[rbac][nova][cinder] Canned roles for service users / inter-service communication (e.g. event submission)

Christian Rohmann christian.rohmann at inovex.de
Thu Jun 9 09:11:46 UTC 2022


Hey openstack-discuss,

I posted to the ML quite a while ago about an issue of resized (Cinder) 
volumes not being propagated to the (Nova) instance.
See 
http://lists.openstack.org/pipermail/openstack-discuss/2021-February/020476.html.

The issue there was Cinder not being allowed to send the 
"volume-extended" event (or any event, for that matter) via the Nova API 
just using the user token.
For this, a configurable additional "privileged user" was added to the 
config quite a while back with 
https://opendev.org/openstack/cinder/commit/04003d7c513ed4dd5129cbd5ad1af14a5b200677.

While the functionality then works, I suppose there should be canned and 
maintained RBAC roles for such kinds of inter-service 
communication, e.g. to emit events to others. Otherwise deployments 
will likely use admin-privileged users, ignoring the least privilege 
principle and creating a large attack surface.

And there are quite a few of those relations even with the most commonly 
used services:
Cinder -> Nova, Nova -> Cinder, Nova -> Ironic, .... Nova -> Neutron, ....

Are such canned RBAC rules for "special" inter-service users on the 
backlog somewhere? Or am I totally misconceiving the issue here?

I know there is 
https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#isolate-system-specific-api-policies 
and also the request for feedback at 
https://etherpad.opendev.org/p/rbac-operator-feedback, but that all 
seems to focus on the impact of roles used by humans / users and not 
on service roles at all.


Regards

Christian
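As an added illustration of the least-privilege point above (not part of the original post, and not Nova's or Cinder's shipped defaults): a Nova policy.yaml fragment contrasting the admin-only setting, which forces the Cinder "privileged user" to carry the admin role, with a rule that only requires a dedicated role. The role name `service` is an assumption here; the policy target `os_compute_api:os-server-external-events:create` is the real Nova API that Cinder's "volume-extended" event is delivered through.

```yaml
# Nova policy.yaml fragment (added example; role name "service" is assumed)

# Weak setting: the external-events API is reachable only by admins, so the
# Cinder service user configured as "privileged user" must be given the admin
# role and thereby gains every other admin-only API in Nova as well.
# "os_compute_api:os-server-external-events:create": "rule:context_is_admin"

# Least-privilege setting: a dedicated keystone role is enough to deliver
# events such as "volume-extended"; the Cinder user needs no admin role.
# Admins keep access so operators can still inject events manually.
"context_is_admin": "role:admin"
"os_compute_api:os-server-external-events:create": "role:service or rule:context_is_admin"
```

Grant the Cinder service user only that role (e.g. `openstack role add --user cinder --project service service`, assuming the user and project are both named as in a typical deployment) and confirm with `openstack role assignment list --user cinder --names` that no admin assignment remains.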
