Policy Default Refresh
Ideally, most operators should be able to run Nova without modifying policy; for that we need richer defaults.
When operators must modify the policy, or need to audit the defaults, they think in terms of API operations when deciding which policy to change, so each policy should always relate clearly to the API rather than to the code.
To improve the Nova policies in terms of self-service and rich default roles, we need several updates:
1. Granularity: make the policy rules granular so that scope_type and the new default roles can be added - https:/
2. Scope: add the correct scope_type, covering global and project access.
3. Default roles: keystone now has new default roles (reader, member, admin) which can be applied to each scope_type.
More details in spec.
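As an added illustration (not Nova's or oslo.policy's code), the following minimal check-string evaluator shows what the three updates change in practice: the legacy admin_or_owner rule beside its scope-aware replacement built from the keystone default roles, and the effect of enforcing a rule's scope_types. The rule strings follow the shape of Nova's Ussuri base rules; the credentials, targets and the evaluator itself are constructed for this example.

```python
from typing import Dict, List, Optional

def creds(roles: List[str], project_id: Optional[str] = None,
          system_scope: Optional[str] = None) -> Dict:
    """Constructed token values in the shape oslo.context hands to policy.
    Keystone's implied roles are spelled out (admin implies member, reader)."""
    return {"roles": roles, "project_id": project_id, "system_scope": system_scope}

def _atom(atom: str, c: Dict, target: Dict) -> bool:
    key, _, value = atom.partition(":")
    value = value % target            # expands %(project_id)s from the target
    if key == "role":
        return value in c["roles"]
    return c.get(key) == value        # e.g. project_id or system_scope

def check_str_passes(check_str: str, c: Dict, target: Dict) -> bool:
    """An 'or' of 'and' clauses, which is all these flat rules need."""
    return any(all(_atom(a.strip(), c, target) for a in clause.split(" and "))
               for clause in check_str.split(" or "))

# Legacy rule the refresh replaces: any admin anywhere, or the owning project.
ADMIN_OR_OWNER = "role:admin or project_id:%(project_id)s"
# New defaults (update 3): a keystone default role plus a scope, per update 2.
SYSTEM_ADMIN = "role:admin and system_scope:all"
SYSTEM_READER = "role:reader and system_scope:all"
PROJECT_MEMBER = "role:member and project_id:%(project_id)s"
PROJECT_READER = "role:reader and project_id:%(project_id)s"
SYSTEM_ADMIN_OR_OWNER = f"{SYSTEM_ADMIN} or {PROJECT_MEMBER}"

def enforce(check_str: str, scope_types: List[str], c: Dict, target: Dict,
            enforce_scope: bool = True) -> bool:
    """With scope enforcement on, a token whose scope is not among the rule's
    scope_types is rejected before the check string is even evaluated."""
    token_scope = "system" if c["system_scope"] else "project"
    if enforce_scope and token_scope not in scope_types:
        return False
    return check_str_passes(check_str, c, target)

if __name__ == "__main__":
    t = {"project_id": "p1"}
    project_admin = creds(["admin", "member", "reader"], project_id="p2")
    # Legacy: an admin from another project may act on p1; the new rule says no.
    print(check_str_passes(ADMIN_OR_OWNER, project_admin, t))         # True
    print(check_str_passes(SYSTEM_ADMIN_OR_OWNER, project_admin, t))  # False
    # A system-only rule lets the project token through only while scope
    # enforcement is off (the transition period); on, it is rejected.
    print(enforce("role:admin", ["system"], project_admin, t, enforce_scope=False),
          enforce("role:admin", ["system"], project_admin, t))        # True False
```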
Blueprint information
- Status: Complete
- Approver: melanie witt
- Priority: Medium
- Drafter: Ghanshyam Mann
- Direction: Approved
- Assignee: Ghanshyam Mann
- Definition: Approved
- Series goal: Accepted for ussuri
- Implementation: Implemented
- Milestone target: ussuri-3
- Started by: melanie witt
- Completed by: Balazs Gibizer
Whiteboard
Spec - https:/
Gerrit topic: https:/
Addressed by: https:/
Spec for API policy updates
Gerrit topic: https:/
Gerrit topic: https:/
Addressed by: https:/
Better policy unit tests
Addressed by: https:/
Move default policy target
Addressed by: https:/
Add functional test for admin_actions
Addressed by: https:/
WIP: add scope check, see tests catch the change
Addressed by: https:/
WIP: Introduce scope_types in os-services
Addressed by: https:/
Add new default roles and mapping in policy base class
Addressed by: https:/
WIP: Add new default roles in os-services API policies
Addressed by: https:/
WIP: Introduce scope_types in servers API
Addressed by: https:/
WIP: Add new default roles in servers API policies
Addressed by: https:/
Ensure we pass a target in admin actions
Addressed by: https:/
Add test coverage of existing os-services policies
Addressed by: https:/
Fix followup comments of policy-
Gerrit topic: https:/
Addressed by: https:/
Add test coverage of existing os-agents policies
Spec merged on 2019-07-02, approved for Train. -- melwitt 20190711
Addressed by: https:/
Pass RequestContext to oslo_policy
Gerrit topic: https:/
Addressed by: https:/
Add policy deprecation fixture and Suppress warnings in tests
Addressed by: https:/
Add new default roles in Admin Action API policies
Addressed by: https:/
Pass the target in os-services APIs policy
We're 1 week from feature freeze for Train and there are a lot of open changes left for this that haven't had a lot (or maybe any, on some patches) of core review, and since this impacts policy, which impacts upgrades, it has some risk, so we're deferring to Ussuri. -- mriedem 20190905
Addressed by: https:/
Re-propose policy-
Addressed by: https:/
Fix the suppress of policy deprecation warnings
Addressed by: https:/
Deprecate base rules in favor of new rules
Addressed by: https:/
Add test coverage of existing admin_password policies
Addressed by: https:/
Introduce scope_types in os-admin-password
Addressed by: https:/
Add new default roles in os-admin-password policies
Addressed by: https:/
Pass the actual target in os-admin-password policy
Addressed by: https:/
Add test coverage of existing os-agents policies
Addressed by: https:/
Introduce scope_types in os-agents policy
Addressed by: https:/
Add new default roles in os-agents policies
Addressed by: https:/
Pass the actual target in os-agents policy
Addressed by: https:/
Add test coverage of existing os-aggregates policies
Addressed by: https:/
Introduce scope_types in os-aggregates policy
Addressed by: https:/
Add new default roles in os-aggregates policies
Addressed by: https:/
Pass the actual target in os-aggregates policy
Addressed by: https:/
Add test coverage of existing os-assisted_
Addressed by: https:/
Introduce scope_types in os-assisted_
Addressed by: https:/
Add new default roles in os-assisted_
Addressed by: https:/
Pass the actual target in os-assisted_
[efried 20200116] Marking definition:approved as the spec was merged in October.
Addressed by: https:/
Add test coverage of existing attach_interfaces policies
Addressed by: https:/
Remove old policy enforcement in attach_interfaces
Addressed by: https:/
Introduce scope_types in os-attach-
Addressed by: https:/
Add new default roles in os-instance-actions policies
Addressed by: https:/
Add new default roles in os-attach-
Addressed by: https:/
Add test coverage of existing availability-zone policies
Addressed by: https:/
Add new default roles in os-availability
Addressed by: https:/
Add new default roles in os-availability
Addressed by: https:/
Add test coverage of existing os-console-
Addressed by: https:/
Introduce scope_types in os-console-
Addressed by: https:/
Add new default roles in os-console-
Addressed by: https:/
Pass the actual target in os-console-
Addressed by: https:/
Pass the actual target in os-availability
Addressed by: https:/
Add test coverage of existing console_output policies
Addressed by: https:/
Add test coverage of existing create_backup policies
Addressed by: https:/
Introduce scope_types in os-create-backup
Addressed by: https:/
Add new default roles in os-create-backup policies
Addressed by: https:/
Introduce scope_types in os-console-output
Addressed by: https:/
Add new default roles in os-console-output policies
Addressed by: https:/
Add test coverage of existing deferred_delete policies
Addressed by: https:/
Introduce scope_types in os-deferred_delete
Addressed by: https:/
Add new default roles in os-deferred_delete policies
Addressed by: https:/
Introduce scope_types in os-instance-action policy
Addressed by: https:/
Add test coverage of existing os-instance-actions policies
Addressed by: https:/
Add test coverage of existing evacuate policies
Addressed by: https:/
Introduce scope_types in os-evacuate
Addressed by: https:/
Add new default roles in os-evacuate policies
[efried 20200220] Agreed in the Nova meeting to Direction:Approve all Definition:Approved blueprints http://
Addressed by: https:/
Introduce scope_types in os-volumes-
Addressed by: https:/
Add test coverage of existing os-volumes-
Addressed by: https:/
Fix os-volumes-
Addressed by: https:/
Add new default roles in os-volumes-
Addressed by: https:/
Remove fatal=False from os-instance-actions show API
Addressed by: https:/
Add PATCH volume attachments api to os-volume_
Addressed by: https:/
Add new policy to PATCH update volume API
Addressed by: https:/
Add SYSTEM_READER role to servers actions API
Addressed by: https:/
Add a tests to check when legacy access is removed
Addressed by: https:/
Granular GET os-instance-actions API policies
Addressed by: https:/
nit: Fix NOTE error of fatal=False
Addressed by: https:/
[Trivial] Fix code comment of admin password tests
Addressed by: https:/
Add functional tests for PATCH volume attachments API
Addressed by: https:/
Cleanup test for system reader and reader_or_owner rules
Gerrit topic: https:/
Gerrit topic: https:/
Addressed by: https:/
Add test coverage of existing flavor_access policies
Gerrit topic: https:/
Addressed by: https:/
Introduce scope_types in os-flavor-access
Addressed by: https:/
Add new default roles in os-flavor-access policies
Addressed by: https:/
[Trivial] fixing some nits in instance actions policy tests
Addressed by: https:/
Add test coverage of existing flavor_manage policies
Addressed by: https:/
Introduce scope_types in os-flavor-manage
Addressed by: https:/
Add new default roles in os-flavor_manage policies
Addressed by: https:/
Pass the actual target in os-flavor-manage policy
Addressed by: https:/
Add test coverage of existing hypervisors policies
Addressed by: https:/
Introduce scope_types in os-hypervisors
Addressed by: https:/
Add new default roles in os-hypervisors policies
Addressed by: https:/
Pass the actual target in os-hypervisors policy
Addressed by: https:/
Add test coverage of existing instance usage log policies
Addressed by: https:/
Introduce scope_types in os-instance-
Addressed by: https:/
Add new default roles in os-instance-
Addressed by: https:/
Pass the actual target in os-instance-
Addressed by: https:/
Add test coverage of existing ips policies
Addressed by: https:/
Introduce scope_types in os-ips
Addressed by: https:/
Add new default roles in os-ips policies
Addressed by: https:/
Add test coverage of existing limits policies
Addressed by: https:/
Combine the limits policies in a single place
Addressed by: https:/
Introduce scope_types in limits policy
Addressed by: https:/
Add new default roles in limits policies
Addressed by: https:/
Pass the actual target in limits policy
Addressed by: https:/
Correct limits policy check_str
Addressed by: https:/
Add new default roles in os-hypervisors policies
Addressed by: https:/
Add test coverage of existing lock server policies
Gerrit topic: https:/
Addressed by: https:/
Fix unlock server policy to be admin_or_owner
Addressed by: https:/
Introduce scope_types in lock server policy
Addressed by: https:/
Add new default roles in lock server policies
Addressed by: https:/
Add test coverage of existing migrate server policies
Addressed by: https:/
Introduce scope_types in migrate server
Addressed by: https:/
Add new default roles in migrate server policies
Addressed by: https:/
Pass the actual target in migrate server policy
Addressed by: https:/
Add test coverage of existing migrations policies
Addressed by: https:/
Introduce scope_types in list migrations
Addressed by: https:/
Add new default roles in migrations policies
Addressed by: https:/
Pass the actual target in migrations policy
Addressed by: https:/
Add test coverage of existing pause server policies
Gerrit topic: https:/
Addressed by: https:/
Fix unpause server policy to be admin_or_owner
Addressed by: https:/
Introduce scope_types in pause server policy
Addressed by: https:/
Add new default roles in pause server policies
Addressed by: https:/
Pass the actual target in unlock override policy
Addressed by: https:/
Add test coverage of existing remote console policies
Addressed by: https:/
Introduce scope_types in remote consoles policy
Addressed by: https:/
Add new default roles in remote console policies
Addressed by: https:/
Add test coverage of existing rescue policies
Addressed by: https:/
Introduce scope_types in rescue server policy
Addressed by: https:/
Add new default roles in rescue server policies
Addressed by: https:/
Add test coverage of existing security groups policies
Addressed by: https:/
Introduce scope_types in security groups policy
Addressed by: https:/
Add new default roles in security group policies
Addressed by: https:/
Add new default roles in security group policies
Addressed by: https:/
Add test coverage of existing server diagnostics policies
Addressed by: https:/
Introduce scope_types in server diagnostics
Addressed by: https:/
Add new default roles in server diagnostics policies
Addressed by: https:/
Pass the actual target in server diagnostics policy
Addressed by: https:/
Correct security groups policy check_str
Addressed by: https:/
Add test coverage of existing server external events policies
Addressed by: https:/
Introduce scope_types in server external events
Addressed by: https:/
Add new default roles in server external events policies
Addressed by: https:/
Pass the actual target in server external events policy
Addressed by: https:/
Add test coverage of existing server group policies
Addressed by: https:/
Introduce scope_types in server group policy
Addressed by: https:/
Add new default roles in server group policies
Addressed by: https:/
Pass the actual target in server group policy
Addressed by: https:/
Add test coverage of existing server metadata policies
Gerrit topic: https:/
Addressed by: https:/
Fix server metadata policy to be admin_or_owner
Addressed by: https:/
Add test coverage of existing server password policies
Gerrit topic: https:/
Addressed by: https:/
Fix server password policy to be admin_or_owner
Addressed by: https:/
Introduce scope_types in server password
Addressed by: https:/
Add new default roles in server metadata policies
Addressed by: https:/
Introduce scope_types in server password policy
Addressed by: https:/
Add new default roles in server password policies
Addressed by: https:/
Add test coverage of existing server tags policies
Addressed by: https:/
Add test coverage of existing server topology policies
Addressed by: https:/
Add test coverage of existing server migrations policies
Addressed by: https:/
Add test coverage of existing shelve policies
Addressed by: https:/
Add test coverage of existing simple tenant usage policies
Addressed by: https:/
Add test coverage of existing suspend server policies
Gerrit topic: https:/
Addressed by: https:/
Fix resume server policy to be admin_or_owner
Gerrit topic: https:/
Addressed by: https:/
Correct server shelve policy check_str
Addressed by: https:/
Introduce scope_types in shelve server
Addressed by: https:/
Add new default roles in shelve server policies
Addressed by: https:/
Introduce scope_types in suspend server
Addressed by: https:/
Add new default roles in suspend server policies
Addressed by: https:/
Introduce scope_types in server topology
Addressed by: https:/
Add new default roles in server topology policies
Addressed by: https:/
Introduce scope_types in simple tenant usage
Addressed by: https:/
Add new default roles in tenant usage policies
Addressed by: https:/
Introduce scope_types in server migration
Addressed by: https:/
Add new default roles in server migration policies
Addressed by: https:/
Pass the actual target in server migration policy
Addressed by: https:/
Fix new context comparison workaround in base tests class
Gerrit topic: https:/
Addressed by: https:/
Disable warning for policies changing default check_str
Gerrit topic: https:/
Addressed by: https:/
Fix server tags policy to be admin_or_owner
Addressed by: https:/
Introduce scope_types in server tags policy
Addressed by: https:/
Add new default roles in server tags policies
Addressed by: https:/
Correct server topology policy check_str
Addressed by: https:/
Add test coverage of existing server policies
Addressed by: https:/
Fix servers policy for admin_or_owner
Gerrit topic: https:/
Addressed by: https:/
Add test coverage of existing keypairs policies
Addressed by: https:/
Introduce scope_types in keypairs
Addressed by: https:/
Add new default roles in keypairs policies
Addressed by: https:/
Pass the actual target in keypairs policy
Addressed by: https:/
Add test coverage of existing quota class policies
Addressed by: https:/
Introduce scope_types in quota class Policies
Addressed by: https:/
Add new default roles in quota class policies
Addressed by: https:/
Add test coverage of existing quota sets policies
Addressed by: https:/
Introduce scope_types in quota set Policies
Addressed by: https:/
Add new default roles in quota sets policies
Addressed by: https:/
Add test coverage of existing flavor extra spec policies
Addressed by: https:/
Introduce scope_types in flavor extra spec policy
Addressed by: https:/
Add new default roles in flavor extra specs policies
Addressed by: https:/
Pass the actual target in flavor extra specs policy
Addressed by: https:/
Pass the actual target in flavor access policy
Addressed by: https:/
Add test coverage of existing server attributes policies
Addressed by: https:/
Introduce scope_types in servers attributes Policies
Addressed by: https:/
Add new default roles in servers attributes policies
Addressed by: https:/
Pass the actual target in quota class policy
Addressed by: https:/
Add test coverage of existing remaining servers policies
Addressed by: https:/
Introduce scope_types in remaining servers Policies
Addressed by: https:/
Add new default roles in remaining servers policies
Addressed by: https:/
Fix follow up comments on policy work
Addressed by: https:/
Fix server actions to be system and project scoped
Addressed by: https:/
Add doc for policy new defaults
Addressed by: https:/
Fix the followup comment of policy doc
[gibi 20200423] implemented in Ussuri