opendev.org/674038
    Pass RequestContext to oslo_policy

Gerrit topic: https://review.opendev.org/#/q/topic:service-system-scope

Addressed by: https://review.opendev.org/676670
    Add policy deprecation fixture and Suppress warnings in tests

Addressed by: https://review.opendev.org/676682
    Add new default roles in Admin Action API policies

Addressed by: https://review.opendev.org/676688
    Pass the target in os-services APIs policy

We're 1 week from feature freeze for Train and there are a lot of open changes left for this that haven't had a lot (or maybe any on some patches) core review and since this impacts policy which impacts upgrades, it has some risk so we're deferring to Ussuri. -- mriedem 20190905

Addressed by: https://review.opendev.org/686058
    Re-propose policy-defaults-refresh spec for Ussuri

Addressed by: https://review.opendev.org/700797
    Fix the suppress of policy deprecation warnings

Addressed by: https://review.opendev.org/701624
    Deprecate base rules in favor of new rules

Addressed by: https://review.opendev.org/701629
    Add test coverage of existing admin_password policies

Addressed by: https://review.opendev.org/701630
    Introduce scope_types in os-admin-password

Addressed by: https://review.opendev.org/701639
    Add new default roles in os-admin-password policies

Addressed by: https://review.opendev.org/701642
    Pass the actual target in os-admin-password policy

Addressed by: https://review.opendev.org/701644
    Add test coverage of existing os-agents policies

Addressed by: https://review.opendev.org/701645
    Introduce scope_types in os-agents policy

Addressed by: https://review.opendev.org/701648
    Add new default roles in os-agents policies

Addressed by: https://review.opendev.org/701649
    Pass the actual target in os-agents policy

Addressed by: https://review.opendev.org/701651
    Add test coverage of existing os-aggregates policies

Addressed by: https://review.opendev.org/701652
    Introduce scope_types in os-aggregates policy

Addressed by: https://review.opendev.org/701654
    Add new default roles in os-aggregates policies

Addressed by: https://review.opendev.org/701656
    Pass the actual target in os-aggregates policy

Addressed by: https://review.opendev.org/701835
    Add test coverage of existing os-assisted_volume_snapshots policies

Addressed by: https://review.opendev.org/701837
    Introduce scope_types in os-assisted_volume_snapshots policy

Addressed by: https://review.opendev.org/701840
    Add new default roles in os-assisted_volume_snapshots policies

Addressed by: https://review.opendev.org/701841
    Pass the actual target in os-assisted_volume_snapshots policy

[efried 20200116] Marking definition:approved as the spec was merged in October.

Addressed by: https://review.opendev.org/705126
    Add test coverage of existing attach_interfaces policies

Addressed by: https://review.opendev.org/705127
    Remove old policy enforcement in attach_interfaces

Addressed by: https://review.opendev.org/705799
    Introduce scope_types in os-attach-interfaces

Addressed by: https://review.opendev.org/706470
    Add new default roles in os-instance-actions policies

Addressed by: https://review.opendev.org/706672
    Add new default roles in os-atttach-inerfaces policies

Addressed by: https://review.opendev.org/706682
    Add test coverage of existing availability-zone policies

Addressed by: https://review.opendev.org/706684
    Add new default roles in os-availability-zone policies

Addressed by: https://review.opendev.org/706686
    Add new default roles in os-availability-zone policies

Addressed by: https://review.opendev.org/706687
    Add test coverage of existing os-console-auth-tokens policies

Addressed by: https://review.opendev.org/706688
    Introduce scope_types in os-console-auth-tokens

Addressed by: https://review.opendev.org/706689
    Add new default roles in os-console-auth-tokens policies

Addressed by: https://review.opendev.org/706690
    Pass the actual target in os-console-auth-tokens policy

Addressed by: https://review.opendev.org/706691
    Pass the actual target in os-availability-zone policy

Addressed by: https://review.opendev.org/706724
    Add test coverage of existing console_output policies

Addressed by: https://review.opendev.org/706726
    Add test coverage of existing create_backup policies

Addressed by: https://review.opendev.org/707038
    Introduce scope_types in os-create-backup

Addressed by: https://review.opendev.org/707039
    Add new default roles in os-create-backup policies

Addressed by: https://review.opendev.org/707040
    Introduce scope_types in os-console-output

Addressed by: https://review.opendev.org/707041
    Add new default roles in os-console-output policies

Addressed by: https://review.opendev.org/707455
    Add test coverage of existing deferred_delete policies

Addressed by: https://review.opendev.org/707476
    Introduce scope_types in os-deferred_delete

Addressed by: https://review.opendev.org/707485
    Add new default roles in os-deferred_delete policies

Addressed by: https://review.opendev.org/707751
    Introduce scope_types in os-instance-action policy

