Policy Default Refresh-2

Registered by Ghanshyam Mann

We moved the nova API policies to new defaults and scope types in https://blueprints.launchpad.net/nova/+spec/policy-defaults-refresh in the Ussuri cycle. But they were not easily consumable by the operators/users and the migration plan from old to new policies was not even working. A good example of the issue is the boot server on a specific host where host info is available to system users only and server boot can be done by project only. We thought of a lot of ways to solve this, for example: allowing the system users to create a server for any project by passing the project id in the request or in the header, allowing the project to see the host info.

Based on the initial discussions of how system-scope would be used, we decided
to allow operators to interact with project-owned resources using system-scoped
tokens. In summary, we mixed up the system and project scope in the APIs.

To solve these issues and make the new policy more useable in a better way, we discussed the new design a lot during the Yoga PTG - https://etherpad.opendev.org/p/policy-popup-yoga-ptg. We agreed on the new design and making system users not to allow any project-level things.

Complete direction can be seen in - https://review.opendev.org/c/openstack/governance/+/815158

In nova, we will audit all the policies and make sure everything is as per the new direction defined in the community-wide goal.

Nova policy Audit: https://wiki.openstack.org/wiki/Nova/rbac (TODO- once the audit is finished, add the versioned link of wiki page)

Blueprint information

Status:
Not started
Approver:
Sylvain Bauza
Priority:
Undefined
Drafter:
Ghanshyam Mann
Direction:
Approved
Assignee:
Ghanshyam Mann
Definition:
Approved
Series goal:
Accepted for yoga
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

[20211130 bauzas] Approved during today's nova meeting as a specless BP

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.