[policy][rbac] RBAC 2023.2 Bobcat cycle vPTG discussions summary

Ghanshyam Mann gmann at ghanshyammann.com
Tue Apr 4 18:19:36 UTC 2023

Hello Everyone,

We discussed the RBAC goal on Tuesday. I am summarizing the discussion here.

Goal document: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
Tracking: https://etherpad.opendev.org/p/rbac-goal-tracking

Current progress:

Phase-1 (project personas and drop system scope):
Projects completed:
* Nova
* Neutron
* Glance
* Manila
* Ironic (no change needed)
* Octavia
* Placement
* Service that completed Phase 1 in Zed and enabled scope and new defaults by default (enforce_scope=True & enforce_new_defaults=True by default):
** Nova
** Glance

Projects in progress:
* Cinder (almost completed. not using system scope, but have not added scope=['project'] to the default rules (currently, no scope is specified)
* Magnum
** https://review.opendev.org/c/openstack/magnum/+/874945
* Tacker
** https://review.opendev.org/q/topic:bp%252Fimplement-project-personas

Pending work (for phase-2|3):
* Keystone implements a new default role called manager:
** https://review.opendev.org/c/openstack/keystone/+/822601
* Keystone implements a new default role called service:
** https://review.opendev.org/c/openstack/keystone/+/863420

Phase-2 (service role):
* Keystone:
** bootstrap support for servicerole:
*** https://review.opendev.org/c/openstack/keystone/+/863420
** bootstrap support for manager role:
*** https://review.opendev.org/c/openstack/keystone/+/822601
** https://review.opendev.org/c/openstack/nova/+/864594

Other discussion:

*Service role
We discussed the service role and how the policy will add the service role. It is correct to
add service as well as user role as default if that API is supposed to be called by the service
as well as the user role. For example, if Manila is talking to Nova, Cinder, or Neutron via APIs,
it needs to use a service role to interact, and Nova, Cinder, and Neutron can update such API
rules to allow for service roles also.

* Update the goal timeline for removing deprecated rules as per the SLURP release. 
** Need at least 1 SLURP release between enabling the new default and removal.
** Action: gmann to update this in the goal document.

** Manila has a lot of tests and running on the stable release
** Tempest and devstack ready to implement the test
** The current job with nova, cinder, neutron, glance with the scope and new default enable
*** https://zuul.openstack.org/builds?job_name=tempest-full-enforce-scope-new-defaults&skip=0
* Tempest now has a project reader/member same project_id

* Related sessions:
** Tacker
*** Title: Secure RBAC: Implement support of project-personas in Tacker [Continue from Antelope release] (manpreetk)
*** Etherpad:  https://etherpad.opendev.org/p/tacker-bobcat-ptg#L136
** Glance
*** Title: Secure RBAC
*** Etherpad: https://etherpad.opendev.org/p/glance-bobcat-ptg#L53
** Neutron
*** Title: (slaweq) Secure RBAC - phase 2 description and review of the existing API calls
*** Etherpad: https://etherpad.opendev.org/p/neutron-bobcat-ptg#L358

<feel free to add here if I missed any related sessions>

I will continue holding the biweekly meeting to discuss progress and any query on RBAC.
- https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Meeting


More information about the openstack-discuss mailing list