Addressed by: https://review.opendev.org/707777
    Add test coverage of existing os-instance-actions policies

Addressed by: https://review.opendev.org/708230
    Add test coverage of existing evacuate policies

Addressed by: https://review.opendev.org/708235
    Introduce scope_types in os-evacuate

Addressed by: https://review.opendev.org/708237
    Add new default roles in os-evacuate policies

[efried 20200220] Agreed in the Nova meeting to Direction:Approve all Definition:Approved blueprints http://eavesdrop.openstack.org/meetings/nova/2020/nova.2020-02-20-14.00.log.html#l-131

Addressed by: https://review.opendev.org/709388
    Introduce scope_types in os-volumes-attachments policy

Addressed by: https://review.opendev.org/709929
    Add test coverage of existing os-volumes-attachments policies

Addressed by: https://review.opendev.org/709955
    Fix os-volumes-attachments policy to be admin_or_owner

Addressed by: https://review.opendev.org/710190
    Add new default roles in os-volumes-attachments policies

Addressed by: https://review.opendev.org/710411
    Remove fatal=False from os-instance-actions show API

Addressed by: https://review.opendev.org/693828
    Add PATCH volume attachments api to os-volume_attachments

Addressed by: https://review.opendev.org/711194
    Add new policy to PATCH update volume API

Addressed by: https://review.opendev.org/706179
    Add SYSTEM_READER role to servers actions API

Addressed by: https://review.opendev.org/710813
    Add a tests to check when legacy access is removed

Addressed by: https://review.opendev.org/711791
    Granular GET os-instance-actions API policies

Addressed by: https://review.opendev.org/711794
    nit: Fix NOTE error of fatal=False

Addressed by: https://review.opendev.org/711734
    [Trivial] Fix code comment of admin password tests

Addressed by: https://review.opendev.org/710965
    Add functional tests for PATCH volume attachments API

Addressed by: https://review.opendev.org/712515
    Cleanup test for system reader and reader_or_owner rules

Gerrit topic: https://review.opendev.org/#/q/topic:bp/destroy-instance-with-datavolume

Gerrit topic: https://review.opendev.org/#/q/topic:bp/action-event-fault-details

Addressed by: https://review.opendev.org/713556
    Add test coverage of existing flavor_access policies

Gerrit topic: https://review.opendev.org/#/q/topic:bug/1867840

Addressed by: https://review.opendev.org/713559
    Introduce scope_types in os-flavor-access

Addressed by: https://review.opendev.org/713697
    Add new default roles in os-flavor-access policies

Addressed by: https://review.opendev.org/714560
    [Trivial] fixing some nits in instance actions policy tests

Addressed by: https://review.opendev.org/714814
    Add test coverage of existing flavor_manage policies

Addressed by: https://review.opendev.org/714818
    Introduce scope_types in os-flavor-manage

Addressed by: https://review.opendev.org/714819
    Add new default roles in os-flavor_manage policies

Addressed by: https://review.opendev.org/714822
    Pass the actual target in os-flavor-manage policy

Addressed by: https://review.opendev.org/715029
    Add test coverage of existing hypervisors policies

Addressed by: https://review.opendev.org/715036
    Introduce scope_types in os-hypervisors

Addressed by: https://review.opendev.org/715071
    Add new default roles in os-hypervisors policies

Addressed by: https://review.opendev.org/715074
    Pass the actual target in os-hypervisors policy

Addressed by: https://review.opendev.org/715080
    Add test coverage of existing instance usage log policies

Addressed by: https://review.opendev.org/715082
    Introduce scope_types in os-instance-usage-audit-log

Addressed by: https://review.opendev.org/715085
    Add new default roles in os-instance-usage-audit-log policies

Addressed by: https://review.opendev.org/715089
    Pass the actual target in os-instance-usage-audit-log policy

Addressed by: https://review.opendev.org/715477
    Add test coverage of existing ips policies

Addressed by: https://review.opendev.org/715529
    Introduce scope_types in os-ips

Addressed by: https://review.opendev.org/715545
    Add new default roles in os-ips policies

Addressed by: https://review.opendev.org/715674
    Add test coverage of existing limits policies

Addressed by: https://review.opendev.org/715678
    Combine the limits policies in single place

Addressed by: https://review.opendev.org/715680
    Introduce scope_types in limits policy

Addressed by: https://review.opendev.org/715760
    Add new default roles in limits policies

Addressed by: https://review.opendev.org/715761
    Pass the actual target in limits policy

Addressed by: https://review.opendev.org/715672
    Correct limits policy check_str

Addressed by: https://review.opendev.org/716003
    Add new default roles in os-hypervisors policies

Addressed by: https://review.opendev.org/716057
    Add test coverage of existing lock server policies

