Policy Default Refresh

Registered by Ghanshyam Mann on 2019-03-21

Ideally, most operators should be able to run without modifying policy, so
we need richer defaults.

When operators must modify the policy, or need to audit the defaults, they are
thinking about API operations and what policy to change, so the policy should
always clearly relate to the API, not the code.

To improve the Nova policies in terms of self-service and rich default roles, we need multiple updates:

1. Granularity - making the policy rules granular so that scope_type and the new default roles can be added - https://blueprints.launchpad.net/nova/+spec/granular-api-policy

2. Scope - adding the correct scope_type with global and project access.

3. Default roles - keystone now has new default roles like reader, admin and member, which can be applied with each scope_type.

More details are in the spec.

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: Ghanshyam Mann
Direction: Needs approval
Assignee: Ghanshyam Mann
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Spec - https://review.openstack.org/#/c/547850

Gerrit topic: https://review.opendev.org/#/q/topic:bp/policy-default-refresh

Addressed by: https://review.opendev.org/547850
    Spec for API policy updates

Gerrit topic: https://review.opendev.org/#/q/topic:bp/policy-defaults-refresh

Gerrit topic: https://review.opendev.org/#/q/topic:policy

Addressed by: https://review.opendev.org/657697
    Better policy unit tests

Addressed by: https://review.opendev.org/657696
    Move default policy target

Addressed by: https://review.opendev.org/657698
    Add functional test for admin_actions

Addressed by: https://review.opendev.org/657823
    WIP: add scope check, see tests catch the change

Addressed by: https://review.opendev.org/645427
    WIP:Introduce scope_types in os-services

Addressed by: https://review.opendev.org/645452
    Add new default roles and mapping in policy base class

Addressed by: https://review.opendev.org/648480
    WIP: Add new default roles in os-services API policies

Addressed by: https://review.opendev.org/662968
    WIP:Introduce scope_types in servers API

Addressed by: https://review.opendev.org/662971
    WIP: Add new default roles in servers API policies

Addressed by: https://review.opendev.org/663095
    Ensure we pass a target in admin actions
