[RFE] Policy Improvements

Bug #1526752 reported by Vladyslav Drok
Affects | Status | Importance | Assigned to | Milestone
Ironic | Fix Released | Wishlist | aeva black |

Bug Description

As a cloud operator I want to be able to control the kind of access that users have to Ironic's API and resources. Current Ironic behavior assumes the operator is "an admin" or "not an admin", and accordingly "has access" or "no access". So if a company needs to represent a departmental hierarchy there isn't any way to do this. It would be nice to have this feature in Ironic.

Tags: rfe-approved
Vladyslav Drok (vdrok)
description: updated
Changed in ironic:
status: New → Confirmed
importance: Undecided → Wishlist
tags: added: rfe
Revision history for this message
Vladyslav Drok (vdrok) wrote :

Copy of whiteboard:

Gerrit topic: https://review.openstack.org/#q,topic:bp/policy-improvements,n,z

Addressed by: https://review.openstack.org/221778
    Policy improvements

Changed in ironic:
assignee: nobody → Anton Arefiev (aarefiev)
Changed in ironic:
assignee: Anton Arefiev (aarefiev) → nobody
Revision history for this message
Jim Rollenhagen (jim-rollenhagen) wrote :
Revision history for this message
Jay Faulkner (jason-oldos) wrote :

I should have a fresh spec up about this in the next week.

Changed in ironic:
assignee: nobody → Jay Faulkner (jason-oldos)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic-specs (master)

Fix proposed to branch: master
Review: https://review.openstack.org/327437

Changed in ironic:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic-specs (master)

Reviewed: https://review.openstack.org/327437
Committed: https://git.openstack.org/cgit/openstack/ironic-specs/commit/?id=e436e3f692faec0dbfa5fec997aba81853a60cce
Submitter: Jenkins
Branch: master

commit e436e3f692faec0dbfa5fec997aba81853a60cce
Author: Jay Faulkner <email address hidden>
Date: Wed Jun 8 17:28:46 2016 -0700

    Implement Keystone Policy Support

    Specification for keystone policy support in ironic.

    Change-Id: I2efdfd99f553c6f448d3e4ab0fc16a260345ec87
    Partial-bug: 1526752

aeva black (tenbrae)
Changed in ironic:
assignee: Jay Faulkner (jason-oldos) → Devananda van der Veen (devananda)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/345076

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/345556

Changed in ironic:
assignee: Devananda van der Veen (devananda) → Jim Rollenhagen (jim-rollenhagen)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/325599
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=c7da7a69250fcffb6841d36710770608d603bb6a
Submitter: Jenkins
Branch: master

commit c7da7a69250fcffb6841d36710770608d603bb6a
Author: Devananda van der Veen <email address hidden>
Date: Fri Jun 3 15:43:12 2016 -0700

    Add keystone policy support to Ironic

    Implements more fine-grained policy support within our API service,
    following the oslo policy-in-code spec, while maintaining compatibility
    with the previous default policy.json file. An empty policy.json file is
    included, along with a sample file listing all supported policy settings
    and their default values.

    A new tox target "genpolicy" has been added to ease automation of
    sample policy file generation.

    All calls to policy.enforce() have been replaced with
    policy.authorize() to avoid silent failures when a rule is undefined,
    because enforce() does not raise if the target rule does not exist.

      NOTE: policy.enforce() is not removed by this patch, but a deprecation
      warning will be logged if this method is invoked.

    Updates unit test coverage for the new authorize() method, as well as
    more general unit test updates for some of the new rules.

    Partial-bug: #1526752
    Change-Id: Ie4398f840601d027e2fe209c17d854421687c7b7

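The enforce()/authorize() distinction the commit message above describes, as an added illustration written for this page (not Ironic's or oslo.policy's code): a minimal in-memory enforcer whose enforce() silently falls back to a "default" rule when the rule name is unknown, while authorize() refuses to evaluate an unregistered rule. The rule names, the permissive default rule, the context shape and the exception classes are assumptions.

```python
class PolicyNotRegistered(Exception):
    """authorize() refuses to evaluate a rule name nobody registered."""

class PolicyNotAuthorized(Exception):
    """A registered rule evaluated to False for this request."""

class Enforcer:
    """Minimal policy engine: rule name -> predicate(context) -> bool."""

    def __init__(self, rules, default_rule="default"):
        self.rules = dict(rules)
        self.default_rule = default_rule

    def enforce(self, rule, context):
        # Legacy behaviour: an unknown rule name silently falls back to the
        # "default" rule, so a typo evaluates the wrong rule and no one notices.
        check = self.rules.get(rule) or self.rules.get(self.default_rule)
        return bool(check and check(context))

    def authorize(self, rule, context):
        # Fail-closed: an unregistered rule name is a bug, so raise rather than guess.
        if rule not in self.rules:
            raise PolicyNotRegistered(rule)
        if not self.rules[rule](context):
            raise PolicyNotAuthorized(rule)
        return True

# Constructed rule set (assumption): the deployment's "default" rule lets any
# authenticated caller through, while reading nodes is admin-only.
RULES = {
    "default": lambda ctx: bool(ctx["roles"]),
    "baremetal:node:get": lambda ctx: "admin" in ctx["roles"],
}
ENFORCER = Enforcer(RULES)
MEMBER = {"roles": ["member"]}  # constructed non-admin request context

def legacy_result(rule, context=MEMBER):
    """enforce() outcome as a bool; a misspelled rule name is never reported."""
    return ENFORCER.enforce(rule, context)

def strict_result(rule, context=MEMBER):
    """authorize() outcome: 'allowed', 'denied' or 'not-registered'."""
    try:
        ENFORCER.authorize(rule, context)
        return "allowed"
    except PolicyNotRegistered:
        return "not-registered"
    except PolicyNotAuthorized:
        return "denied"
```

With the misspelled rule name "baremetal:node:gte", legacy_result lets the non-admin member through via the default rule, whereas strict_result reports the unregistered rule instead of answering.
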
Changed in ironic:
assignee: Jim Rollenhagen (jim-rollenhagen) → Devananda van der Veen (devananda)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/345556
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=a5c26972b28018083e0a76c0dbc41d738ca84fff
Submitter: Jenkins
Branch: master

commit a5c26972b28018083e0a76c0dbc41d738ca84fff
Author: Devananda van der Veen <email address hidden>
Date: Thu Jul 21 09:18:12 2016 -0700

    Update documentation for keystone policy support

    This change adds information about keystone policy support in the
    following places:

    * api-ref: add notes to the Nodes reference, indicating that
      password and configdrive contents may be hidden in responses
    * deploy security guide: add a section about limiting API access
      by using the new policies and roles
    * deploy install guide: add instructions for creating the necessary
      Roles with the Identity service
    * dev quickstart guide: use devstack "demo" user throughout the guide,
      and add a note about why. Incidentally, switch to using "openstack"
      client instead of "ironic" and "nova" clients.

    Partial-bug: #1526752
    Change-Id: I392cabbf04badabd8ae7bb00a914b0a06db3d421

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/326768
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=dc0dad97737dcd0dadd1a56eb094cd76207229f0
Submitter: Jenkins
Branch: master

commit dc0dad97737dcd0dadd1a56eb094cd76207229f0
Author: Devananda van der Veen <email address hidden>
Date: Tue Jun 7 17:22:20 2016 -0700

    Mask instance secrets in API responses

    This change adds a new policy setting, "show_instance_secrets", whose
    behavior mirrors that of the existing "show_passwords" policy setting.

    Whereas "show_passwords" has historically blocked all sensitive
    information from the node's driver_info field, the new setting blocks
    all sensitive information from the node's instance_info field, including
    image_url.

    The name of the old setting, "show_passwords", is not being changed at
    this time because such a change is not backwards-compatible. Instead,
    the documentation string for this setting has been changed to clarify
    what it does. Note that the behavior has not actually changed.

    Note that this change moves the policy.check("show_password") call from
    the Pecan hook into the API's Nodes() class, where the
    policy.check("show_instance_secrets") is also added. This makes the code
    a little cleaner and more maintainable, especially if we want to add any
    more checks like this in the future.

    As a result of this cleanup, the ironic-specific
    RequestContext.show_password property is removed.

    Partial-bug: #1530972
    Partial-bug: #1526752
    Related-bug: #1613903

    Change-Id: I48493c53971cdab3b9122897e51322e19ce2f600

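The two response-masking checks described in the commit message above, as an added illustration written for this page rather than Ironic's own code: a node dict is filtered before it leaves the API according to the "show_password" and "show_instance_secrets" decisions. The credential key pattern, the allowed(rule) callable standing in for policy.check, and the sample node are assumptions.

```python
import copy
import re

MASK = "******"
# Constructed key pattern (assumption): keys that name a credential. Ironic
# delegates this matching to a library helper; the pattern here is ours.
SECRET_KEY = re.compile(r"password|passwd|secret|token", re.IGNORECASE)

def mask_dict_secrets(data, extra_keys=()):
    """Copy of data with credential-looking keys (and extra_keys) masked."""
    return {k: (MASK if SECRET_KEY.search(k) or k in extra_keys else v)
            for k, v in data.items()}

def mask_node_for_response(node, allowed):
    """Filter a node dict per policy before it leaves the API.

    allowed(rule) -> bool stands in for the policy decision (assumption).
    The caller's copy is never mutated, so a later admin request is not
    served a node whose secrets were already overwritten.
    """
    out = copy.deepcopy(node)
    if not allowed("show_password"):
        out["driver_info"] = mask_dict_secrets(out["driver_info"])
    if not allowed("show_instance_secrets"):
        # image_url is masked too, as the commit message lists it among the
        # sensitive instance_info contents.
        out["instance_info"] = mask_dict_secrets(out["instance_info"],
                                                 extra_keys=("image_url",))
    return out

# Constructed sample node (assumption); only driver_info, instance_info and
# image_url are field names taken from the page.
NODE = {
    "uuid": "00000000-0000-0000-0000-000000000001",
    "driver_info": {"ipmi_address": "10.0.0.5", "ipmi_username": "admin",
                    "ipmi_password": "not-a-real-secret"},
    "instance_info": {"image_url": "https://swift.example/v1/img?temp_url_sig=abc",
                      "image_source": "centos", "root_gb": 40},
}

def response_for(roles):
    """Node as a caller holding these roles would see it (admins see all)."""
    allowed = lambda rule: "admin" in roles  # assumed: both rules are admin-only
    return mask_node_for_response(NODE, allowed)
```
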
Revision history for this message
Jim Rollenhagen (jim-rollenhagen) wrote :

Heh, this was completed in Newton.

tags: added: rfe-approved
removed: rfe
Changed in ironic:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on ironic (master)

Change abandoned by Devananda van der Veen (<email address hidden>) on branch: master
Review: https://review.openstack.org/345076
