add document for cyborg new policy
This patch added the document for new policy of cyborg inculding: * cyborg policy concepts * configuration guide * all policies in code Change-Id: I79472317c5c1b4aa2660e1c2d5cc61737299975a Story: 2007024 Task: 40934
This commit is contained in:
		| @@ -1,9 +1,9 @@ | ||||
| ========================================================= | ||||
| ================================================== | ||||
| Configuration options for the Acceleration service | ||||
| ========================================================= | ||||
| ================================================== | ||||
|  | ||||
| The following options can be set in the ``/etc/cyborg/cyborg.conf`` config file | ||||
| A :doc:`sample configuration file <sample_config>` is also available. | ||||
| A :doc:`sample configuration file <sample-config>` is also available. | ||||
|  | ||||
| .. show-options:: | ||||
|    :config-file: tools/config/cyborg-config-generator.conf | ||||
|   | ||||
| @@ -6,5 +6,6 @@ Configuration Guide | ||||
|    :maxdepth: 2 | ||||
|  | ||||
|    config-options | ||||
|    sample_config | ||||
|    sample_policy | ||||
|    sample-config | ||||
|    sample-policy | ||||
|    policy-guide | ||||
|   | ||||
							
								
								
									
										287
									
								
								doc/source/configuration/policy-concepts.rst
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										287
									
								
								doc/source/configuration/policy-concepts.rst
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,287 @@ | ||||
| ============================= | ||||
| Understanding Cyborg Policies | ||||
| ============================= | ||||
|  | ||||
| .. warning:: | ||||
|  | ||||
|    JSON formatted policy file is deprecated since Cyborg (Victoria). | ||||
|    Use YAML formatted file. Use `oslopolicy-convert-json-to-yaml`__ tool | ||||
|    to convert the existing JSON to YAML formatted policy file in backward | ||||
|    compatible way. | ||||
|  | ||||
| .. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html | ||||
|  | ||||
| Cyborg supports a rich policy system that has evolved significantly over its | ||||
| lifetime. Initially, cyborg policy defaults have been defined in the codebase, | ||||
| requiring the ``policy.json`` file only to override these defaults. Starting in | ||||
| the Victoria release, policy file has been changed from ``policy.json`` | ||||
| to ``policy.yaml``. | ||||
|  | ||||
| The old default policy in Cyborg is incomplete and not good enough. Since | ||||
| Cyborg V2 API is newly implemented in Train, RBAC check for V2 API still | ||||
| remains incomplete. So in the Ussuri release, the specification of policy | ||||
| refresh was approved. In the Victoria release, Cyborg landed the new default | ||||
| roles to improve some issues that had been identified: | ||||
|  | ||||
| #. No ``allow``. Old policy ``allow`` means any access will be passed. | ||||
|    ``allow`` rule was used by cyborg:arq:create, which is too slack. | ||||
|  | ||||
| #. No global vs project admin. The old role ``is_admin`` is used for the global | ||||
|    admin that is able to make almost any change to Cyborg, and see all details | ||||
|    of the Cyborg system. The rule passes for any user with an admin role, it | ||||
|    doesn’t matter which project is used. | ||||
|  | ||||
| #. No ``admin_or_owner``. Old role ``admin_or_owner`` sounds like it checks if | ||||
|    the user is a member of a project. However, for most APIs we use the default | ||||
|    target which means this rule will pass for any authenticated user. | ||||
|  | ||||
| #. Introduce ``scope_type`` and ``reader`` role. There still some cases which | ||||
|    are not well covered. For example, it is impossible to allow a user to | ||||
|    retrieve/update devices which are shared by multiple projects from a system | ||||
|    level without being given the global admin role. In addition, cyborg now | ||||
|    doesn’t have a ``reader`` role. | ||||
|  | ||||
| Keystone comes with ``admin``, ``member`` and ``reader`` roles by default. | ||||
| Please refer to `keystone document <https://docs.openstack.org/keystone/latest//admin/service-api-protection.html>`__ | ||||
| for more information about these new defaults. In addition, keystone supports | ||||
| a new "system scope" concept that makes it easier to protect deployment level | ||||
| resources from project or system level resources. Please refer to | ||||
| `token scopes <https://docs.openstack.org/keystone/latest//admin/tokens-overview.html#authorization-scopes>`__ | ||||
| and `system scope specification <https://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html>`__ | ||||
| to understand the scope concept. | ||||
|  | ||||
| In the Cyborg (Victoria) release, Cyborg policies implemented | ||||
| the scope concept and default roles provided by keystone (admin, member, | ||||
| and reader). Using common roles from keystone reduces the likelihood of | ||||