Gerrit topic: https://review.opendev.org/#/q/topic:bug/1869791

Addressed by: https://review.opendev.org/716071
    Fix unlock server policy to be admin_or_owner

Addressed by: https://review.opendev.org/716114
    Introduce scope_types in lock server policy

Addressed by: https://review.opendev.org/716122
    Add new default roles in lock server policies

Addressed by: https://review.opendev.org/716128
    Add test coverage of existing migrate server policies

Addressed by: https://review.opendev.org/716130
    Introduce scope_types in migrate server

Addressed by: https://review.opendev.org/716132
    Add new default roles in migrate server policies

Addressed by: https://review.opendev.org/716134
    Pass the actual target in migrate server policy

Addressed by: https://review.opendev.org/716136
    Add test coverage of existing migrations policies

Addressed by: https://review.opendev.org/716141
    Introduce scope_types in list migrations

Addressed by: https://review.opendev.org/716145
    Add new default roles in migrations policies

Addressed by: https://review.opendev.org/716147
    Pass the actual target in migrations policy

Addressed by: https://review.opendev.org/716161
    Add test coverage of existing pause server policies

Gerrit topic: https://review.opendev.org/#/q/topic:bug/1869841

Addressed by: https://review.opendev.org/716165
    Fix unpause server policy to be admin_or_owner

Addressed by: https://review.opendev.org/716187
    Introduce scope_types in pause server policy

Addressed by: https://review.opendev.org/716191
    Add new default roles in pause server policies

Addressed by: https://review.opendev.org/716428
    Pass the actual target in unlock override policy

Addressed by: https://review.opendev.org/716482
    Add test coverage of existing remote console policies

Addressed by: https://review.opendev.org/716483
    Introduce scope_types in remote consoles policy

Addressed by: https://review.opendev.org/716484
    Add new default roles in remote console policies

Addressed by: https://review.opendev.org/716486
    Add test coverage of existing rescue policies

Addressed by: https://review.opendev.org/716488
    Introduce scope_types in rescue server policy

Addressed by: https://review.opendev.org/716496
    Add new default roles in rescue server policies

Addressed by: https://review.opendev.org/716779
    Add test coverage of existing security groups policies

Addressed by: https://review.opendev.org/716786
    Introduce scope_types in security groups policy

Addressed by: https://review.opendev.org/716793
    Add new default roles in security group policies

Addressed by: https://review.opendev.org/716797
    Add new default roles in security group policies

Addressed by: https://review.opendev.org/716800
    Add test coverage of existing server diagnostics policies

Addressed by: https://review.opendev.org/716803
    Introduce scope_types in server diagnostics

Addressed by: https://review.opendev.org/716805
    Add new default roles in server diagnostics policies

Addressed by: https://review.opendev.org/716810
    Pass the actual target in server diagnostics policy

Addressed by: https://review.opendev.org/716782
    Correct security groups policy check_str

Addressed by: https://review.opendev.org/717155
    Add test coverage of existing server external events policies

Addressed by: https://review.opendev.org/717167
    Introduce scope_types in server external events

Addressed by: https://review.opendev.org/717168
    Add new default roles in server external events policies

Addressed by: https://review.opendev.org/717169
    Pass the actual target in server external events policy

Addressed by: https://review.opendev.org/717173
    Add test coverage of existing server group policies

Addressed by: https://review.opendev.org/717174
    Introduce scope_types in server group policy

Addressed by: https://review.opendev.org/717175
    Add new default roles in server group policies

Addressed by: https://review.opendev.org/717176
    Pass the actual target in server group policy

Addressed by: https://review.opendev.org/717182
    Add test coverage of existing server metadata policies

Gerrit topic: https://review.opendev.org/#/q/topic:bug/1870484

Addressed by: https://review.opendev.org/717189
    Fix server metadata policy to be admin_or_owner

Addressed by: https://review.opendev.org/717204
    Add test coverage of existing server password policies

Gerrit topic: https://review.opendev.org/#/q/topic:bug/1870488

Addressed by: https://review.opendev.org/717212
    Fix server password policy to be admin_or_owner

Addressed by: https://review.opendev.org/717215
    Introduce scope_types in server password

Addressed by: https://review.opendev.org/717255
    Add new default roles in server metadata policies

Addressed by: https://review.opendev.org/717415
    Introduce scope_types in server password policy

Addressed by: https://review.opendev.org/717417
    Add new default roles in server password policies

Addressed by: https://review.opendev.org/717425
    Add test coverage of existing server tags policies

Addressed by: https://review.opendev.org/717524
    Add test coverage of existing server topology policies

Addressed by: https://review.opendev.org/717531
    Add test coverage of existing server migrations policies

Addressed by: https://review.opendev.org/717539
    Add test coverage of existing shelve policies

