Add a Warning to Policy Enhanced Documentation

Bug #1953056 reported by Pedro Monteiro Azevedo de Moura Almeida
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Pedro Monteiro Azevedo de Moura Almeida

Bug Description

Brief Description
-----------------

There should be a warning on RBAC Enhanced Policies to let the user know that the overrides should be applied together, and that using them separately may cause issues.

Severity
--------
Minor

Description
--------

The documentation about the RBAC Enhanced Policies (https://docs.starlingx.io/system_configuration/openstack/enhanced-rbac-policies.html) may not be clear enough to let the user know that they should not be applied separately, i.e., some of the rules present in a policy from one service might depend on other services to work. For example, both the nova and cinder overrides must be applied in order to detach a volume from an instance, but a user may think that just the cinder is necessary because of the "volume:attachment_delete: rule:admin_or_projectmember_owner" rule present on cinder-override.yml.

https://docs.starlingx.io/system_configuration/openstack/enhanced-rbac-policies.html

--------

Perhaps it would make sense to do something like:

About this task

The standard OpenStack RBAC roles and policies can be enhanced by updating policy configuration in individual OpenStack Services’ Helm charts. StarlingX provides an optional set of updated policy configurations for Nova, Neutron, Glance, Cinder, Keystone and Horizon services that introduce two new roles (‘project_admin’ and ‘project_readonly’) and modify the capabilities of the default ‘member’ role. A high-level summary of the new roles’ capabilities and the modified ‘default’ role capabilities are in the following table; a detailed description is provided at end of page.
>> It's important that all the overrides files get applied; some of the rules present in a policy from one service might depend on other services to work (e.g. nova commands might depend on glance/cinder/neutron permissions). They should not be used separately. <<
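
The dependency described in this report can be checked before any override is applied. The following is an added example, not part of the bug report or of the StarlingX project: a shell gate that refuses a partial override set. The six services are the ones named above; the `<service>-override.yml` file naming (modelled on `cinder-override.yml`) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: all-or-nothing gate for the enhanced-policy override set.
# Services are the six named in the report; the "<service>-override.yml"
# naming is an assumption modelled on "cinder-override.yml".
SERVICES="nova neutron glance cinder keystone horizon"

# Print each service whose override file is missing or empty in directory $1.
missing_overrides() {
    dir=$1
    for svc in $SERVICES; do
        f="$dir/$svc-override.yml"
        # -s is false for a missing file and for a zero-byte file.
        [ -s "$f" ] || printf '%s\n' "$svc"
    done
}

# Return 0 only when the full set is present; otherwise report and return 1
# so a wrapper script stops before applying any single override.
check_override_set() {
    dir=$1
    missing=$(missing_overrides "$dir")
    if [ -n "$missing" ]; then
        echo "refusing to apply a partial override set from $dir" >&2
        echo "missing or empty: $(echo $missing)" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a directory holding only the cinder override, which is
# the case the report warns about (volume detach also needs the nova policy).
demo=$(mktemp -d)
echo "# constructed sample content" > "$demo/cinder-override.yml"
check_override_set "$demo" || echo "gate blocked the cinder-only set"
rm -rf "$demo"
```

A deployment wrapper would call `check_override_set` on the directory of override files and proceed to the documented apply step only when it returns 0.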

description: updated
Changed in starlingx:
status: New → In Progress
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-armada-app (master)

Reviewed: https://review.opendev.org/c/starlingx/openstack-armada-app/+/820038
Committed: https://opendev.org/starlingx/openstack-armada-app/commit/7b18c0ecbbd55835dd3225e0f46a8932627f0312
Submitter: "Zuul (22348)"
Branch: master

commit 7b18c0ecbbd55835dd3225e0f46a8932627f0312
Author: Pedro Almeida <email address hidden>
Date: Wed Dec 1 11:47:01 2021 -0300

    Update on enhanced-policies README

    This is a small update to include a message to
    warn that these overrides should not be used
    separately.

    Also including the --reuse-values parameter.
    This makes sure that it keeps the current
    configuration, adding the new override values.

    Closes-Bug: #1953056
    Signed-off-by: Pedro Almeida <email address hidden>
    Change-Id: I0e3595d4bc9839a3e4246a206192018b927f2c5a

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Pedro Monteiro Azevedo de Moura Almeida (pmonteir)
tags: added: stx.distro.openstack
OpenStack Infra (hudson-openstack) wrote : Fix proposed to docs (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/docs/+/825352

OpenStack Infra (hudson-openstack) wrote : Fix merged to docs (master)

Reviewed: https://review.opendev.org/c/starlingx/docs/+/825352
Committed: https://opendev.org/starlingx/docs/commit/ce396ebd4973d53eb4e8b240f6e2ba745c9704c4
Submitter: "Zuul (22348)"
Branch: master

commit ce396ebd4973d53eb4e8b240f6e2ba745c9704c4
Author: Elisamara Aoki Goncalves <email address hidden>
Date: Wed Jan 19 14:27:39 2022 -0300

    Enhanced RBAC policies (pick)

    Added explanatory note in section

    Closes-Bug: 1953056

    Signed-off-by: Elisamara Aoki Goncalves <email address hidden>
    Change-Id: I61fbc6af9544bd963b105735c46c0bc6383cd152
