Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft: Roles Standard #590

Draft
wants to merge 26 commits into
base: main
Choose a base branch
from
Draft

Draft: Roles Standard #590

wants to merge 26 commits into from

Conversation

markus-hentsch
Copy link
Contributor

Adds a standard to define all RBAC roles and permissions in the SCS IaaS layer.

Resolves SovereignCloudStack/issues#396

Supersedes #378

@berendt
Copy link
Contributor

berendt commented May 15, 2024

Does it makes sense not to only link the domain-manager role standard but also to list the domain-manager role inside this standard?

@markus-hentsch
Copy link
Contributor Author

Does it makes sense not to only link the domain-manager role standard but also to list the domain-manager role inside this standard?

It is listed as "manager" under the core roles. It isn't called domain-manager anymore, see https://docs.scs.community/standards/scs-0302-v1-domain-manager-role/#change-the-naming-of-the-domain-manager-role-to-align-with-upstream

Signed-off-by: Markus Hentsch <[email protected]>
Comment on lines 107 to 111
To improve user experience and make the encryption features easily accessible, this standard should adjust the Key Manager API policies to extend permissions referencing the Barbican-specific "creator" role by the "member" role.
This offers users easy access to the Key Manager API and aligns the permission set with the future rework (as per `enforce_new_defaults`), because it will later replace the "creator" role by the "member" role entirely.

The "creator" role will be kept for compatibility reasons concerning service integration.
For example, the block storage service Cinder usually has a technical user in Keystone possessing the "creator" role in the "service" project.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FTR, I considered replacing the "creator" role by "member" entirely. However, I decided against it for the following reasons:

  • both DevStack and RedHat setups1 seem to assign the "creator" role to a "cinder" user in the "service" project, which is registered in Cinder's [keystone_authtoken] config section
  • mandating to switch Cinder's service user to "member" role here could open up permissions in other services' APIs potentially which otherwise wouldn't react to the "creator" role (which is Barbican-specific)
    • without enforce_scope (which this standard cannot use), the scoping would not protect us here

However, I'm not exactly sure in which workflow Cinder needs its own Barbican-enabled role, i.e. what the reasoning for this is. Usually, the user's auth token is passed around during requests so it would simply take the role permissions from there. However, it is most likely there for a reason, so I'm leaving it in because I don't know the context and don't want to break things.

Footnotes

  1. https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/manage_secrets_with_openstack_key_manager/encrypting_cinder_volumes#overview_of_the_migration_steps

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess Cinder will need it in case of a deletion of an encrypted volume (to delete the key) or to create a backup or snapshot (to copy the key). Maybe there is an edge case, where e.g. a backup is not triggered by someone from the project (hence no chance to aquire the key) or a deletion of a key is done so late, that the user conetxt is already omitted, so cinder does not have the token of the user anymore.

@markus-hentsch
Copy link
Contributor Author

markus-hentsch commented May 17, 2024

Does it makes sense not to only link the domain-manager role standard but also to list the domain-manager role inside this standard?

It is listed as "manager" under the core roles. It isn't called domain-manager anymore, see https://docs.scs.community/standards/scs-0302-v1-domain-manager-role/#change-the-naming-of-the-domain-manager-role-to-align-with-upstream

FTR, I have now moved the role from core roles to service-specific roles after some more research. For the rationale see the new 'Classification of the "manager" role' section under the Design Considerations.

Copy link
Contributor

@josephineSei josephineSei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this is a very unfortunate time to write a role standard.

So maybe we should discuss this in a bigger group, if we somehow can make it easier for you. (E.g. kick heat from the supported list?)

Standards/scs-03XX-v1-standard-roles.md Outdated Show resolved Hide resolved
Standards/scs-03XX-v1-standard-roles.md Outdated Show resolved Hide resolved
Comment on lines 107 to 111
To improve user experience and make the encryption features easily accessible, this standard should adjust the Key Manager API policies to extend permissions referencing the Barbican-specific "creator" role by the "member" role.
This offers users easy access to the Key Manager API and aligns the permission set with the future rework (as per `enforce_new_defaults`), because it will later replace the "creator" role by the "member" role entirely.

The "creator" role will be kept for compatibility reasons concerning service integration.
For example, the block storage service Cinder usually has a technical user in Keystone possessing the "creator" role in the "service" project.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess Cinder will need it in case of a deletion of an encrypted volume (to delete the key) or to create a backup or snapshot (to copy the key). Maybe there is an edge case, where e.g. a backup is not triggered by someone from the project (hence no chance to aquire the key) or a deletion of a key is done so late, that the user conetxt is already omitted, so cinder does not have the token of the user anymore.

Standards/scs-03XX-v1-standard-roles.md Outdated Show resolved Hide resolved
Standards/scs-03XX-v1-standard-roles.md Outdated Show resolved Hide resolved
Standards/scs-03XX-v1-standard-roles.md Outdated Show resolved Hide resolved
Copy link
Contributor

@josephineSei josephineSei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is going into a good direction.


#### API Policies

TODO: what does the CSP need to adhere to when it comes to API policy configuration?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this is more kind of an implementation note?
Because policy adjustments might occur more often than a change of the role model itself.

And the policy I am thinking about is the network rbac - which might be changed in the external network standard to only allow admin role to use it: #572

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the last part I need to figure out for the standard: what to put here.

We will definitely need to make sure that CSPs apply the special policy templates offered by Octavia1 so that the LBaaS API will be aligned with the reader, member, admin model.

Other than that, we're pretty much in line with the in-code defaults now that we can use Secure RBAC. I need to double check but I think there won't be much more needed to be added here in terms of strict guidelines.

Footnotes

  1. https://docs.openstack.org/octavia/2024.1/configuration/policy.html#openstack-default-roles-policy-override-file

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added Octavia there now plus some general do's and dont's. It's pretty brief and I don't think it justifies an implementation note split currently.

And the policy I am thinking about is the network rbac - which might be changed in the external network standard to only allow admin role to use it: #572

@josephineSei I'm wondering whether this should be part of the corresponding network standard or this role standard. I think it's more a detail of how the networking stuff works and is to be used, not a general role model or scoping thing. So I'm leaning more towards addressing this in the network standards if there is a network standard that would fit.

**Description:** SCS standard that lists mandatory and supported OpenStack APIs for SCS clouds.
This list is decisive for the standard on roles as all applicable services need to be taken into consideration.

**Link:** TBD <!-- https://github.com/SovereignCloudStack/standards/pull/587 -->
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs to be replaced by a genuine link once #587 is merged.

... it is part of the SCS Key Manager standard now.

Signed-off-by: Markus Hentsch <[email protected]>
@markus-hentsch
Copy link
Contributor Author

FTR, I removed the part about the role adjustment for Barbican and linked the corresponding implementation notes of the Key Manager standard in the related documents section instead, since this is part of that standard now.

@markus-hentsch
Copy link
Contributor Author

FTR, I think this PR will need to stay in draft state as long as upstream has remaining incompatibilities with enforce_new_defaults in any of the SCS-mandatory/supported services (esp. Cinder and Barbican), see SovereignCloudStack/issues#396 (comment)

This standard must be able to rely fully on the newer SRBAC model (reader, member, admin) without any service-specific exceptions, in my opinion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
SCS-VP10 Related to tender lot SCS-VP10
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Define list of useful SCS-standardized roles in OpenStack
4 participants