Addressed by: https://review.opendev.org/717546
    Add test coverage of existing simple tenant usage policies

Addressed by: https://review.opendev.org/717554
    Add test coverage of existing suspend server policies

Gerrit topic: https://review.opendev.org/#/q/topic:bug/1870883

Addressed by: https://review.opendev.org/717561
    Fix resume server policy to be admin_or_owner

Gerrit topic: https://review.opendev.org/#/q/topic:policy-defaults-refresh

Addressed by: https://review.opendev.org/717542
    Correct server shelve policy check_str

Addressed by: https://review.opendev.org/717571
    Introduce scope_types in shelve server

Addressed by: https://review.opendev.org/717581
    Add new default roles in shelve server policies

Addressed by: https://review.opendev.org/717582
    Introduce scope_types in suspend server

Addressed by: https://review.opendev.org/717583
    Add new default roles in suspend server policies

Addressed by: https://review.opendev.org/717584
    Introduce scope_types in server topology

Addressed by: https://review.opendev.org/717585
    Add new default roles in server topology policies

Addressed by: https://review.opendev.org/717586
    Introduce scope_types in simple tenant usage

Addressed by: https://review.opendev.org/717587
    Add new default roles in tenant tenant usage policies

Addressed by: https://review.opendev.org/717588
    Introduce scope_types in server migration

Addressed by: https://review.opendev.org/717590
    Add new default roles in server migration policies

Addressed by: https://review.opendev.org/717591
    Pass the actual target in server migration policy

Addressed by: https://review.opendev.org/717825
    Fix new context comparison workaround in base tests class

Gerrit topic: https://review.opendev.org/#/q/topic:bp/work

Addressed by: https://review.opendev.org/717884
    Disable warning for policies changing default check_str

Gerrit topic: https://review.opendev.org/#/q/topic:bug/1871287

Addressed by: https://review.opendev.org/717947
    Fix server tags policy to be admin_or_owner

Addressed by: https://review.opendev.org/717948
    Introduce scope_types in server tags policy

Addressed by: https://review.opendev.org/717954
    Add new default roles in server tags policies

Addressed by: https://review.opendev.org/717525
    Correct server topology policy check_str

Addressed by: https://review.opendev.org/718348
    Add test coverage of existing server policies

Addressed by: https://review.opendev.org/718501
    Fix servers policy for admin_or_owner

Gerrit topic: https://review.opendev.org/#/q/topic:bug/1871665

Addressed by: https://review.opendev.org/718604
    Add test coverage of existing keypairs policies

Addressed by: https://review.opendev.org/718609
    Introduce scope_types in keypairs

Addressed by: https://review.opendev.org/718619
    Add new default roles in keypairs policies

Addressed by: https://review.opendev.org/718621
    Pass the actual target in keypairs policy

Addressed by: https://review.opendev.org/719095
    Add test coverage of existing quota class policies

Addressed by: https://review.opendev.org/719096
    Introduce scope_types in quota class Policies

Addressed by: https://review.opendev.org/719100
    Add new default roles in quota class policies

Addressed by: https://review.opendev.org/719128
    Add test coverage of existing quota sets policies

Addressed by: https://review.opendev.org/719317
    Introduce scope_types in quota set Policies

Addressed by: https://review.opendev.org/719361
    Add new default roles in quota sets policies

Addressed by: https://review.opendev.org/719372
    Add test coverage of existing flavor extra spec policies

Addressed by: https://review.opendev.org/719375
    Introduce scope_types in flavor extra spec policy

Addressed by: https://review.opendev.org/719381
    Add new default roles in flavor extra specs policies

Addressed by: https://review.opendev.org/719603
    Pass the actual target in flavor extra specs policy

Addressed by: https://review.opendev.org/719607
    Pass the actual target in flavor access policy

Addressed by: https://review.opendev.org/719726
    Add test coverage of existing server attributes policies

Addressed by: https://review.opendev.org/719729
    Introduce scope_types in servers attributes Policies

Addressed by: https://review.opendev.org/719730
    Add new default roles in servers attributes policies

Addressed by: https://review.opendev.org/720042
    Pass the actual target in quota class policy

Addressed by: https://review.opendev.org/720104
    Add test coverage of existing remaining servers policies

Addressed by: https://review.opendev.org/720106
    Introduce scope_types in remaining servers Policies

Addressed by: https://review.opendev.org/720116
    Add new default roles in remaining servers policies

Addressed by: https://review.opendev.org/717835
    Fix follow up comments on policy work

Addressed by: https://review.opendev.org/720123
    Fix server actions to be system and project scoped

Addressed by: https://review.opendev.org/720129
    Add doc for policy new defaults

Addressed by: https://review.opendev.org/721322
    Fix the followup comment of policy doc

[gibi 20200423] implemented in Ussuri

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.