Ironic - lack of support for new RBAC policy

Bug #2051837 reported by Bartosz Bezak
Affects: kolla-ansible
Status: Fix Released
Importance: High
Assigned to: Bartosz Bezak
Milestone: (none)

Bug Description

Ironic enforced new RBAC policy by default - https://review.opendev.org/c/openstack/ironic/+/902009

Kolla Ansible doesn't support it yet - the nova-compute-ironic service user is a service-project-scoped user with the admin role, which can't see baremetal nodes provisioned by tenks in the admin project - https://opendev.org/openstack/kolla-ansible/src/commit/f0b7bf33abb6faff506599c99863b823ca108ef5/ansible/roles/nova-cell/templates/nova.conf.j2#L83-L94

https://opendev.org/openstack/kolla-ansible/src/commit/f0b7bf33abb6faff506599c99863b823ca108ef5/ansible/roles/ironic/defaults/main.yml#L357-L365

A possible long-term solution would be to add the service role to the ironic service user; however, it is still in the works - https://review.opendev.org/c/openstack/ironic/+/907148

Previous attempt to add the service role:
https://review.opendev.org/c/openstack/kolla-ansible/+/815577
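As an added illustration of the configuration states this bug moves between (not the kolla-ansible templates or any file from the linked changes): the `[oslo_policy]` option names are oslo.policy's, `rbac_service_role_elevated_access` is the Ironic option named in change 908007, and every value, hostname and the placeholder password are assumptions.

```ini
# Added illustration, not the kolla-ansible template. Values, the auth_url
# host and the password are placeholders.

# ---- ironic.conf ----
[DEFAULT]
# Ironic option from change 908007: a project-scoped token carrying the
# "service" role is granted elevated access instead of requiring a
# system-scoped token for those calls.
rbac_service_role_elevated_access = True

[oslo_policy]
# The temporary workaround (change 906858, later reverted) set both of these
# to False, which fell back to the legacy admin-role policy for every call.
# Keeping them True retains the new RBAC defaults and scope enforcement.
enforce_new_defaults = True
enforce_scope = True

# ---- nova.conf, [ironic] section used by nova-compute-ironic ----
# Credentials of the service user. Change 908580 gives the ironic service
# users the "service" role in the "service" project while keeping the admin
# role, because other services have not adopted the service role yet.
[ironic]
auth_type = password
auth_url = https://keystone.example.test:5000
username = nova
password = REPLACE_ME
project_name = service
user_domain_name = Default
project_domain_name = Default
```

Calls Ironic reserves for system scope by design, such as `baremetal:driver:get`, still need a system-scoped token (the templated admin-openrc from change 908168); the service role alone does not cover them.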

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/906858
Committed: https://opendev.org/openstack/kolla-ansible/commit/d77372e86ab078711d48dbe2917714f338842ca5
Submitter: "Zuul (22348)"
Branch: master

commit d77372e86ab078711d48dbe2917714f338842ca5
Author: Bartosz Bezak <email address hidden>
Date: Fri Jan 26 16:46:14 2024 +0100

    Disable new defaults and scope for Ironic (RBAC)

    Ironic started enforcing new RBAC policies [1]. Kolla/Kayobe
    CI jobs are failing, as K-A doesn't have service role support.
    Moreover, Ironic RBAC is not yet stable enough [2].
    Disable enforcing new policies until the fix merges and Kolla
    Ansible service role support is added.

    [1] https://review.opendev.org/c/openstack/ironic/+/902009
    [2] https://review.opendev.org/c/openstack/ironic/+/907148

    Related-Bug: #2051837

    Change-Id: I424cff6ac96dfe0dd5dc58afca2b785f494c9f02

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kolla-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/908580

Changed in kolla-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla-ansible (master)

Change abandoned by "Bartosz Bezak <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/815577
Reason: The Kolla community decided not to implement the service role for all service users in one change, but rather to do it selectively, as not all OpenStack projects have implemented service role support yet.

Bartosz Bezak (bbezak)
Changed in kolla-ansible:
assignee: nobody → Bartosz Bezak (bbezak)
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Related fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/908007
Committed: https://opendev.org/openstack/kolla-ansible/commit/121aa3d25852660827d8263fd8650f72f2e37d5f
Submitter: "Zuul (22348)"
Branch: master

commit 121aa3d25852660827d8263fd8650f72f2e37d5f
Author: Bartosz Bezak <email address hidden>
Date: Tue Feb 6 14:38:21 2024 +0100

    Ironic: enable elevated access for project scoped service role

    Ironic recently started to enforce new policies and scope [1],
    and Ironic is one of the only OpenStack projects which needs
    system scope for some admin-related API calls [2].
    However, Ironic also started to allow project-scope behaviour
    for the service role with the setting
    ``rbac_service_role_elevated_access`` [3] [4]. This change enables
    this setting to get behaviour of the service role similar to other
    OpenStack projects.

    [1] https://review.opendev.org/c/openstack/ironic/+/902009
    [2] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst?display=source#L261
    [3] https://review.opendev.org/c/openstack/ironic/+/907148
    [4] https://opendev.org/openstack/ironic/src/commit/8ec56066223301230ac0ed0f0c471a10d366b474/releasenotes/notes/service-project-service-role-fix-e4d1a8c23856926a.yaml

    Related-Bug: #2051837

    Change-Id: If8d7cf1663145d0398a2e936486e2b316d4df5e0

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/908580
Committed: https://opendev.org/openstack/kolla-ansible/commit/600e912400ab8b52ca422f007f63da9d4fcc0a69
Submitter: "Zuul (22348)"
Branch: master

commit 600e912400ab8b52ca422f007f63da9d4fcc0a69
Author: Bartosz Bezak <email address hidden>
Date: Fri Feb 9 15:00:24 2024 +0100

    Add service role to ironic service users

    Add the service role to ironic service users. Ironic recently enforced
    new policy validation as part of the RBAC efforts. [1][2]
    Service user support was also added to Ironic. [3]
    The admin role needs to stay, as not all services have added service role support. [4][5]

    [1] https://review.opendev.org/c/openstack/ironic/+/902009
    [2] https://opendev.org/openstack/governance/src/commit/e2a47de10a689a78c31765fd1b020f17c0d3109c/goals/selected/consistent-and-secure-rbac.rst#phase-2
    [3] https://review.opendev.org/c/openstack/ironic/+/907148
    [4] https://review.opendev.org/q/topic:bp%252Fpolicy-service-role-default
    [5] https://review.opendev.org/q/topic:%22New-Location-Apis%22

    Related-Bug: #2051837
    Change-Id: I048402c2247188cf57f35437f557f84ac25d4ff2

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/908168
Committed: https://opendev.org/openstack/kolla-ansible/commit/6e835ae758f0a2e8c87ab0bc22d578168395e424
Submitter: "Zuul (22348)"
Branch: master

commit 6e835ae758f0a2e8c87ab0bc22d578168395e424
Author: Bartosz Bezak <email address hidden>
Date: Tue Feb 6 17:40:04 2024 +0100

    Template system scoped admin-openrc and clouds.yml files

    Ironic enabled secure RBAC with system scoped enforcement [1].

    Some API calls, for instance 'baremetal:driver:get', need the system
    scope role by design [2], even with the elevated-access project scope
    service role [3].

    [1] https://review.opendev.org/c/openstack/ironic/+/902009
    [2] https://opendev.org/openstack/ironic/src/commit/8ec56066223301230ac0ed0f0c471a10d366b474/ironic/common/policy.py#L1349-L1357
    [3] https://review.opendev.org/c/openstack/kolla-ansible/+/908007

    Related-Bug: #2051837

    Change-Id: Id6313d7dd343b82d4c9ccf7bf429d340ea0e93d1

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/907274
Committed: https://opendev.org/openstack/kolla-ansible/commit/c51fbfdd8b39d944868c12eb03715250b1c29b2f
Submitter: "Zuul (22348)"
Branch: master

commit c51fbfdd8b39d944868c12eb03715250b1c29b2f
Author: Bartosz Bezak <email address hidden>
Date: Fri Feb 2 08:22:20 2024 +0000

    Revert "Disable new defaults and scope for Ironic (RBAC)"

    This reverts commit d77372e86ab078711d48dbe2917714f338842ca5.

    Reason for revert: service role support has been fixed in Ironic [1]
    and added to Kolla-Ansible.

    [1] https://review.opendev.org/c/openstack/ironic/+/907148

    Closes-Bug: #2051837

    Change-Id: I49664e3a353f54e0d51f454c552a78846ba64101
