
Difference between revisions of "Cyborg/Policy"

 
(14 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
|-
 
|-
 
! colspan="2" |
 
! colspan="2" |
! colspan="3" | Project-scope
+
! colspan="3" | Project-scope(new policy)
! colspan="3" | System-scope
+
! colspan="3" | System-scope(new policy)
 
|-
 
|-
! Route !! Method !! reader !! member !! admin !! reader !! member !! admin || no auth || RBAC Name || Notes
+
! Route !! Method !! reader !! member !! admin !! reader !! member !! admin || no auth || legacy policy ||RBAC Name || Notes
 
|-
 
|-
| /    || GET ||  ||  ||  ||  ||  ||  || x || N/A || No restrictions on this route
+
| /    || GET ||  ||  ||  ||  ||  ||  || x || N/A|| N/A || No restrictions on this route
 
|-
 
|-
| /v2 || GET ||  ||  ||  ||  ||  ||  || x || N/A || No restrictions on this route
+
| /v2 || GET ||  ||  ||  ||  ||  ||  || x || N/A|| N/A || No restrictions on this route
 
|-
 
|-
| rowspan="2" | /v2/device_profiles || GET || x ||  ||  ||   ||  ||  ||   || cyborg:device_profile:get_all ||
+
| rowspan="2" | /v2/device_profiles || GET || x(system_admin_or_project_reader) ||  ||  || x  ||  ||  ||  || admin_or_owner|| cyborg:device_profile:get_all ||
 
|-
 
|-
| POST ||  ||  ||  ||  ||  || x ||  || cyborg:device_profile:create ||
+
| POST ||  ||  ||  ||  ||  || x ||  || admin|| cyborg:device_profile:create ||
 
|-
 
|-
| rowspan="2" | /v2/device_profiles/{device_profiles_uuid} || GET || x ||  ||  || x ||  ||  ||  || cyborg:device_profile:get_one ||  
+
| rowspan="2" | /v2/device_profiles/{device_profiles_uuid} || GET || x(system_admin_or_project_reader) ||  ||  || x ||  ||  ||  || admin_or_owner || cyborg:device_profile:get_one ||  
 
|-
 
|-
| DELETE ||  ||  ||  ||  ||  || x ||  || cyborg:device_profile:delete ||
+
| DELETE ||  ||  ||  ||  ||  || x ||  || admin_or_owner || cyborg:device_profile:delete ||
 
|-
 
|-
| /v2/device_profiles?value={device_profile_name1},{device_profile_name2} || DELETE ||  ||  ||  ||  ||  || x ||  || cyborg:device_profile:delete ||
+
| /v2/device_profiles?value={device_profile_name1},{device_profile_name2} || DELETE ||  ||  ||  ||  ||  || x ||  || admin_or_owner || cyborg:device_profile:delete ||
 
|-
 
|-
| rowspan="2" | /v2/accelerator_requests || GET || x ||  ||  ||  ||  ||  || || cyborg:arq:get_all ||
+
| rowspan="2" | /v2/accelerator_requests || GET || x(system_or_project_reader) ||  ||  || x ||  ||  ||  || admin_or_owner || cyborg:arq:get_all ||
 
|-
 
|-
| POST ||  || x ||  ||  ||  ||  || || cyborg:arq:create || current rule: any role is allowed to do post action.This is too permissive,instead it should be at least "role:member" with scope_type ["project"]  
+
| POST ||  || x(system_admin_or_project_owner) ||  ||  ||  || x ||  || any_user || cyborg:arq:create || current rule: any role is allowed to do post action.This is too permissive,instead it should be at least "role:member" with scope_type ["project"]  
 
|-
 
|-
| rowspan="2" | /v2/accelerator_requests/{arq_uuid} || GET || x ||  ||  ||  ||  ||  || || cyborg:arq:get_one ||  
+
| rowspan="2" | /v2/accelerator_requests/{arq_uuid} || GET || x(system_or_project_reader) ||  ||  || x ||  ||  ||  || admin_or_owner || cyborg:arq:get_one ||  
 
|-
 
|-
| PATCH ||  ||  || x(admin_or_owner) ||  ||  ||  ||  || cyborg:arq:update ||  
+
| PATCH ||  || x(system_admin_or_project_owner) ||  ||  ||  || x ||  || admin_or_owner || cyborg:arq:update ||  
 
|-
 
|-
| /v2/accelerator_requests?arqs={arq_uuid} || DELETE ||  ||  || x(admin_or_owner) ||  ||  ||  ||  || cyborg:arq:delete ||
+
| /v2/accelerator_requests?arqs={arq_uuid} || DELETE ||  || x(system_admin_or_project_owner) ||  ||  ||  || x ||  || admin_or_owner || cyborg:arq:delete ||
 
|-
 
|-
| /v2/accelerator_requests?instance={instance_uuid} || DELETE ||  ||  || x(admin_or_owner) ||  ||  ||  ||  || cyborg:arq:delete ||
+
| /v2/accelerator_requests?instance={instance_uuid} || DELETE ||  || x(system_admin_or_project_owner) ||  ||  ||  || x ||  || admin_or_owner || cyborg:arq:delete ||
 
|-
 
|-
| rowspan="3" | /v2/devices || GET || x ||  ||  || x ||  ||  ||  || cyborg:device:get_all ||
+
| rowspan="3" | /v2/devices || GET || ||  ||  || x ||  ||  ||  || any_user || cyborg:device:get_all ||
 
|-
 
|-
| GET || x ||  ||  || x ||  ||  ||  || cyborg:device:get_one ||
+
| GET || ||  ||  || x ||  ||  ||  || any_user || cyborg:device:get_one ||
 
|-
 
|-
| PATCH ||  ||  ||  ||  ||  || x ||  || cyborg:device:update || Update the firmware or shell image (FPGA bitstream) for the specified device
+
| PATCH ||  ||  ||  ||  ||  || x ||  || N/A|| cyborg:device:update || Disable or Enable the specified device
 
|-
 
|-
| /v2/deployables/{uuid} || PATCH ||  ||  || x ||  ||  ||  ||  || cyborg:deployable:update || Update the FPGA bitstream for the specified deployable.
+
| /v2/deployables/{uuid} || PATCH ||  ||  || x ||  ||  ||  ||  || N/A|| cyborg:deployable:update || Update the shell image/FPGA bitstream to custom user logic for the specified deployable.
 
|-
 
|-
 
|}
 
|}
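Review bot: the new-policy columns for cyborg:device_profile:delete (the DELETE row for /v2/device_profiles/{device_profiles_uuid} and the /v2/device_profiles?value=... row) mark only the system-scope admin, while the legacy policy column records admin_or_owner; if dropping the project owner's ability to delete its own device profile is intended, say so in Notes, otherwise add the project-scope mark the way the cyborg:arq:delete rows do. Also, the GET rows for /v2/device_profiles and /v2/device_profiles/{device_profiles_uuid} put the system-scope x in the reader column but label it x(system_admin_or_project_reader); either the label or the column should change so the two agree, as they already do for cyborg:arq:get_all (system_or_project_reader).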

Latest revision as of 10:22, 21 September 2020

{|
|-
! colspan="2" |
! colspan="3" | Project-scope (new policy)
! colspan="3" | System-scope (new policy)
|-
! Route !! Method !! reader !! member !! admin !! reader !! member !! admin !! no auth !! legacy policy !! RBAC Name !! Notes
|-
| / || GET ||  ||  ||  ||  ||  ||  || x || N/A || N/A || No restrictions on this route
|-
| /v2 || GET ||  ||  ||  ||  ||  ||  || x || N/A || N/A || No restrictions on this route
|-
| rowspan="2" | /v2/device_profiles || GET || x(system_admin_or_project_reader) ||  ||  || x ||  ||  ||  || admin_or_owner || cyborg:device_profile:get_all ||
|-
| POST ||  ||  ||  ||  ||  || x ||  || admin || cyborg:device_profile:create ||
|-
| rowspan="2" | /v2/device_profiles/{device_profiles_uuid} || GET || x(system_admin_or_project_reader) ||  ||  || x ||  ||  ||  || admin_or_owner || cyborg:device_profile:get_one ||
|-
| DELETE ||  ||  ||  ||  ||  || x ||  || admin_or_owner || cyborg:device_profile:delete ||
|-
| /v2/device_profiles?value={device_profile_name1},{device_profile_name2} || DELETE ||  ||  ||  ||  ||  || x ||  || admin_or_owner || cyborg:device_profile:delete ||
|-
| rowspan="2" | /v2/accelerator_requests || GET || x(system_or_project_reader) ||  ||  || x ||  ||  ||  || admin_or_owner || cyborg:arq:get_all ||
|-
| POST ||  || x(system_admin_or_project_owner) ||  ||  ||  || x ||  || any_user || cyborg:arq:create || Current rule: any role is allowed to POST. This is too permissive; instead it should be at least "role:member" with scope_type ["project"].
|-
| rowspan="2" | /v2/accelerator_requests/{arq_uuid} || GET || x(system_or_project_reader) ||  ||  || x ||  ||  ||  || admin_or_owner || cyborg:arq:get_one ||
|-
| PATCH ||  || x(system_admin_or_project_owner) ||  ||  ||  || x ||  || admin_or_owner || cyborg:arq:update ||
|-
| /v2/accelerator_requests?arqs={arq_uuid} || DELETE ||  || x(system_admin_or_project_owner) ||  ||  ||  || x ||  || admin_or_owner || cyborg:arq:delete ||
|-
| /v2/accelerator_requests?instance={instance_uuid} || DELETE ||  || x(system_admin_or_project_owner) ||  ||  ||  || x ||  || admin_or_owner || cyborg:arq:delete ||
|-
| rowspan="3" | /v2/devices || GET ||  ||  ||  || x ||  ||  ||  || any_user || cyborg:device:get_all ||
|-
| GET ||  ||  ||  || x ||  ||  ||  || any_user || cyborg:device:get_one ||
|-
| PATCH ||  ||  ||  ||  ||  || x ||  || N/A || cyborg:device:update || Disable or enable the specified device
|-
| /v2/deployables/{uuid} || PATCH ||  ||  || x ||  ||  ||  ||  || N/A || cyborg:deployable:update || Update the shell image/FPGA bitstream to custom user logic for the specified deployable.
|}

Reference:

Questions (tied to RBAC Name):

  • cyborg:arq:create
    • (Yumeng) current rule: any role is allowed to do the POST action. This is too permissive; instead, it should be at least "role:member" with scope_type ["project"]
  • cyborg:device:get_all
  • cyborg:device:update
    • (Yumeng) Is it necessary to allow a system-scope user to read and update one device? For example, when one device is shared by different projects, we should allow a role at a system-scope level to access this device, right?
      • (Yumeng) yes, we agreed on the weekly meeting that a device is a system-level resource, so sys_admin is required for device: update.

http://eavesdrop.openstack.org/meetings/openstack_cyborg/2020/openstack_cyborg.2020-02-06-03.01.log.html#l-143

  • cyborg:deployable:update
    • (Yumeng) ditto for deployable update
      • (Yumeng) we agreed that deployable: update requires project_admin.

http://eavesdrop.openstack.org/meetings/openstack_cyborg/2020/openstack_cyborg.2020-02-06-03.01.log.html#l-143
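To make the matrix above and the answers to the questions concrete, here is an added example (not Cyborg's or oslo.policy's code) of how the new rules behave once they are written as oslo.policy-style check strings with scope types. The check strings in NEW_POLICY and LEGACY_POLICY are this example's own rendering of the table's shorthand (x(system_admin_or_project_owner), any_user, and so on); Cyborg's real policy.yaml may spell them differently. The sample tokens and targets are constructed. The evaluator supports the subset of check-string syntax the matrix needs: role:<name>, key:<literal>, key:%(field)s, and/or, and parentheses.

```python
# Added example (not Cyborg's or oslo.policy's code): a minimal evaluator for
# oslo.policy-style check strings, used to exercise the policy matrix above.
# The check strings and scope lists below are this example's own rendering of the
# table's shorthand (x(system_admin_or_project_owner), any_user, ...); Cyborg's
# real policy.yaml may spell them differently.
import re

# rule name -> (check string, scope types the rule accepts)
NEW_POLICY = {
    "cyborg:arq:create": ("(role:admin and system_scope:all) or "
                          "(role:member and project_id:%(project_id)s)", ["system", "project"]),
    "cyborg:device:get_all": ("role:reader and system_scope:all", ["system"]),
    "cyborg:device:update": ("role:admin and system_scope:all", ["system"]),
    "cyborg:deployable:update": ("role:admin and project_id:%(project_id)s", ["project"]),
}
# The legacy "any_user" rule the table flags as too permissive: an empty check
# string passes every authenticated caller in any scope.
LEGACY_POLICY = {"cyborg:arq:create": ("", ["system", "project"])}

_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:(?:%\([A-Za-z_]+\)s|[^\s()]+)")

class _Parser:
    """expr = term ('or' term)*; term = factor ('and' factor)*; factor = '(' expr ')' | atom."""

    def __init__(self, tokens, creds, target):
        self.toks, self.i, self.creds, self.target = tokens, 0, creds, target

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def expr(self):
        value = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()  # evaluated unconditionally so every token is consumed
            value = value or rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self):
        tok = self.take()
        if tok != "(":
            return self.atom(tok)
        value = self.expr()
        if self.take() != ")":
            raise ValueError("unbalanced parentheses in check string")
        return value

    def atom(self, tok):
        key, val = tok.split(":", 1)
        if key == "role":  # role:<name>: the token carries that role
            return val in self.creds.get("roles", ())
        ref = re.fullmatch(r"%\((\w+)\)s", val)
        if ref:  # key:%(field)s: credential field must equal the target's field
            return str(self.creds.get(key)) == str(self.target.get(ref.group(1)))
        return str(self.creds.get(key)) == val  # key:<literal>, e.g. system_scope:all

def check(check_str, creds, target):
    """Evaluate one check string; "" is oslo.policy's always-true rule."""
    tokens = _TOKEN.findall(check_str)
    if not tokens:
        return True
    parser = _Parser(tokens, creds, target)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in check string")
    return result

def token_scope(creds):
    """A token carrying system_scope is system-scoped; anything else is project-scoped."""
    return "system" if creds.get("system_scope") else "project"

def authorize(policy, rule, creds, target, enforce_scope=True):
    """Deny a scope mismatch first (oslo.policy raises InvalidScope), then run the check."""
    check_str, scope_types = policy[rule]
    if enforce_scope and token_scope(creds) not in scope_types:
        return False
    return check(check_str, creds, target)

# Constructed sample tokens (Keystone-style role lists) and target resources.
PROJECT_READER = {"roles": ["reader"], "project_id": "proj-a"}
PROJECT_MEMBER = {"roles": ["member", "reader"], "project_id": "proj-a"}
PROJECT_ADMIN = {"roles": ["admin", "member", "reader"], "project_id": "proj-a"}
SYSTEM_ADMIN = {"roles": ["admin", "member", "reader"], "system_scope": "all"}
OWN, OTHER = {"project_id": "proj-a"}, {"project_id": "proj-b"}

def demo():
    """Outcomes under the legacy rule versus the new policy."""
    return {
        "legacy: project reader creates ARQ": authorize(LEGACY_POLICY, "cyborg:arq:create", PROJECT_READER, OWN),
        "new: project reader creates ARQ": authorize(NEW_POLICY, "cyborg:arq:create", PROJECT_READER, OWN),
        "new: project member creates ARQ in own project": authorize(NEW_POLICY, "cyborg:arq:create", PROJECT_MEMBER, OWN),
        "new: project member creates ARQ in other project": authorize(NEW_POLICY, "cyborg:arq:create", PROJECT_MEMBER, OTHER),
        "new: project admin updates device": authorize(NEW_POLICY, "cyborg:device:update", PROJECT_ADMIN, {}),
        "new: system admin updates device": authorize(NEW_POLICY, "cyborg:device:update", SYSTEM_ADMIN, {}),
        "new: system admin updates deployable": authorize(NEW_POLICY, "cyborg:deployable:update", SYSTEM_ADMIN, OWN),
        "new: project admin updates deployable": authorize(NEW_POLICY, "cyborg:deployable:update", PROJECT_ADMIN, OWN),
    }
```

Two details worth noticing when reading demo(): the legacy empty rule lets a project reader create an ARQ, which is exactly what the Notes column calls too permissive, while the new rule denies the reader, denies a member acting on another project's ARQ, and, because scope is enforced before the check string runs, refuses a system-scoped token on the project-only deployable:update rule and a project-scoped admin on the system-only device:update rule, matching the meeting outcomes recorded under the questions.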