| similar, but different, roles implemented across projects or deployments. | ||||
| With the help of the new defaults it is easier to understand who can do | ||||
| what across projects, reduces divergence, and increases interoperability. | ||||
|  | ||||
| The below sections explain how these new defaults in the Cyborg can solve the | ||||
| issues mentioned above and extend more functionality to end users in a safe | ||||
| and secure way. | ||||
|  | ||||
| More information is provided in the `cyborg specification <https://specs.openstack.org/openstack/cyborg-specs/specs/ussuri/approved/policy-defaults-refresh.html>`__ | ||||
|  | ||||
| Scope | ||||
| ----- | ||||
|  | ||||
| OpenStack Keystone supports different scopes in tokens. | ||||
| These are described `here <https://docs.openstack.org/keystone/latest//admin/tokens-overview.html#authorization-scopes>`__. | ||||
| Token scopes represent the layer of authorization. Policy ``scope_types`` | ||||
| represent the layer of authorization required to access an API. | ||||
|  | ||||
| .. note:: | ||||
|  | ||||
|      The ``scope_type`` of each policy is hardcoded and is not | ||||
|      overridable via the policy file. | ||||
|  | ||||
| Cyborg policies have implemented the scope concept by defining the | ||||
| ``scope_type`` in policies. To know each policy's ``scope_type``, please | ||||
| refer to the :doc:`Policy Reference <policy>` and look for | ||||
| ``Scope Types`` or ``Intended scope(s)`` in | ||||
| :doc:`Policy Sample File <sample-policy>` as shown in below | ||||
| examples. | ||||
|  | ||||
| .. rubric:: ``system`` scope | ||||
|  | ||||
| Policies with a ``scope_type`` of ``system`` means a user with a | ||||
| ``system-scoped`` token has permission to access the resource. This can be | ||||
| seen as a global role. All the system-level operation's policies | ||||
| have defaulted to ``scope_type`` of ``['system']``. | ||||
|  | ||||
| For example, consider the ``POST  /v2/device_profiles`` API. | ||||
|  | ||||
| .. code:: | ||||
|  | ||||
|     # Create a device_profile | ||||
|     # POST  /v2/device_profiles | ||||
|     # Intended scope(s): system | ||||
|     #"cyborg:device_profile:create": "rule:system_admin_api" | ||||
|  | ||||
| .. rubric:: ``project`` scope | ||||
|  | ||||
| Policies with a ``scope_type`` of ``project`` means a user with a | ||||
| ``project-scoped`` token has permission to access the resource. This can be | ||||
| seen as a project role. All the project-level operation's policies should be | ||||
| set to ``scope_type`` of ``['project']`` by default. | ||||
|  | ||||
| .. rubric:: ``system and project`` scope | ||||
|  | ||||
| Policies with a ``scope_type`` of ``system and project`` means a user with a | ||||
| ``system-scoped`` or ``project-scoped`` token has permission to access the | ||||
| resource. All the system and project level operation's policies have defaulted | ||||
| to ``scope_type`` of ``['system', 'project']``. | ||||
|  | ||||
| For example, consider the ``GET  /v2/device_profiles/{device_profiles_uuid}`` | ||||
| API. | ||||
|  | ||||
| .. code:: | ||||
|  | ||||
|     # Retrieve a specific device_profile | ||||
|     # GET  /v2/device_profiles/{device_profiles_uuid} | ||||
|     # Intended scope(s): system, project | ||||
|     #"cyborg:device_profile:get_one": "rule:system_or_project_reader" | ||||
|  | ||||
| These scope types provide a way to differentiate between system-level and | ||||
| project-level access roles. You can control the information with scope of the | ||||
| users. | ||||
|  | ||||
| Policy scope is disabled by default to allow operators to migrate from | ||||
| the old policy enforcement system in a graceful way. This can be | ||||
| enabled by configuring the :oslo.config:option:`oslo_policy.enforce_scope` | ||||
| option to ``True``. | ||||
|  | ||||
| .. note:: | ||||
|  | ||||
|   [oslo_policy] | ||||
|   enforce_scope=True | ||||
|  | ||||
|  | ||||
| Roles | ||||
| ----- | ||||
|  | ||||
| You can refer to `this <https://docs.openstack.org/keystone/latest//admin/service-api-protection.html>`__ | ||||
| document to know about all available defaults from Keystone. | ||||
|  | ||||
| Along with the ``scope_type`` feature, Cyborg policy defines new | ||||
| defaults for each policy. | ||||
|  | ||||
| .. rubric:: ``reader`` | ||||
|  | ||||
| This provides read-only access to the resources within the ``system`` or | ||||
| ``project``. Cyborg policies are defaulted to below rules: | ||||
|  | ||||
| .. code:: | ||||
|  | ||||
|    system_reader_api | ||||
|       Default | ||||
|          role:reader and system_scope:all | ||||
|  | ||||
|    project_reader_api | ||||
|       Default | ||||
|          role:reader and project_id:%(project_id)s | ||||
|  | ||||
|    system_or_project_reader | ||||
|       Default | ||||
|          rule:system_reader_api or rule:project_reader_api | ||||
|  | ||||
| .. rubric:: ``member`` | ||||
|  | ||||
| This role is to perform the project level write operation with combination | ||||
