
Difference between revisions of "Consistent and Secure Default Policies Popup Team"

(Leads)
 
(25 intermediate revisions by 4 users not shown)
Line 21: Line 21:
 
== Communication ==
 
== Communication ==
  
Use topic:policy-popup in Gerrit.
+
Use topic:secure-rbac in Gerrit.
  
 
Use subject tag [policy] for mailing list discussions.
 
Use subject tag [policy] for mailing list discussions.
Line 28: Line 28:
  
 
== Meeting ==
 
== Meeting ==
The Secure Default Policies popup team holds public biweekly meeting:
+
The Secure Default Policies popup team holds public biweekly meetings:
 
 
* Channel: #openstack-meeting
 
* Time: Thursday biweekly-even at 18:00 UTC.
 
* icall - http://eavesdrop.openstack.org/#Secure_Default_Policies_Popup-Team_Meeting
 
  
 +
* Time: Tuesday biweekly-even (22 Nov 2022,  6 Dec 2022 .... ) at 17:00 UTC.
 +
* https://meetings.opendev.org/#Secure_Default_Policies_Popup-Team_Meeting
 +
* Location: IRC OFTC network in the #openstack-meeting channel
 +
* Agenda: You can add the agenda topics in the below etherpad:
 +
** https://etherpad.opendev.org/p/rbac-goal-tracking#L151
 +
* Logs of past IRC meetings can be accessed at: https://meetings.opendev.org/meetings/policy_popup/
 
Everyone interested in the Secure Default Policies and planning to implement those in your project should attend!
 
Everyone interested in the Secure Default Policies and planning to implement those in your project should attend!
 
=== Agenda ===
 
 
https://etherpad.opendev.org/p/default-policy-meeting-agenda
 
  
 
== Leads ==
 
== Leads ==
  
# Raildo Mascena <rmascena@redhat.com> (raildo)
 
 
# Ghanshyam Mann <gmann@ghanshyammann.com> (gmann)
 
# Ghanshyam Mann <gmann@ghanshyammann.com> (gmann)
  
Line 48: Line 45:
  
 
* Barbican: Douglas Mendizábal (redrobot)
 
* Barbican: Douglas Mendizábal (redrobot)
 +
* Designate: Michael Johnson (johnsom)
 
* Nova: Ghanshyam Mann (gmann)
 
* Nova: Ghanshyam Mann (gmann)
* Neutron: Miguel Lavalle (mlavalle)
+
* Neutron: Slawek Kaplonski (slaweq)
 +
* Octavia: Michael Johnson (johnsom)
 
* Cinder: Brian Rosmaita (rosmaita)
 
* Cinder: Brian Rosmaita (rosmaita)
 
* Cyborg: Yumeng Bao (yumeng_bao@yahoo.com)
 
* Cyborg: Yumeng Bao (yumeng_bao@yahoo.com)
Line 57: Line 56:
  
 
* Mohammed Naser <mnaser@vexxhost.com>
 
* Mohammed Naser <mnaser@vexxhost.com>
* Douglas Mendizábal (IRC: redrobot) - Barbican - We're supere interested in getting this implemented for Barbican
+
* Douglas Mendizábal (IRC: dmendiza[m]) - Keystone & Barbican  
 
* Ade Lee (ade_lee) - barbican
 
* Ade Lee (ade_lee) - barbican
 
* Miguel Lavalle (mlavalle) - neutron
 
* Miguel Lavalle (mlavalle) - neutron
Line 67: Line 66:
 
* Ghanshyam Mann (gmann)
 
* Ghanshyam Mann (gmann)
 
* Vishakha Agarwal (vishakha)-  Keystone
 
* Vishakha Agarwal (vishakha)-  Keystone
 +
* Slawek Kaplonski (slaweq) - Neutron
  
== Pre-work for projects to provide a smooth migration plan to new policy ==
+
== Pre-work to provide a smooth migration path to the new policy ==
 
 
# Migrate Default Policy Format from JSON to YAML
 
#:* Reference links
 
#:** https://blueprints.launchpad.net/oslo.policy/+spec/policy-json-to-yaml
 
#:** https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html
 
#:** https://review.opendev.org/#/q/topic:bp/policy-json-to-yaml+(status:open+OR+status:merged)
 
#:* what projects need to do:
 
#:** 1st item in this [https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html#work-items Work Items list]
 
#:** Example of Nova: https://review.opendev.org/#/c/748059/
 
 
 
== Team Progress ==
 
 
 
=== Keystone (COMPLETED; use as a reference) ===
 
 
 
* Reference links
 
** http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ongoing/policy-goals-and-roadmap.html
 
** https://bugs.launchpad.net/keystone/+bugs?field.status%3Alist=FIXRELEASED&field.tag=default-roles+system-scope&field.tags_combinator=ANY
 
** Keystone PTG Victoria: https://etherpad.opendev.org/p/victoria-ptg-keystone
 
 
 
=== Nova (COMPLETED; use as a reference) ===
 
 
 
* Reference links
 
** https://specs.openstack.org/openstack/nova-specs/specs/ussuri/approved/policy-defaults-refresh.html
 
** https://blueprints.launchpad.net/nova/+spec/policy-defaults-refresh-deprecated-apis
 
** Nova PTG Victoria: https://etherpad.opendev.org/p/nova-victoria-ptg
 
 
 
=== Cyborg (in-progress) ===
 
 
 
* Reference links
 
** https://wiki.openstack.org/wiki/Cyborg/Policy
 
** https://review.opendev.org/699099
 
** https://storyboard.openstack.org/#!/story/2007024
 
** https://review.opendev.org/#/q/topic:policy-popup+(status:open+OR+status:merged)
 
** P0: A full framework with basic policies and one API policy as an example(called device_profile policy): https://review.opendev.org/#/c/740542/
 
 
 
=== Barbican (not started) ===
 
 
 
* https://wiki.openstack.org/wiki/Barbican/Policy
 
* PTG Victoria discussion: https://etherpad.opendev.org/p/victoria-ptg-barbican
 
 
 
=== Neutron (not started) ===
 
 
 
* Reference links
 
** https://etherpad.opendev.org/p/neutron-victoria-ptg
 
 
 
=== Cinder (not started) ===
 
 
 
none yet
 
  
=== Manila (not started) ===
+
* Migrate Default Policy Format from JSON to YAML (All projects): COMPLETED
 +
** http://lists.openstack.org/pipermail/openstack-discuss/2021-June/023327.html
 +
** Reference links
 +
*** https://blueprints.launchpad.net/oslo.policy/+spec/policy-json-to-yaml
 +
*** https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html
 +
*** https://review.opendev.org/#/q/topic:bp/policy-json-to-yaml+(status:open+OR+status:merged)
 +
** what projects need to do:
 +
*** 1st item in this [https://specs.openstack.org/openstack/oslo-specs/specs/victoria/policy-json-to-yaml.html#work-items Work Items list]
 +
*** Example of Nova: https://review.opendev.org/#/c/748059/
  
* Reference links
+
* Improving documentation about target resources (oslo.policy)
* Manila PTG Victoria: https://etherpad.opendev.org/p/manila-todos
+
** https://bugs.launchpad.net/oslo.policy/+bug/1886857
 +
**https://review.opendev.org/#/c/743318/
  
== Reviews ==
+
== Community Wide Goal & Current progress ==
  
https://review.opendev.org/#/q/is:open+topic:policy-popup
+
* Goal Doc: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
 +
* Tracking & Current Progress: https://etherpad.opendev.org/p/rbac-goal-tracking
 +
* Gerrit Topic: https://review.opendev.org/q/topic:%2522secure-rbac%2522+status:open
  
 
== References ==
 
== References ==

Latest revision as of 01:08, 14 March 2023

Problem Description

Existing policy defaults suffer from three major faults:

  1. the admin-ness problem: use of policy rules like 'is_admin' or hard-coded is-admin checks results in the admin-anywhere-admin-everywhere problem and drastically inhibits true multi-tenancy since by default customers cannot have admin rights on their own projects or domains
  2. insecure custom roles: many policy rules simply use "" as the rule, which means there is no rule: anyone can perform that action. This means that creating a custom role (say, "nova-autoscaler") requires editing every policy file across every service to block users with that role from performing actions unrelated to it
  3. related to #2, no support for read-only roles: keystone now has a "reader" role that comes out of the box when keystone is bootstrapped, but it currently has very little value because of the use of empty rules in service policies: users with the "reader" role can still perform write actions on services if the policy rule for such an action is empty.

Team Goal

The keystone project has migrated all of its default policies to 1) use oslo.policy's scope_types attribute, which allows the policy engine to understand "system scope" and distinguish between an admin role assignment on a project versus an admin role assignment on the entire system, 2) ensure all rules use one of the default roles (admin, member, and reader) which both ensures support for a read-only role and prevents custom roles from accidental over-permissiveness. Although the problems being solved are slightly different, the keystone team found it was easiest to migrate everything at once. The rest of the OpenStack services can use this migration as a template for securing their own policies.
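As an added illustration (not code from the wiki page, and not oslo.policy's own implementation), the following small Python model of check-string evaluation shows the three faults above and how scope_types plus the default roles address them. The policy names, rules and credential dictionaries are constructed samples, and the evaluator is a simplified stand-in for oslo.policy's Enforcer.

```python
# Added example, not code from the wiki page or from oslo.policy itself: a
# small evaluator for oslo.policy-style check strings, used to show the three
# faults above (empty "" rules, admin-anywhere, no usable read-only role) and
# how scope_types plus the default roles admin/member/reader close them.
# Supported: "", "role:X", "rule:X", "system_scope:all", "attr:%(attr)s",
# "and" and "or" without parentheses; "and" binds tighter than "or".

def _atom(atom, target, creds, rules):
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return _check(rules[value], target, creds, rules)
    if kind == "system_scope":
        return creds.get("system_scope") == value
    if value.startswith("%(") and value.endswith(")s"):  # creds attr vs target attr
        return creds.get(kind) is not None and creds[kind] == target.get(value[2:-2])
    raise ValueError(f"unsupported check: {atom!r}")

def _check(rule, target, creds, rules):
    if rule.strip() == "":  # empty rule: no check at all, anyone is allowed
        return True
    return any(all(_atom(a, target, creds, rules) for a in clause.split(" and "))
               for clause in rule.split(" or "))

def enforce(rules, scope_types, action, target, creds):
    """Mimic Enforcer.enforce() with [oslo_policy] enforce_scope = True."""
    token_scope = "system" if creds.get("system_scope") == "all" else "project"
    if action in scope_types and token_scope not in scope_types[action]:
        return False  # token scope does not match the API's scope_types
    return _check(rules[action], target, creds, rules)

# Constructed sample of legacy defaults showing the faults the page lists.
LEGACY = {
    "admin_api": "role:admin",  # admin on any project is admin everywhere
    "os_compute_api:servers:delete": "",  # empty: reader or a custom role may delete
    "os_compute_api:os-services:update": "rule:admin_api",
}
LEGACY_SCOPES = {}  # no scope_types declared, so scope is never checked

# Constructed sample of secure defaults built on default roles and scope.
SECURE = {
    "system_admin": "role:admin and system_scope:all",
    "project_member": "role:member and project_id:%(project_id)s",
    "project_reader": "role:reader and project_id:%(project_id)s",
    "os_compute_api:servers:delete": "rule:project_member",
    "os_compute_api:servers:show": "rule:project_reader",
    "os_compute_api:os-services:update": "rule:system_admin",
}
SECURE_SCOPES = {"os_compute_api:servers:delete": ["project"],
                 "os_compute_api:servers:show": ["project"],
                 "os_compute_api:os-services:update": ["system"]}
```

Running the same credentials through LEGACY and SECURE makes the difference visible: a reader or a "nova-autoscaler" role can delete servers under the empty rule but not under project_member, and a project-scoped admin is no longer treated as a system admin.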

Popup Team Completion Criteria

This team will be disbanded after:

  1. The majority of the projects listed below have completed their policy migrations
  2. A document is published detailing any pitfalls, lessons learned, and best practices that other teams should be aware of
  3. A community goal is proposed and accepted by the TC

Communication

Use topic:secure-rbac in Gerrit.

Use subject tag [policy] for mailing list discussions.

Use #openstack-dev for synchronous discussions.

Meeting

The Secure Default Policies popup team holds public biweekly meetings:

Everyone interested in the Secure Default Policies and planning to implement them in their project should attend!

Leads

  1. Ghanshyam Mann <gmann@ghanshyammann.com> (gmann)

Liaisons

  • Barbican: Douglas Mendizábal (redrobot)
  • Designate: Michael Johnson (johnsom)
  • Nova: Ghanshyam Mann (gmann)
  • Neutron: Slawek Kaplonski (slaweq)
  • Octavia: Michael Johnson (johnsom)
  • Cinder: Brian Rosmaita (rosmaita)
  • Cyborg: Yumeng Bao (yumeng_bao@yahoo.com)
  • Manila: Goutham Pacha Ravi (gouthamr)

Members

  • Mohammed Naser <mnaser@vexxhost.com>
  • Douglas Mendizábal (IRC: dmendiza[m]) - Keystone & Barbican
  • Ade Lee (ade_lee) - barbican
  • Miguel Lavalle (mlavalle) - neutron
  • Chandan Kumar (chandankumar/raukadah) <chkumar@redhat.com> - Help on Tempest and Patrole side
  • Akihiro Motoki (amotoki) - horizon (horizon needs to support the new mechanism of policy definitions. It is different from server side support, so the team needs to explore its own way)
  • Tobias Rydberg (tobberydberg)
  • Erik McCormick <emccormick@cirrusseven.com> (emccormick)
  • Tergel Munkhbat tergel@fibo.cloud
  • Ghanshyam Mann (gmann)
  • Vishakha Agarwal (vishakha) - Keystone
  • Slawek Kaplonski (slaweq) - Neutron

Pre-work to provide a smooth migration path to the new policy

Community Wide Goal & Current progress

References