[all][tc][policy] Progress report of consistent and secure default policies pop-up team

Ghanshyam Mann gmann at ghanshyammann.com
Fri Aug 28 16:35:55 UTC 2020

Hello Everyone,

This is a regular update on progress in the 'Consistent and Secure Default Policies Popup Team'.
We will try to make it a monthly report from now onwards.

Progress so far:
* The popup team meets twice a month to discuss and work on progress and the pre-work to do.
- https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Meeting

* Pre-work to provide a smooth migration path to the new policy
<here we will add any pre-work we need to do before more project start moving towards new policy>

** Migrate Default Policy Format from JSON to YAML
- This involves oslo-side work plus work on each project's side.
- The oslo-side work to provide the tool and utils method is merged (one patch is in the gate).
- The new tool 'oslopolicy-convert-json-to-yaml' is available now to convert your existing JSON formatted
policy file to YAML format in a backward-compatible way.
- I have started to do it in Nova (need to update the patch though) to give example work for other projects:
- all work is tracked here: https://review.opendev.org/#/q/topic:bp/policy-json-to-yaml+(status:open+OR+status:merged)

** Improving documentation about target resources (oslo.policy)
- https://bugs.launchpad.net/oslo.policy/+bug/1886857
- raildo pushed the patch which is under review: https://review.opendev.org/#/c/743318/

* Team Progress: (list of teams that are interested or have volunteered to work)

** Keystone (COMPLETED; use as a reference)

** Nova (COMPLETED; use as a reference)
- All APIs except the deprecated APIs were done in the Ussuri cycle, and the deprecated APIs are also done now.

** Cyborg (in-progress)
- Spec is merged, code under review.

** Barbican (not started)

** Neutron (not started)

** Cinder (not started)

** Manila (not started)

Why This Is Important
(I have copied it from Colleen's email, which is nicely written)

Separating system, domain, and project-scope APIs and providing meaningful
default roles is critical to facilitating secure cloud deployments and to
fulfilling OpenStack's vision as a fully self-service infrastructure
provider[1]. Until all projects have completed this policy migration, the
"reader" role that exists in keystone is dangerously misleading, and the
`[oslo_policy]/enforce_scope` option has limited usefulness as long as projects
lack uniformity in how an administrator can use scoped APIs.

How You Can Help
- You can help by starting the work in your project (or any other project you would like to help) and attending
the popup team meeting in case of any questions, review requests, etc.

Cloud operator:
- Please help review the proposed policy rule changes to sanity-check the new scope and
role defaults.
- Migrate your JSON formatted policy file to YAML. A JSON formatted file can be problematic in
various ways, as described here[2]. You can use the 'oslopolicy-convert-json-to-yaml' tool [3] to
convert your existing JSON formatted policy file to YAML format in a backward-compatible way.

[1] https://governance.openstack.org/tc/reference/technical-vision.html#self-service
[2] https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html#problem-description
[3] https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html

-gmann & raildo
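To illustrate why the JSON-to-YAML migration matters for operators, here is an added example (not the oslopolicy-convert-json-to-yaml tool's code and not part of the email above): a JSON policy file cannot carry comments, so every rule in it overrides the service's in-code default even when it is identical, which silently pins operators to old defaults. The example converts a constructed JSON policy file to YAML and comments out the rules that match a constructed set of in-code defaults (an assumption standing in for a project's registered policies), leaving only genuine operator overrides active.

```python
import json

# Constructed sample of an operator's legacy JSON policy file. Every rule here
# overrides the service default, including the three that merely repeat it.
LEGACY_JSON_POLICY = '''{
    "admin_api": "role:admin",
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:servers:create": "rule:admin_or_owner",
    "os_compute_api:os-hypervisors:list": "rule:admin_api"
}'''

# Constructed stand-in for the service's in-code defaults (assumption: a real
# deployment would load these from the project's registered policies).
CODE_DEFAULTS = {
    "admin_api": "role:admin",
    "os_compute_api:servers:index": "rule:admin_or_owner",
    "os_compute_api:servers:create": "rule:admin_or_owner",
    "os_compute_api:os-hypervisors:list": "rule:context_is_admin",
}


def convert_json_policy_to_yaml(json_text, defaults):
    """Return YAML text for a JSON policy file.

    Rules whose check string equals the in-code default are emitted as
    comments, so the service default (and any future change to it) takes
    effect; rules that differ stay active as operator overrides.
    """
    rules = json.loads(json_text)
    lines = []
    for name, check in rules.items():
        if not isinstance(check, str):
            raise ValueError(f"rule {name!r} must map to a check string")
        # A JSON string literal is also a valid double-quoted YAML scalar,
        # so each rule can be written as a one-line YAML mapping entry.
        entry = f"{json.dumps(name)}: {json.dumps(check)}"
        lines.append(f"#{entry}" if defaults.get(name) == check else entry)
    return "\n".join(lines) + "\n"


def active_overrides(yaml_text):
    """Return the rules still in force in the YAML produced above.

    Commented-out lines are skipped; each active line is `"name": "check"`,
    which wrapped in braces is a one-entry JSON object, so json parses it.
    """
    active = {}
    for line in yaml_text.splitlines():
        if line and not line.startswith("#"):
            active.update(json.loads("{" + line + "}"))
    return active
```

Running `active_overrides(convert_json_policy_to_yaml(LEGACY_JSON_POLICY, CODE_DEFAULTS))` yields only the hypervisor-list override; the other three rules are commented out and will follow whatever the service's default becomes.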
