-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft: Roles Standard #590
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Does it makes sense not to only link the domain-manager role standard but also to list the domain-manager role inside this standard? |
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
It is listed as "manager" under the core roles. It isn't called domain-manager anymore, see https://docs.scs.community/standards/scs-0302-v1-domain-manager-role/#change-the-naming-of-the-domain-manager-role-to-align-with-upstream |
Signed-off-by: Markus Hentsch <[email protected]>
To improve user experience and make the encryption features easily accessible, this standard should adjust the Key Manager API policies to extend permissions referencing the Barbican-specific "creator" role by the "member" role. | ||
This offers users easy access to the Key Manager API and aligns the permission set with the future rework (as per `enforce_new_defaults`), because it will later replace the "creator" role by the "member" role entirely. | ||
|
||
The "creator" role will be kept for compatibility reasons concerning service integration. | ||
For example, the block storage service Cinder usually has a technical user in Keystone possessing the "creator" role in the "service" project. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FTR, I considered replacing the "creator" role by "member" entirely. However, I decided against it for the following reasons:
- both DevStack and RedHat setups1 seem to assign the "creator" role to a "cinder" user in the "service" project, which is registered in Cinder's
[keystone_authtoken]
config section - mandating to switch Cinder's service user to "member" role here could open up permissions in other services' APIs potentially which otherwise wouldn't react to the "creator" role (which is Barbican-specific)
- without
enforce_scope
(which this standard cannot use), the scoping would not protect us here
- without
However, I'm not exactly sure in which workflow Cinder needs its own Barbican-enabled role, i.e. what the reasoning for this is. Usually, the user's auth token is passed around during requests so it would simply take the role permissions from there. However, it is most likely there for a reason, so I'm leaving it in because I don't know the context and don't want to break things.
Footnotes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess Cinder will need it in case of a deletion of an encrypted volume (to delete the key) or to create a backup or snapshot (to copy the key). Maybe there is an edge case, where e.g. a backup is not triggered by someone from the project (hence no chance to aquire the key) or a deletion of a key is done so late, that the user conetxt is already omitted, so cinder does not have the token of the user anymore.
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
FTR, I have now moved the role from core roles to service-specific roles after some more research. For the rationale see the new 'Classification of the "manager" role' section under the Design Considerations. |
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall this is a very unfortunate time to write a role standard.
So maybe we should discuss this in a bigger group, if we somehow can make it easier for you. (E.g. kick heat from the supported list?)
To improve user experience and make the encryption features easily accessible, this standard should adjust the Key Manager API policies to extend permissions referencing the Barbican-specific "creator" role by the "member" role. | ||
This offers users easy access to the Key Manager API and aligns the permission set with the future rework (as per `enforce_new_defaults`), because it will later replace the "creator" role by the "member" role entirely. | ||
|
||
The "creator" role will be kept for compatibility reasons concerning service integration. | ||
For example, the block storage service Cinder usually has a technical user in Keystone possessing the "creator" role in the "service" project. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess Cinder will need it in case of a deletion of an encrypted volume (to delete the key) or to create a backup or snapshot (to copy the key). Maybe there is an edge case, where e.g. a backup is not triggered by someone from the project (hence no chance to aquire the key) or a deletion of a key is done so late, that the user conetxt is already omitted, so cinder does not have the token of the user anymore.
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is going into a good direction.
|
||
#### API Policies | ||
|
||
TODO: what does the CSP need to adhere to when it comes to API policy configuration? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this is more kind of an implementation note?
Because policy adjustments might occur more often than a change of the role model itself.
And the policy I am thinking about is the network rbac - which might be changed in the external network standard to only allow admin role to use it: #572
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the last part I need to figure out for the standard: what to put here.
We will definitely need to make sure that CSPs apply the special policy templates offered by Octavia1 so that the LBaaS API will be aligned with the reader, member, admin model.
Other than that, we're pretty much in line with the in-code defaults now that we can use Secure RBAC. I need to double check but I think there won't be much more needed to be added here in terms of strict guidelines.
Footnotes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added Octavia there now plus some general do's and dont's. It's pretty brief and I don't think it justifies an implementation note split currently.
And the policy I am thinking about is the network rbac - which might be changed in the external network standard to only allow admin role to use it: #572
@josephineSei I'm wondering whether this should be part of the corresponding network standard or this role standard. I think it's more a detail of how the networking stuff works and is to be used, not a general role model or scoping thing. So I'm leaning more towards addressing this in the network standards if there is a network standard that would fit.
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
**Description:** SCS standard that lists mandatory and supported OpenStack APIs for SCS clouds. | ||
This list is decisive for the standard on roles as all applicable services need to be taken into consideration. | ||
|
||
**Link:** TBD <!-- https://github.com/SovereignCloudStack/standards/pull/587 --> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs to be replaced by a genuine link once #587 is merged.
... it is part of the SCS Key Manager standard now. Signed-off-by: Markus Hentsch <[email protected]>
Signed-off-by: Markus Hentsch <[email protected]>
FTR, I removed the part about the role adjustment for Barbican and linked the corresponding implementation notes of the Key Manager standard in the related documents section instead, since this is part of that standard now. |
Signed-off-by: Markus Hentsch <[email protected]>
FTR, I think this PR will need to stay in draft state as long as upstream has remaining incompatibilities with This standard must be able to rely fully on the newer SRBAC model (reader, member, admin) without any service-specific exceptions, in my opinion. |
Adds a standard to define all RBAC roles and permissions in the SCS IaaS layer.
Resolves SovereignCloudStack/issues#396
Supersedes #378