[policy][rbac] RBAC 2023.2 Bobcat cycle vPTG discussions summary
Ghanshyam Mann
gmann at ghanshyammann.com
Tue Apr 4 18:19:36 UTC 2023
Hello Everyone,
We discussed the RBAC goal on Tuesday. I am summarizing the discussion here.
Goal document: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
Tracking: https://etherpad.opendev.org/p/rbac-goal-tracking
Current progress:
=============
Phase-1 (project personas and drop system scope):
------------------------------------------------------------
Projects completed:
* Nova
* Neutron
* Glance
* Manila
* Ironic (no change needed)
* Octavia
* Placement
* Service that completed Phase 1 in Zed and enabled scope and new defaults by default (enforce_scope=True & enforce_new_defaults=True by default):
** Nova
** Glance
Projects in progress:
* Cinder (almost completed. not using system scope, but have not added scope=['project'] to the default rules (currently, no scope is specified)
* Magnum
** https://review.opendev.org/c/openstack/magnum/+/874945
* Tacker
** https://review.opendev.org/q/topic:bp%252Fimplement-project-personas
Pending work (for phase-2|3):
* Keystone implements a new default role called manager:
** https://review.opendev.org/c/openstack/keystone/+/822601
* Keystone implements a new default role called service:
** https://review.opendev.org/c/openstack/keystone/+/863420
Phase-2 (service role):
--------------------------
In-progress:
* Keystone:
** bootstrap support for servicerole:
*** https://review.opendev.org/c/openstack/keystone/+/863420
** bootstrap support for manager role:
*** https://review.opendev.org/c/openstack/keystone/+/822601
*Nova
** https://review.opendev.org/c/openstack/nova/+/864594
Other discussion:
=============
*Service role
We discussed the service role and how the policy will add the service role. It is correct to
add service as well as user role as default if that API is supposed to be called by the service
as well as the user role. For example, if Manila is talking to Nova, Cinder, or Neutron via APIs,
it needs to use a service role to interact, and Nova, Cinder, and Neutron can update such API
rules to allow for service roles also.
* Update the goal timeline for removing deprecated rules as per the SLURP release.
** Need at least 1 SLURP release between enabling the new default and removal.
** Action: gmann to update this in the goal document.
*Testing:
** Manila has a lot of tests and running on the stable release
** Tempest and devstack ready to implement the test
** The current job with nova, cinder, neutron, glance with the scope and new default enable
*** https://zuul.openstack.org/builds?job_name=tempest-full-enforce-scope-new-defaults&skip=0
* Tempest now has a project reader/member same project_id
* Related sessions:
** Tacker
*** Title: Secure RBAC: Implement support of project-personas in Tacker [Continue from Antelope release] (manpreetk)
*** Etherpad: https://etherpad.opendev.org/p/tacker-bobcat-ptg#L136
** Glance
*** Title: Secure RBAC
*** Etherpad: https://etherpad.opendev.org/p/glance-bobcat-ptg#L53
** Neutron
*** Title: (slaweq) Secure RBAC - phase 2 description and review of the existing API calls
*** Etherpad: https://etherpad.opendev.org/p/neutron-bobcat-ptg#L358
<feel free to add here if I missed any related sessions>
I will continue holding the biweekly meeting to discuss progress and any query on RBAC.
- https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Meeting
-gmann
More information about the openstack-discuss
mailing list