[Tacker][SRBAC] Update regarding implementation of project personas in Tacker
Hi Ogawa san and Tacker team,

This mailer is regarding the SRBAC implementation happening in Tacker.

In the Tacker release 2023.1 virtual PTG [1], it was decided by the Tacker community to partially implement the project personas (project-reader role) in the current release. And in upcoming releases, we will implement the remaining project-member role.

To address the above requirement, I have prepared a specification [2] and pushed the same in Gerrit for community review.

Ghanshyam san reviewed the specification and shared TC's opinion and suggestion to implement both the project-reader and project-member roles. The complete persona implementation will deprecate the 'owner' rule, and help in restricting any other role from accessing project-based resources. Additionally, intact legacy admin (current admin) works in the same way so that we do not break things and introduce the project personas, which should be additional things to be available for operators to adopt.

Current Status: Incorporated the new requirement and uploaded a new patch set to address the review comment.

Note: The Tacker spec freeze date is 28th Dec 2022; there might be some delay in merging the specification in shared timelines.

[1] https://etherpad.opendev.org/p/tacker-antelope-ptg#L186
[2] https://review.opendev.org/c/openstack/tacker-specs/+/866956

Thanks & Regards,
Manpreet Kaur
---- On Sun, 25 Dec 2022 21:07:04 -0800 manpreet kaur wrote ---
Hi Ogawa san and Tacker team, This mailer is regarding the SRBAC implementation happening in Tacker. In the Tacker release 2023.1 virtual PTG [1], it was decided by the Tacker community to partially implement the project personas (project-reader role) in the current release. And in upcoming releases, we will implement the remaining project-member role.
To address the above requirement, I have prepared a specification [2] and pushed the same in Gerrit for community review.
Ghanshyam san reviewed the specification and shared TC's opinion and suggestion to implement both the project-reader and project-member roles. The complete persona implementation will deprecate the 'owner' rule, and help in restricting any other role from accessing project-based resources.
Yeah, this was a problem in many projects where 'owner' rules were checking only project_id and not the 'member' role. Due to that, any role in the project (foo, reader etc.) can behave as the 'owner' of the project and perform all the operations within the project scope. This behaviour was actually a bug in our policy. To make the project reader work as expected, we need to fix the existing 'owner' rule to add a 'member' role along with project_id so that 'owner' (project_members) will be different than project_reader. We have fixed it in nova, neutron and many other projects in the same way.
Additionally, intact legacy admin (current admin) works in the same way so that we do not break things and introduce the project personas, which should be additional things to be available for operators to adopt.
+1, this was the case which came up during RBAC feedback from operators and NFV users. To make sure we do not break the NFV deployment, we are keeping legacy admin behavior/permission the same as it is today. -gmann
Current Status: Incorporated the new requirement and uploaded a new patch set to address the review comment.
Note: The Tacker spec freeze date is 28th Dec 2022; there might be some delay in merging the specification in shared timelines.
[1] https://etherpad.opendev.org/p/tacker-antelope-ptg#L186
[2] https://review.opendev.org/c/openstack/tacker-specs/+/866956
Thanks & Regards,
Manpreet Kaur
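The policy bug Ghanshyam describes above is easy to see with the rule strings themselves. The following is an added example, not code from the Tacker spec, oslo.policy, or any of the people in this thread: a minimal evaluator (written in oslo.policy's rule syntax but with its own, much simpler matching logic) that compares the legacy 'owner' rule, which checks only project_id, against the project-member and project-reader rules that also require a role. The caller credentials, project ids and the 'foo' role are constructed sample values.

```python
# Added example (not from the Tacker spec or oslo.policy): a minimal evaluator
# for the rule shapes the thread discusses, showing why an 'owner' rule that
# checks only project_id lets any role in the project act as a member.
from dataclasses import dataclass, field


@dataclass
class Creds:
    """Caller credentials as a policy engine sees them (constructed sample)."""
    project_id: str
    roles: frozenset = field(default_factory=frozenset)


# Rule strings written in oslo.policy's syntax.
LEGACY_OWNER = "project_id:%(project_id)s"                    # the buggy rule
PROJECT_MEMBER = "role:member and project_id:%(project_id)s"  # fixed 'owner'
PROJECT_READER = "role:reader and project_id:%(project_id)s"  # new persona


def check_atom(atom, creds, target):
    """Evaluate one 'kind:value' check against credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.roles
    if kind == "project_id":
        # %(project_id)s is filled in from the resource being accessed
        return creds.project_id == value % {"project_id": target["project_id"]}
    raise ValueError(f"unsupported check type: {kind}")


def enforce(rule, creds, target):
    """Evaluate a conjunction of atoms; enough for the three rules above."""
    return all(check_atom(a.strip(), creds, target) for a in rule.split(" and "))


def persona_matrix(target_project="proj-A"):
    """Which callers each rule admits for a resource owned by target_project.

    'member' callers also carry 'reader' because Keystone's member role
    implies reader.
    """
    target = {"project_id": target_project}
    callers = {
        "foo in proj-A": Creds("proj-A", frozenset({"foo"})),
        "reader in proj-A": Creds("proj-A", frozenset({"reader"})),
        "member in proj-A": Creds("proj-A", frozenset({"member", "reader"})),
        "member in proj-B": Creds("proj-B", frozenset({"member", "reader"})),
    }
    rules = {
        "legacy_owner": LEGACY_OWNER,
        "project_member": PROJECT_MEMBER,
        "project_reader": PROJECT_READER,
    }
    return {
        name: {r: enforce(rule, creds, target) for r, rule in rules.items()}
        for name, creds in callers.items()
    }


if __name__ == "__main__":
    for caller, results in persona_matrix().items():
        print(f"{caller:18}", results)
```

The row for "foo in proj-A" is the bug: the legacy rule admits a caller holding an arbitrary role, while both fixed rules reject it. The last row shows that the project_id check still does its job, so adding the role check narrows access without widening it across projects.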
Hi Manpreet-san,

Thanks for your notice. I've started to review and understood this change is considered backward compatible from suggestions on the etherpad. Although it's LGTM, I'd like to ask if Yuta has any comment on the proposal because he has also proposed a policy management feature in this release.

For the deadline, let us discuss again to reschedule it if we cannot merge by the deadline.

Thanks,
Yasufumi

On 2022/12/26 14:07, manpreet kaur wrote:
Hi Ogawa san,

Thanks for accepting the new RBAC proposal, please find the latest patch-set 7 [1] as the final version. Would try to merge the specification within the proposed timelines.

@Ghanshyam san, Thanks for adding clarity to the proposed changes and for a quick review.

[1] https://review.opendev.org/c/openstack/tacker-specs/+/866956

Best Regards,
Manpreet Kaur

On Wed, Dec 28, 2022 at 1:12 AM Yasufumi Ogawa <yasufum.o@gmail.com> wrote:
Hi Manpreet-san,
Thanks for your notice. I've started to review and understood this change is considered backward compatible from suggestions on the etherpad. Although it's LGTM, I'd like to ask if Yuta has any comment on the proposal because he has also proposed a policy management feature in this release.
For the deadline, let us discuss again to reschedule it if we cannot merge by the deadline.
Thanks, Yasufumi
participants (3)
-
Ghanshyam Mann
-
manpreet kaur
-
Yasufumi Ogawa