[all][privsep] Migrate from oslo.rootwrap to oslo.privsep

Iury Gregory iurygregory at gmail.com
Thu Mar 19 15:50:34 UTC 2020


Hi Rodolfo,

Thanks for raising this topic. I like the idea and I can work in the ironic
part.

Em qui., 19 de mar. de 2020 às 16:47, Rodolfo Alonso <ralonsoh at redhat.com>
escreveu:

> Hello all:
>
> With this mail I would like to propose the goal to move away from
> oslo.rootwrap and migrate to
> oslo.privsep. The last one offers a superior security model, faster and
> more secure. During the last
> cycles and since privsep was released, the Community has encouraged the
> usage of privsep and the
> deprecation of any existing code still using rootwrap.
>
> For any developer willing to collaborate, there are plenty of code
> examples, as I’ll provide later,
> implementing and using privsep for new methods and migrations.
>
> If this goal is approved, I'll open a Story (
> https://storyboard.openstack.org/) and any developer
> will be able to add a task for each patch or set of them related. This
> would be the tracker for this
> common effort.
>
>
> PROJECTS TO MIGRATE.
> --------------------
> Projects that are still using rootwrap:
> http://codesearch.openstack.org/?q=rootwrap&i=nope&files=.*.py&repos=
> neutron
> os-brick
> designate
> cinder
> ironic-inspector
> neutron-vpnaas
> nova
> solum
> glance_store
> ironic
> zun
> magnum
> manila
> networking-bagpipe
> sahara
> ceilometer
> cinderlib
> freezer
> ironic-lib
> monasca-agent
> tacker
> tripleo-common
>
>
> USAGE DOCUMENTATION ABOUT PRIVSEP.
> ----------------------------------
> How to create a privsep context, assign privileges and use it as a
> decorator:
> https://docs.openstack.org/oslo.privsep/latest/user/index.html
>
>
> HOW TO MIGRATE FROM ROOTWRAP TO PRIVSEP.
> ----------------------------------------
> From the same link provided previously, in the section “Converting from
> rootwrap to privsep”:
>
> https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-from-rootwrap-to-privsep
>
> oslo.privsep provides a class, PrivContext, that can be used to create a
> decorator function. The
> instance created is a context of execution and has defined a list of
> capabilities, matching the
> Linux capabilities. The privsep context decorator should contain the
> minimum needed capabilities to
> execute the decorated function.
>
> For example:
>
>    default = priv_context.PrivContext(
>       __name__,
>       cfg_section='privsep',
>       pypath=__name__ + '.default',
>       capabilities=[caps.CAP_SYS_ADMIN,
>                     caps.CAP_NET_ADMIN,
>                     caps.CAP_DAC_OVERRIDE,
>                     caps.CAP_DAC_READ_SEARCH,
>                     caps.CAP_SYS_PTRACE],
>    )
>
>
> The function “entrypoint” of this instance can be used as a decorator for
> another function:
>
>    @privileged.default.entrypoint
>    def delete_interface(ifname, namespace, **kwargs):
>        _run_iproute_link("del", ifname, namespace, **kwargs)
>
>
> As commented in the given link, a straight 1:1 filter:function replacement
> generally results in
> functions that are still too broad for good security. It is better to
> replace each chmod rootwrap
> call with a narrow privsep function that will limit it to specific files.
>
>
> MIGRATION EXAMPLES.
> -------------------
> Nova:
>
> https://review.opendev.org/#/q/project:openstack/nova+branch:master+topic:my-own-personal-alternative-universe
> Neutron:
>
> https://review.opendev.org/#/q/status:merged+project:openstack/neutron+branch:master+topic:bug/1492714
> os-vif
> <https://review.opendev.org/#/q/status:merged+project:openstack/neutron+branch:master+topic:bug/1492714os-vif>:
> https://review.opendev.org/#/c/287725/
>
>
> Thank you and regards.
>
>
>
>

-- 


*Att[]'sIury Gregory Melo Ferreira *
*MSc in Computer Science at UFCG*
*Part of the puppet-manager-core team in OpenStack*
*Software Engineer at Red Hat Czech*
*Social*: https://www.linkedin.com/in/iurygregory
*E-mail:  iurygregory at gmail.com <iurygregory at gmail.com>*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200319/619ddf58/attachment.html>


More information about the openstack-discuss mailing list