Secure RBAC work

Mohammed Naser mnaser at vexxhost.com
Wed Dec 9 20:53:08 UTC 2020


Hi Lance,

This is amazing work.  I think this has been one of the biggest pain
points in OpenStack and this initiative is great.

Super excited to flip this switch on our public/private clouds
soon(tm) as the progress happens.

Thank you and I hope the projects take a chance at reviewing those changes.

Regards,
Mohammed

On Wed, Dec 9, 2020 at 3:08 PM Lance Bragstad <lbragstad at gmail.com> wrote:
>
> Hey everyone,
>
>
> I wanted to take an opportunity to clarify some work we have been doing upstream, specifically modifying the default policies across projects.
>
>
> These changes are the next phase of an initiative that’s been underway since Queens to fix some long-standing security concerns in OpenStack [0]. For context, we have been gradually improving policy enforcement for years. We started by improving policy formats, registering default policies into code [1], providing better documentation for policy writers, implementing necessary identity concepts in keystone [2], developing support for those concepts in libraries [3][4][5][6][7][8], and consuming all of those changes to provide secure default policies in a way operators can consume and roll out to their users [9][10].
>
>
> All of this work is in line with some high-level documentation we started writing about three years ago [11][12][13].
>
>
> There are a handful of services that have implemented the goals that define secure RBAC by default, but a community-wide goal is still out-of-reach. To help with that, the community formed a pop-up team with a focused objective and disbanding criteria [14].
>
>
> The work we currently have in progress [15] is an attempt to start applying what we have learned from existing implementations to other projects. The hope is that we can complete the work for even more projects in Wallaby. Most deployers looking for this functionality won't be able to use it effectively until all services in their deployment support it.
>
>
> I hope this helps clarify or explain the patches being proposed.
>
>
> As always, I'm happy to elaborate on specific concerns if folks have them.
>
>
> Thanks,
>
>
> Lance
>
>
> [0] https://bugs.launchpad.net/keystone/+bug/968696/
>
> [1] https://governance.openstack.org/tc/goals/selected/queens/policy-in-code.html
>
> [2] https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
>
> [3] https://review.opendev.org/c/openstack/keystoneauth/+/529665
>
> [4] https://review.opendev.org/c/openstack/python-keystoneclient/+/524415
>
> [5] https://review.opendev.org/c/openstack/oslo.context/+/530509
>
> [6] https://review.opendev.org/c/openstack/keystonemiddleware/+/564072
>
> [7] https://review.opendev.org/c/openstack/oslo.policy/+/578995
>
> [8] https://review.opendev.org/q/topic:%22system-scope%22+(status:open%20OR%20status:merged)
>
> [9] https://review.opendev.org/q/status:merged+topic:bp/policy-defaults-refresh+branch:master
>
> [10] https://review.opendev.org/q/topic:%22implement-default-roles%22+(status:open%20OR%20status:merged)
>
> [11] https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-goals-and-roadmap.html
>
> [12] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
>
> [13] https://docs.openstack.org/keystone/latest/contributor/services.html#authorization-scopes
>
> [14] https://governance.openstack.org/tc/reference/popup-teams.html#secure-default-policies
>
> [15] https://review.opendev.org/q/topic:%2522secure-rbac%2522+status:open



-- 
Mohammed Naser
VEXXHOST, Inc.
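Added illustration of the policy concepts the quoted message refers to (policy registered in code, system scope, default roles, and the admin-scoping problem behind [0]); this is editor-written example code, not code from either poster or from OpenStack. It is a toy Python evaluator that mimics the shape of oslo.policy check strings and contrasts a legacy-style default, where the admin role held in any one project satisfies role:admin against every project, with a scope-aware default that only admits a system-scoped admin or a member of the owning project. The Context, Rule and Enforcer classes, the check strings, the policy names, the scope_types handling and the three tokens are all assumptions for illustration, loosely modelled on oslo.policy and oslo.context rather than taken from them.

```python
"""Toy evaluator for oslo.policy-style check strings (added example, not
oslo.policy itself): contrasts a legacy 'role:admin' default, which lets an
admin of one project act on every project, with a scope-aware default."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    """Stand-in for oslo.context.RequestContext (assumed shape)."""
    roles: set
    project_id: Optional[str] = None    # set on project-scoped tokens
    system_scope: Optional[str] = None  # "all" on system-scoped tokens

    @property
    def scope(self):
        return "system" if self.system_scope else "project"


@dataclass
class Rule:
    name: str
    check_str: str
    scope_types: tuple = ("project",)   # token scopes allowed to call this API


class Enforcer:
    """Evaluates role:, system_scope:, project_id:%(project_id)s and rule:
    atoms joined by 'and'/'or' ('or' binds loosest; no parentheses or 'not')."""

    def __init__(self, rules, enforce_scope=True):
        self.rules = {r.name: r for r in rules}
        self.enforce_scope = enforce_scope

    def enforce(self, name, ctx, target):
        """Authorization decision for API policy `name`."""
        rule = self.rules[name]
        # Modelled on oslo.policy's enforce_scope option: a token of the
        # wrong scope is rejected before the check string is evaluated.
        if self.enforce_scope and ctx.scope not in rule.scope_types:
            return False
        return self._eval(rule.check_str, ctx, target)

    def _eval(self, check_str, ctx, target):
        return any(all(self._atom(atom, ctx, target) for atom in alt.split(" and "))
                   for alt in check_str.split(" or "))

    def _atom(self, atom, ctx, target):
        kind, _, value = atom.partition(":")
        if kind == "role":
            return value in ctx.roles
        if kind == "system_scope":
            return ctx.system_scope == value
        if kind == "project_id":    # '%(project_id)s' is filled from the target
            return ctx.project_id is not None and ctx.project_id == value % target
        if kind == "rule":          # referenced rules are not scope-checked again
            return self._eval(self.rules[value].check_str, ctx, target)
        raise ValueError("unsupported check " + atom)


# Illustrative legacy-style default: 'admin' held in any project passes.
LEGACY = Enforcer([Rule("servers:delete", "role:admin or project_id:%(project_id)s")],
                  enforce_scope=False)

# Illustrative scope-aware default in the shape of the secure-RBAC work:
# a system-scoped admin, or a member of the owning project, and nobody else.
SECURE = Enforcer([
    Rule("system_admin_api", "role:admin and system_scope:all", ("system",)),
    Rule("project_member_api", "role:member and project_id:%(project_id)s"),
    Rule("servers:delete", "rule:system_admin_api or rule:project_member_api",
         ("system", "project")),
])

# Constructed tokens and target resource for the demonstration.
ADMIN_OF_A = Context(roles={"admin", "member"}, project_id="project-a")
MEMBER_OF_B = Context(roles={"member"}, project_id="project-b")
SYSTEM_ADMIN = Context(roles={"admin"}, system_scope="all")
SERVER_IN_B = {"project_id": "project-b"}


def can_delete(enforcer, ctx, target=SERVER_IN_B):
    """True when the token may delete the target server under that policy."""
    return enforcer.enforce("servers:delete", ctx, target)


if __name__ == "__main__":
    for label, ctx in [("admin of A", ADMIN_OF_A), ("member of B", MEMBER_OF_B),
                       ("system admin", SYSTEM_ADMIN)]:
        print(f"{label:12} legacy={can_delete(LEGACY, ctx)!s:5} "
              f"secure={can_delete(SECURE, ctx)}")
```

Under the legacy-style rule the admin of project A can delete a server in project B; under the scope-aware rule that request is denied, while a member of project B and a system-scoped admin are still allowed, and a system-scoped token is rejected outright from a project-only rule. In a real deployment the analogous switch is the enforce_scope option (and, in current oslo.policy releases, enforce_new_defaults) in the [oslo_policy] section of each service's configuration, which is why the message stresses that deployers need every service to support the new defaults before turning them on.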


