================
Octavia Policies
================

.. warning::

   The JSON-formatted policy file has been deprecated since Octavia 8.0.0
   (Wallaby). The `oslopolicy-convert-json-to-yaml`__ tool will migrate an
   existing JSON-formatted policy file to YAML in a backward-compatible way.

   .. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html

.. _Keystone Default Roles: https://docs.openstack.org/keystone/latest/admin/service-api-protection.html

Octavia Advanced Role Based Access Control (RBAC)
-------------------------------------------------

Octavia adopted the "Advanced Role Based Access Control (RBAC)" default
policies in the Pike release of OpenStack. This provides a fine-grained default
access control policy for the Octavia service.

The Octavia Advanced RBAC goes beyond the OpenStack legacy RBAC policies, which
allow "owners and admins" full access to all services. It also provides a more
fine-grained RBAC policy than the newer `Keystone Default Roles`_.

By default, access is denied unless the ``auth_strategy`` is ``noauth``. With
any other auth strategy, users must be a member of one of the following roles
to have access to the load-balancer API:

.. glossary::

    role:load-balancer_observer
        User has access to load-balancer read-only APIs.

    role:load-balancer_global_observer
        User has access to load-balancer read-only APIs including resources
        owned by others.

    role:load-balancer_member
        User has access to load-balancer read and write APIs.

    role:load-balancer_quota_admin
        User is considered an admin for quota APIs only.

    role:load-balancer_admin
        User is considered an admin for all load-balancer APIs including
        resources owned by others.

    role:admin and system_scope:all
        User is admin to all service APIs, including Octavia.

.. note::

    'is_admin:True' is a policy rule that takes into account the
    auth_strategy == noauth configuration setting.
    It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'
    if that would be valid syntax.

These roles are in addition to the `Keystone Default Roles`_:

* role:reader
* role:member

In addition, the Octavia API supports Keystone scoped tokens. When enabled
in Oslo Policy, users will need to present a token scoped to either the
"system" or a specific "project". See the section `Upgrade Considerations`_
for more information.

See the section `Managing Octavia User Roles`_ for examples and advice on how
to apply these RBAC policies in production.

Legacy Admin or Owner Policy Override File
------------------------------------------

An alternate policy file has been provided in octavia/etc/policy called
admin_or_owner-policy.yaml that removes the load-balancer RBAC role
requirement. Please see the README.rst in that directory for more information.

This drops the role requirements so that access is granted to any user with
the "admin" role, or to any user who is a member of the project that owns the
resource. With this file in place every user has access to the Octavia API to
create and manage load balancers under their own project; the
load-balancer_observer, load-balancer_member and related roles no longer
restrict anything, so use it only where that coarser access model is
acceptable.

OpenStack Default Roles Policy Override File
--------------------------------------------

An alternate policy file has been provided in octavia/etc/policy called
keystone_default_roles-policy.yaml that removes the load-balancer RBAC role
requirement. Please see the README.rst in that directory for more information.

This policy will honor the following `Keystone Default Roles`_ in the Octavia
API:

* Admin
* Project scoped - Reader
* Project scoped - Member

In addition, there is an alternate policy file that enables system scoped
token checking called keystone_default_roles_scoped-policy.yaml. It honors:

* System scoped - Admin
* System scoped - Reader
* Project scoped - Reader
* Project scoped - Member

Managing Octavia User Roles
---------------------------

User and group roles are managed through the Keystone (identity) project.

A role can be added to a user with the following command::

    openstack role add --project <project name or id> --user <user name or id> <role>

An example where user "jane", in the "engineering" project, gets a new role
"load-balancer_member"::

    openstack role add --project engineering --user jane load-balancer_member

Keystone Group Roles
~~~~~~~~~~~~~~~~~~~~

Roles can also be assigned to `Keystone groups
<https://docs.openstack.org/keystone/latest/admin/identity-concepts.html>`_.
This can simplify the management of user roles greatly.

For example, your cloud may have a "users" group defined in Keystone. This
group is set up to have all of the regular users of your cloud as a member.
If you want all of your users to have access to the load balancing service
Octavia, you could add the "load-balancer_member" role to the "users" group::

    openstack role add --domain default --group users load-balancer_member

A role assigned on a domain with ``--domain`` is effective for domain-scoped
tokens. If the intent is for the group's role to apply inside every project of
the domain, make the assignment inheritable by adding ``--inherited`` to the
command, so that Keystone propagates it to the projects in that domain.

Upgrade Considerations
----------------------

Starting with the Wallaby release of Octavia, Keystone token scopes and
default roles can be enforced. By default, in the Wallaby release, `Oslo Policy
<https://docs.openstack.org/oslo.policy/latest>`_
will not be enforcing these new roles and scopes. However, at some point in the
future they may become the default. You may want to enable them now to be ready
for the later transition. This section will describe those settings.

The Oslo Policy project defines two configuration settings, among others, that
can be set in the Octavia configuration file to influence how policies are
handled in the Octavia API. Those two settings are `enforce_scope
<https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope>`_ and `enforce_new_defaults
<https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_new_defaults>`_.

[oslo_policy] enforce_scope
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keystone has introduced the concept of `token scopes
<https://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes>`_.
Currently, Oslo Policy defaults to not enforcing the scope validation of a
token for backward compatibility reasons.

The Octavia API supports enforcing the Keystone token scopes as of the Wallaby
release. If you are ready to start enforcing the Keystone token scope in the
Octavia API you can add the following setting to your Octavia API configuration
file::

    [oslo_policy]
    enforce_scope = True

Currently the primary effect of this setting is to allow a system scoped
admin token when performing administrative API calls to the Octavia API.
It will also allow system scoped reader tokens to have the equivalent of the
load-balancer_global_observer role.

Note that once scope is enforced the admin entries in the effective rules
require ``system_scope:all`` (see the rule listing at the end of this page),
so administrative tooling that authenticates with a project-scoped admin token
must switch to a system-scoped token or it will be denied.

The Octavia API already enforces the project scoping in Keystone tokens.

[oslo_policy] enforce_new_defaults
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Octavia Wallaby release added support for `Keystone Default Roles`_ in
the default policies. The previous Octavia Advanced RBAC policies have now
been deprecated in favor of the new policies requiring one of the new
`Keystone Default Roles`_.

Currently, Oslo Policy defaults to using the deprecated policies that do not
require the new `Keystone Default Roles`_ for backward compatibility.

The Octavia API supports requiring these new `Keystone Default Roles`_ as of
the Wallaby release. If you are ready to start requiring these roles you can
enable the new policies by adding the following setting to your Octavia API
configuration file::

    [oslo_policy]
    enforce_new_defaults = True

When the new default policies are enabled in the Octavia API, users with the
load-balancer_observer role will also require the Keystone default role of
"role:reader". Users with the load-balancer_member role will also require
the Keystone default role of "role:member". Audit role assignments before
enabling this setting: a user who holds only load-balancer_member loses
access until role:member is added.

Sample File Generation
----------------------

To generate a sample policy.yaml file from the Octavia defaults, run the
oslo policy generation script::

    oslopolicy-sample-generator \
        --config-file etc/policy/octavia-policy-generator.conf \
        --output-file policy.yaml.sample

Merged File Generation
----------------------

This will output a policy file which includes all registered policy defaults
and all policies configured with a policy file. This file shows the effective
policy in use by the project::

    oslopolicy-policy-generator \
        --config-file etc/policy/octavia-policy-generator.conf

This tool uses the output_file path from the config-file.

List Redundant Configurations
-----------------------------

This will output a list of matches for policy rules that are defined in a
configuration file where the rule does not differ from a registered default
rule. These are rules that can be removed from the policy file with no change
in effective policy::

    oslopolicy-list-redundant \
        --config-file etc/policy/octavia-policy-generator.conf

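The three tools above answer three questions about an operator's policy.yaml:
what is actually enforced (merged file), which overrides are no-ops
(redundant), and, a question none of them asks directly, which overrides name
a rule that is not registered at all and therefore never take effect. The
following is an added example, not the oslopolicy-* tools and not Octavia
code, that does all three for the flat ``"rule-name": "check string"`` layout
of policy.yaml. It assumes the sample-generator convention of commenting out
every default with a leading ``#``. Both inputs are constructed for the
example and the default check strings are illustrative, not Octavia's real
defaults.

```python
"""Audit an operator policy.yaml against generated defaults (added example).

Not the oslopolicy-* tools and not Octavia code. Reports the merged effective
policy, overrides identical to their default (safe to delete), overrides that
change behaviour (review each one) and overrides whose rule name has no
registered default (typos that the enforcer silently ignores).
"""
import re
from typing import Dict

# One flat entry:  "<rule name>": "<check string>"   # optional trailing comment
_ENTRY = re.compile(r'^"([^"]+)"\s*:\s*"([^"]*)"\s*(?:#.*)?$')


def parse_policy(text: str, commented_defaults: bool = False) -> Dict[str, str]:
    """Parse flat policy.yaml entries.

    With commented_defaults=True, lines of the form '#"rule": "check"' (the
    sample generator's way of writing defaults) are read too, and other
    comment lines (rule descriptions) are skipped instead of rejected.
    """
    rules: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if commented_defaults and line.startswith("#"):
            line = line[1:].strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            if commented_defaults:
                continue  # a description comment in the sample file
            raise ValueError(f"line {lineno}: not a flat policy entry: {raw!r}")
        rules[m.group(1)] = m.group(2)
    return rules


def audit(defaults_text: str, overrides_text: str) -> Dict[str, object]:
    """Compare an operator policy file against the generated defaults."""
    defaults = parse_policy(defaults_text, commented_defaults=True)
    overrides = parse_policy(overrides_text)
    return {
        # what the API actually enforces (the merged file)
        "effective": {**defaults, **overrides},
        # overrides identical to the default: oslopolicy-list-redundant output
        "redundant": sorted(k for k, v in overrides.items() if defaults.get(k) == v),
        # overrides that really change behaviour: rule -> (default, override)
        "changed": {k: (defaults[k], v) for k, v in overrides.items()
                    if k in defaults and defaults[k] != v},
        # names with no registered default: they never take effect
        "unknown": sorted(k for k in overrides if k not in defaults),
    }


# Constructed stand-in for policy.yaml.sample; check strings are illustrative.
DEFAULTS_SAMPLE = """
# Read access to load balancer resources (illustrative default)
#"load-balancer:read": "role:load-balancer_admin or role:load-balancer_observer"
# Write access to load balancer resources (illustrative default)
#"load-balancer:write": "role:load-balancer_admin or role:load-balancer_member"
#"load-balancer:read-quota": "rule:load-balancer:read or role:load-balancer_quota_admin"
#"load-balancer:write-quota": "role:load-balancer_admin or role:load-balancer_quota_admin"
"""

# Constructed operator policy.yaml: one redundant entry, one loosened rule
# (observers may now write) and one misspelled rule name.
OVERRIDES_SAMPLE = """
"load-balancer:read": "role:load-balancer_admin or role:load-balancer_observer"
"load-balancer:write": "rule:load-balancer:read"   # readers can now write
"load-balancer:wrte-quota": "role:load-balancer_admin"
"""

if __name__ == "__main__":
    report = audit(DEFAULTS_SAMPLE, OVERRIDES_SAMPLE)
    for key in ("redundant", "changed", "unknown"):
        print(f"{key}: {report[key]}")
```

Feed it the real policy.yaml.sample and your deployed policy.yaml; anything in
``changed`` is where your deployment differs from the defaults and deserves a
second look, and anything in ``unknown`` is an override you believe is in force
but is not.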
Default Octavia Policies - API Effective Rules
----------------------------------------------

This section will list the RBAC rules the Octavia API will use followed by a
list of the roles that will be allowed access.

Without `enforce_scope
<https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope>`_ and `enforce_new_defaults
<https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_new_defaults>`_:

* load-balancer:read

  * load-balancer_admin
  * load-balancer_global_observer
  * load-balancer_member and <project member>
  * load-balancer_observer and <project member>
  * role:admin

* load-balancer:read-global

  * load-balancer_admin
  * load-balancer_global_observer
  * role:admin

* load-balancer:write

  * load-balancer_admin
  * load-balancer_member and <project member>
  * role:admin

* load-balancer:read-quota

  * load-balancer_admin
  * load-balancer_global_observer
  * load-balancer_member and <project member>
  * load-balancer_observer and <project member>
  * load-balancer_quota_admin
  * role:admin

* load-balancer:read-quota-global

  * load-balancer_admin
  * load-balancer_global_observer
  * load-balancer_quota_admin
  * role:admin

* load-balancer:write-quota

  * load-balancer_admin
  * load-balancer_quota_admin
  * role:admin

With `enforce_scope
<https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope>`_ and `enforce_new_defaults
<https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_new_defaults>`_:

* load-balancer:read

  * load-balancer_admin
  * load-balancer_global_observer
  * load-balancer_member and <project member> and role:member
  * load-balancer_observer and <project member> and role:reader
  * role:admin and system_scope:all
  * role:reader and system_scope:all

* load-balancer:read-global

  * load-balancer_admin
  * load-balancer_global_observer
  * role:admin and system_scope:all
  * role:reader and system_scope:all

* load-balancer:write

  * load-balancer_admin
  * load-balancer_member and <project member> and role:member
  * role:admin and system_scope:all

* load-balancer:read-quota

  * load-balancer_admin
  * load-balancer_global_observer
  * load-balancer_member and <project member> and role:member
  * load-balancer_observer and <project member> and role:reader
  * load-balancer_quota_admin
  * role:admin and system_scope:all
  * role:reader and system_scope:all

* load-balancer:read-quota-global

  * load-balancer_admin
  * load-balancer_global_observer
  * load-balancer_quota_admin
  * role:admin and system_scope:all
  * role:reader and system_scope:all

* load-balancer:write-quota

  * load-balancer_admin
  * load-balancer_quota_admin
  * role:admin and system_scope:all

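The two rule tables above are the whole story of what changes when
``enforce_scope`` and ``enforce_new_defaults`` are switched on, and the
practical question before flipping them is which existing tokens change
outcome. The following added example, which is not oslo.policy and not Octavia
code, encodes both tables as predicates and evaluates a token context against
each, so a user with only load-balancer_member, a project-scoped admin and a
system-scoped reader can be compared side by side. The ``Context`` fields and
the ``target["project_id"]`` key are assumptions made for the example (the
real enforcer derives them from the Keystone token and the resource), and the
``is_admin``/noauth special case from the note earlier on this page is not
modelled.

```python
"""Evaluate a token against the two effective-rule tables (added example).

Not oslo.policy and not Octavia code: the legacy table and the
enforce_scope + enforce_new_defaults table from this page are written as
predicates over an assumed Context so the two can be compared per token.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

Target = Dict[str, str]
Pred = Callable[["Context", Target], bool]


@dataclass(frozen=True)
class Context:
    roles: frozenset
    project_id: Optional[str] = None    # set on a project-scoped token (assumed field)
    system_scope: Optional[str] = None  # "all" on a system-scoped token (assumed field)


def has(role: str) -> Pred:
    return lambda ctx, target: role in ctx.roles


def project_member(ctx: Context, target: Target) -> bool:
    """The "<project member>" check: token is scoped to the resource's project."""
    return ctx.project_id is not None and ctx.project_id == target.get("project_id")


def system_all(ctx: Context, target: Target) -> bool:
    return ctx.system_scope == "all"


def all_of(*preds: Pred) -> Pred:
    return lambda ctx, target: all(p(ctx, target) for p in preds)


def any_of(*preds: Pred) -> Pred:
    return lambda ctx, target: any(p(ctx, target) for p in preds)


LB_ADMIN = has("load-balancer_admin")
GLOBAL_OBS = has("load-balancer_global_observer")
QUOTA_ADMIN = has("load-balancer_quota_admin")
LEGACY_ADMIN = has("admin")                      # role:admin, any scope
SYS_ADMIN = all_of(has("admin"), system_all)     # role:admin and system_scope:all
SYS_READER = all_of(has("reader"), system_all)   # role:reader and system_scope:all

# Table 1: without enforce_scope / enforce_new_defaults.
MEMBER = all_of(has("load-balancer_member"), project_member)
OBSERVER = all_of(has("load-balancer_observer"), project_member)
LEGACY_RULES: Dict[str, Pred] = {
    "load-balancer:read": any_of(LB_ADMIN, GLOBAL_OBS, MEMBER, OBSERVER, LEGACY_ADMIN),
    "load-balancer:read-global": any_of(LB_ADMIN, GLOBAL_OBS, LEGACY_ADMIN),
    "load-balancer:write": any_of(LB_ADMIN, MEMBER, LEGACY_ADMIN),
    "load-balancer:read-quota": any_of(LB_ADMIN, GLOBAL_OBS, MEMBER, OBSERVER, QUOTA_ADMIN, LEGACY_ADMIN),
    "load-balancer:read-quota-global": any_of(LB_ADMIN, GLOBAL_OBS, QUOTA_ADMIN, LEGACY_ADMIN),
    "load-balancer:write-quota": any_of(LB_ADMIN, QUOTA_ADMIN, LEGACY_ADMIN),
}

# Table 2: with enforce_scope = True and enforce_new_defaults = True.
NEW_MEMBER = all_of(MEMBER, has("member"))      # ... and role:member
NEW_OBSERVER = all_of(OBSERVER, has("reader"))  # ... and role:reader
NEW_RULES: Dict[str, Pred] = {
    "load-balancer:read": any_of(LB_ADMIN, GLOBAL_OBS, NEW_MEMBER, NEW_OBSERVER, SYS_ADMIN, SYS_READER),
    "load-balancer:read-global": any_of(LB_ADMIN, GLOBAL_OBS, SYS_ADMIN, SYS_READER),
    "load-balancer:write": any_of(LB_ADMIN, NEW_MEMBER, SYS_ADMIN),
    "load-balancer:read-quota": any_of(LB_ADMIN, GLOBAL_OBS, NEW_MEMBER, NEW_OBSERVER, QUOTA_ADMIN, SYS_ADMIN, SYS_READER),
    "load-balancer:read-quota-global": any_of(LB_ADMIN, GLOBAL_OBS, QUOTA_ADMIN, SYS_ADMIN, SYS_READER),
    "load-balancer:write-quota": any_of(LB_ADMIN, QUOTA_ADMIN, SYS_ADMIN),
}


def authorize(rule: str, ctx: Context, target: Target, new_defaults: bool = False) -> bool:
    """Evaluate one rule; new_defaults=True selects the enforce_scope + enforce_new_defaults table."""
    return (NEW_RULES if new_defaults else LEGACY_RULES)[rule](ctx, target)


def diff_access(ctx: Context, target: Target) -> Dict[str, tuple]:
    """Rules whose outcome flips when the new defaults are enabled: rule -> (legacy, new)."""
    out = {}
    for rule in LEGACY_RULES:
        legacy, new = authorize(rule, ctx, target), authorize(rule, ctx, target, True)
        if legacy != new:
            out[rule] = (legacy, new)
    return out


if __name__ == "__main__":
    # Constructed sample tokens; jane/engineering follow the role example above.
    lb = {"project_id": "engineering"}
    jane = Context(roles=frozenset({"load-balancer_member"}), project_id="engineering")
    print("jane, load-balancer_member only:", diff_access(jane, lb))  # read, write, read-quota: True -> False
    jane_ok = Context(roles=frozenset({"load-balancer_member", "member"}), project_id="engineering")
    print("jane with role:member added:", diff_access(jane_ok, lb))  # {}
    proj_admin = Context(roles=frozenset({"admin"}), project_id="ops")
    print("project-scoped admin:", sorted(diff_access(proj_admin, lb)))  # all six rules: True -> False
    sys_reader = Context(roles=frozenset({"reader"}), system_scope="all")
    print("system-scoped reader:", sorted(diff_access(sys_reader, lb)))  # the four read rules: False -> True
```

The two results worth noticing are the ones the text above warns about: jane
keeps nothing until role:member is added alongside load-balancer_member, and a
project-scoped admin token stops matching every rule because the admin entries
now require ``system_scope:all``; conversely a system-scoped reader gains the
equivalent of load-balancer_global_observer.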
Default Octavia Policies - Generated From The Octavia Code
----------------------------------------------------------

.. literalinclude:: _static/octavia.policy.yaml.sample