oslopolicy-policy-generator: what is the namespace to use to get Magnum policy?
Hi,
I'd like to see the default Magnum (Oslo) policy used with Magnum. With other services, I use oslopolicy-policy-generator and use the service name as the namespace but for Magnum, "--namespace magnum" returns an error saying that there is no "magnum" namespace.
Does anybody know what is the namespace to use with Magnum? Or how to display the currently active policy, preferably in YAML format?
Thanks in advance. Cheers,
Michel
---- On Wed, 05 Jun 2024 10:06:34 -0700 Michel Jouvin wrote ---
> Hi,
> I'd like to see the default Magnum (Oslo) policy used with Magnum. With other services, I use oslopolicy-policy-generator and use the service name as the namespace but for Magnum, "--namespace magnum" returns an error saying that there is no "magnum" namespace.
> Does anybody know what is the namespace to use with Magnum? Or how to display the currently active policy, preferably in YAML format?
Thanks for reporting it. This is a bug in Magnum, I have reported it in LP[1] and proposed the fix (tested that and it worked).
Basically, Magnum is missing the entry point for oslo policy enforcer and oslo.policy generator tool is not able to recognize the magnum namespace. Below is the fix which can be backported to old branches also:
- https://review.opendev.org/c/openstack/magnum/+/921408
[1] https://bugs.launchpad.net/magnum/+bug/2068519
-gmann
> Thanks in advance. Cheers,
> Michel
Hi,
Thanks for the quick follow-up and for the fix, I'll test it tomorrow!
Michel
Sent from my mobile
On 5 June 2024 20:53:40, Ghanshyam Mann <gmann@ghanshyammann.com> wrote:
> Thanks for reporting it. This is a bug in Magnum, I have reported it in LP[1] and proposed the fix (tested that and it worked).
> Basically, Magnum is missing the entry point for oslo policy enforcer and oslo.policy generator tool is not able to recognize the magnum namespace. Below is the fix which can be backported to old branches also:
> - https://review.opendev.org/c/openstack/magnum/+/921408
> [1] https://bugs.launchpad.net/magnum/+bug/2068519
> -gmann
I confirm it works well on Antelope. Thanks!
Michel
On 05/06/2024 at 21:46, Michel Jouvin wrote:
> Hi,
> Thanks for the quick follow-up and for the fix, I'll test it tomorrow!
> Michel
> Sent from my mobile
---- On Wed, 05 Jun 2024 14:37:50 -0700 Michel Jouvin wrote ---
> I confirm it works well on Antelope. Thanks!
Perfect, once it is merged on master, I will backport it to stable branches including Antelope.
-gmann
> Michel
Hi,
As I said, the fix works in Yoga and Antelope in the sense that it allows running "oslopolicy-policy-generator --namespace magnum" successfully, but I am not completely convinced the output is really the policy used... It looks like an old-style policy: I said this because it makes no use of any role:reader or role:member and I found it surprising when all the other services do.
Looking at what was done in get_enforcer for other services like Neutron, I saw it was passing the command line options received (after some massaging) to cfg.CONF(). Neutron mentions the trick as coming from Nova. Not sure if it has any impact but it also works, I'll let you decide!
BTW, if you want to apply the fix on an existing installation without rebuilding Magnum, the setup.cfg change must be applied (translation is easy) to the entry_points.txt in magnum-xxx-egg-info/ folder under python site-packages.
Best regards,
Michel
On 06/06/2024 at 18:23, Ghanshyam Mann wrote:
> Perfect, once it is merged on master, I will backport it to stable branches including Antelope.
> -gmann
---- On Thu, 06 Jun 2024 09:47:43 -0700 Michel Jouvin wrote ---
> Hi,
> As I said, the fix works in Yoga and Antelope in the sense that it allows running "oslopolicy-policy-generator --namespace magnum" successfully, but I am not completely convinced the output is really the policy used... It looks like an old-style policy: I said this because it makes no use of any role:reader or role:member and I found it surprising when all the other services do.
You are not able to see the new RBAC in Yoga or Antelope because Magnum does not have those in those releases. RBAC's new defaults were implemented in Magnum Bobcat[1][2]. There is no reader or new defaults before Bobcat Magnum. That is why Antelope or Yoga generates the policy that was there. I ran the tool on Magnum master and it does generate the policy file with reader & member role, so it is working fine:
- https://paste.openstack.org/show/bNrwWHPeVvCDL2dUWbwR/
[1] https://docs.openstack.org/releasenotes/magnum/2023.2.html#upgrade-notes
[2] https://github.com/openstack/magnum/blob/stable/2023.2/magnum/common/policie...
-gmann
> Looking at what was done in get_enforcer for other services like Neutron, I saw it was passing the command line options received (after some massaging) to cfg.CONF(). Neutron mentions the trick as coming from Nova. Not sure if it has any impact but it also works, I'll let you decide!
> BTW, if you want to apply the fix on an existing installation without rebuilding Magnum, the setup.cfg change must be applied (translation is easy) to the entry_points.txt in magnum-xxx-egg-info/ folder under python site-packages.
We have the code change also in this fix, not just setup.cfg, that is why it needs to rebuild the Magnum. Fix is merged on Master and backports are in progress
- https://review.opendev.org/q/Iff94f7dea491b0ea465b17cd60c37423224f9ffa
-gmann
> Best regards,
> Michel
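An added example, not part of the thread or of Magnum's code: a check of an entry_points.txt file for the two oslo.policy entry-point groups, showing why a namespace can be visible to oslopolicy-sample-generator yet unknown to oslopolicy-policy-generator. The file contents are constructed, and the `placeholder.*` targets and `example-cmd` script name are hypothetical, not Magnum's real values.

```python
import configparser

# Entry-point groups consulted by the oslo.policy command-line tools.
POLICIES_GROUP = "oslo.policy.policies"  # oslopolicy-sample-generator
ENFORCER_GROUP = "oslo.policy.enforcer"  # oslopolicy-policy-generator

# Constructed sample: a service that registers its rules but no enforcer.
# The placeholder.* targets are hypothetical, not Magnum's module paths.
BEFORE = """\
[console_scripts]
example-cmd = placeholder.cmd:main

[oslo.policy.policies]
magnum = placeholder.policies:list_rules
"""

# Constructed sample: the same file with the enforcer entry point added.
AFTER = BEFORE + """
[oslo.policy.enforcer]
magnum = placeholder.policy:get_enforcer
"""


def parse_entry_points(text):
    """Return {group: {name: target}} for entry_points.txt content."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # entry-point names are case-sensitive
    parser.read_string(text)
    return {group: dict(parser.items(group)) for group in parser.sections()}


def policy_tool_support(text, namespace):
    """Report which generator can resolve `namespace` from this file."""
    groups = parse_entry_points(text)
    return {
        "sample_generator": namespace in groups.get(POLICIES_GROUP, {}),
        "policy_generator": namespace in groups.get(ENFORCER_GROUP, {}),
    }


def missing_enforcer_namespaces(text):
    """Namespaces that expose policy rules but no enforcer entry point."""
    groups = parse_entry_points(text)
    enforcers = groups.get(ENFORCER_GROUP, {})
    return sorted(n for n in groups.get(POLICIES_GROUP, {}) if n not in enforcers)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, policy_tool_support(text, "magnum"),
              missing_enforcer_namespaces(text))
```

A registered entry point only tells the tool where to look; as noted in the thread, the fix also changes code, so the target function must exist in the installed package for the generator to run.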