[magnum] Secure RBAC implementation

Rico Lin ricolin at ricolky.com
Wed Mar 22 01:58:52 UTC 2023


Hi magnum team

I would like to make a short report regarding the progress and trigger a
follow-up discussion.

Right now, with the patch series
https://review.opendev.org/c/openstack/magnum/+/874945
the patch set is a follow-up of the TC goal: Consistent and Secure Default RBAC[1]

We have now:
* Implementation of Secure RBAC with project member and project reader for
most APIs, and also a project scope check for APIs which are not designed to
run across multiple projects.
* Unit tests and functional tests ready and passing for the above features.

The secure RBAC change currently defaults to false, so it will not
affect currently running environments, and we should enable it in the
following cycle. So all it does when those configs are not enabled is
provide a deprecation warning.

When enabled, we will require the project_reader role to perform any
non-admin GET request and the project_member role for any other non-admin
request (PATCH, DELETE, POST, etc.). It will also require a project-scoped
token to allow performing those APIs.

One of the patches we can discuss is to explicitly set admin authorization on
APIs in https://review.opendev.org/c/openstack/magnum/+/875625
This, IMO, is an ideal change to make sure we don't break admin operations on
all APIs, to avoid bugs like https://bugs.launchpad.net/neutron/+bug/1997089
, but if there are any other concerns, I would love to learn about them.

The patch sets are ready. As we are already in a new development cycle, I
would really appreciate it if anyone can help to review and land them.
Most projects already have this implementation in place, so now
would be a good time for magnum to catch up with that goal.


[1]
https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

*Rico Lin*
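As an added illustration (not Magnum's code and not the policy rules from the patch series above), the following Python models the checks the message describes: explicit admin authorization on every API, a project scope check, reader for non-admin GET, member for everything else, and, while the new defaults are still off, a deprecation warning for requests the legacy rule allows but the new defaults will deny. The Context class, the enforce/would_break functions and the role-implication table (admin implies member implies reader) are assumptions made for the example; Magnum itself enforces through oslo.policy, and the real role names are "reader" and "member" on a project-scoped token.

```python
"""Illustrative model of the checks described in the post (assumed example,
not Magnum's own policy code or its oslo.policy rules)."""
import warnings
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Keystone-style role implication, assumed for this example:
# admin implies member, member implies reader.
_IMPLIED = {"admin": {"member", "reader"}, "member": {"reader"}}


def expand_roles(roles):
    """Return the roles a token carries once implied roles are included."""
    out = set(roles)
    for role in roles:
        out |= _IMPLIED.get(role, set())
    return frozenset(out)


@dataclass(frozen=True)
class Context:
    """Minimal stand-in for a request context (assumed shape)."""
    roles: FrozenSet[str]
    project_id: Optional[str] = None  # set only for a project-scoped token


def required_role(method):
    """Non-admin GET needs the reader role; any other method needs member."""
    return "reader" if method.upper() in ("GET", "HEAD") else "member"


def new_default_allows(ctx, method, target_project):
    """Secure-RBAC rule: explicit admin, else a project-scoped member/reader."""
    roles = expand_roles(ctx.roles)
    if "admin" in roles:                   # explicit admin authorization on every API
        return True
    if ctx.project_id is None:             # project scope check: non-project tokens are out
        return False
    if ctx.project_id != target_project:   # cannot act across projects
        return False
    return required_role(method) in roles


def legacy_allows(ctx, method, target_project):
    """Pre-secure-RBAC behaviour: admin, or any token scoped to the owning project."""
    roles = expand_roles(ctx.roles)
    return "admin" in roles or ctx.project_id == target_project


def would_break(ctx, method, target_project):
    """True when the legacy rule allows a request the new defaults will deny."""
    return legacy_allows(ctx, method, target_project) and not new_default_allows(
        ctx, method, target_project
    )


def enforce(ctx, method, target_project, enforce_new_defaults=False):
    """Decide the request; with the new defaults off, only warn about future denials."""
    if enforce_new_defaults:
        return new_default_allows(ctx, method, target_project)
    if would_break(ctx, method, target_project):
        warnings.warn(
            f"{method} on project {target_project} by roles {sorted(ctx.roles)} "
            "is allowed by the legacy rule but will be denied once secure RBAC "
            "defaults are enforced",
            DeprecationWarning,
            stacklevel=2,
        )
    return legacy_allows(ctx, method, target_project)


if __name__ == "__main__":
    # Constructed sample requests for the demo; roles and project ids are made up.
    samples = [
        ("reader lists clusters in own project", Context(frozenset({"reader"}), "p1"), "GET", "p1"),
        ("reader tries to create a cluster", Context(frozenset({"reader"}), "p1"), "POST", "p1"),
        ("member deletes in own project", Context(frozenset({"member"}), "p1"), "DELETE", "p1"),
        ("member reads another project", Context(frozenset({"member"}), "p1"), "GET", "p2"),
        ("admin with a non-project token", Context(frozenset({"admin"})), "PATCH", "p1"),
        ("roleless legacy token in own project", Context(frozenset(), "p1"), "DELETE", "p1"),
    ]
    warnings.simplefilter("always", DeprecationWarning)
    for label, ctx, method, target in samples:
        legacy = enforce(ctx, method, target)
        strict = enforce(ctx, method, target, enforce_new_defaults=True)
        print(f"{label:40s} legacy={legacy!s:5} new_defaults={strict}")
```

Running it shows the two transitions operators care about: the roleless token that the legacy rule accepts is flagged with a DeprecationWarning before the defaults flip, and a member token is refused as soon as it targets a project other than the one it is scoped to.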