| to the system admin. Cyborg policies are defaulted to below rules: | ||||
|  | ||||
| .. code:: | ||||
|  | ||||
|    project_member_api | ||||
|       Default | ||||
|          role:member and project_id:%(project_id)s | ||||
|  | ||||
|    system_admin_or_owner | ||||
|       Default | ||||
|          rule:system_admin_api or rule:project_member_api | ||||
|  | ||||
| .. rubric:: ``admin`` | ||||
|  | ||||
| This role is to perform the admin level write operation at system as well | ||||
| as at project-level operations. Cyborg policies are defaulted to below rules: | ||||
|  | ||||
| .. code:: | ||||
|  | ||||
|    system_admin_api | ||||
|       Default | ||||
|          role:admin and system_scope:all | ||||
|  | ||||
|    project_admin_api | ||||
|       Default | ||||
|          role:admin and project_id:%(project_id)s | ||||
|  | ||||
|    system_admin_or_owner | ||||
|       Default | ||||
|          rule:system_admin_api or rule:project_member_api | ||||
|  | ||||
| With these new defaults, you can solve the problem of: | ||||
|  | ||||
| #. Providing the read-only access to the user. Polices are made more granular | ||||
|    and defaulted to reader rules. For exmaple: If you need to let someone audit | ||||
|    your deployment for security purposes. | ||||
|  | ||||
| #. Customize the policy in better way. For example, you will be able | ||||
|    to provide access to project level member to perform arq patch/post for | ||||
|    instance boot with the project's token. | ||||
|  | ||||
| Backward Compatibility | ||||
| ---------------------- | ||||
|  | ||||
| During the development period (Victoria and Wallaby releases), the new and old | ||||
| policy will both work for backward compatibility by supporting the old | ||||
| defaults and disabling the ``scope_type`` feature by default. This means the | ||||
| old defaults and deployments that use them will keep working as-is. However, | ||||
| we encourage every deployment to switch to new policy. ``scope_type`` will be | ||||
| enabled by default and the old defaults will be removed starting in the | ||||
| X release. | ||||
|  | ||||
| To implement the new default reader roles, some policies needed to become | ||||
| granular. They have been renamed, with the old names still supported for | ||||
| backwards compatibility. | ||||
|  | ||||
| Migration Plan | ||||
| -------------- | ||||
|  | ||||
| To have a graceful migration, Cyborg provides two flags to switch to the new | ||||
| policy completely. You do not need to overwrite the policy file to adopt the | ||||
| new policy defaults. | ||||
|  | ||||
| Here is step wise guide for migration: | ||||
|  | ||||
| #. Create scoped token: | ||||
|  | ||||
|    You need to create the new token with scope knowledge via below CLI: | ||||
|  | ||||
|    - `Create System Scoped Token <https://docs.openstack.org/keystone/latest//admin/tokens-overview.html#operation_create_system_token>`__. | ||||
|    - `Create Project Scoped Token <https://docs.openstack.org/keystone/latest//admin/tokens-overview.html#operation_create_project_scoped_token>`__. | ||||
|  | ||||
| #. Create new default roles in keystone if not done: | ||||
|  | ||||
|    If you do not have new defaults in Keystone then you can create and re-run | ||||
|    the `Keystone Bootstrap <https://docs.openstack.org/keystone/latest//admin/bootstrap.html>`__. | ||||
|    Keystone added this support in 14.0.0 (Rocky) release. | ||||
|  | ||||
| #. Enable Scope Checks | ||||
|  | ||||
|    The :oslo.config:option:`oslo_policy.enforce_scope` flag is to enable the | ||||
|    ``scope_type`` features. The scope of the token used in the request is | ||||
|    always compared to the ``scope_type`` of the policy. If the scopes do not | ||||
|    match, one of two things can happen. | ||||
|    If :oslo.config:option:`oslo_policy.enforce_scope` is True, the request | ||||
|    will be rejected. If :oslo.config:option:`oslo_policy.enforce_scope` is | ||||
|    False, an warning will be logged, but the request will be accepted | ||||
|    (assuming the rest of the policy passes). The default value of this flag | ||||
|    is False. | ||||
|  | ||||
|    .. note:: Before you enable this flag, you need to audit your users and make | ||||
|              sure everyone who needs system-level access has a system role | ||||
|              assignment in keystone. | ||||
|  | ||||
| #. Enable new defaults | ||||
|  | ||||
|    The `oslo_policy.enforce_new_defaults` flag switches | ||||
|    the policy to new defaults-only. This flag controls whether or not to use | ||||
|    old deprecated defaults when evaluating policies. If True, the old | ||||
|    deprecated defaults are not evaluated. This means if any existing | ||||
|    token is allowed for old defaults but is disallowed for new defaults, | ||||
|    it will be rejected. The default value of this flag is False. | ||||
|  | ||||
|    .. note:: Before you enable this flag, you need to educate users about the | ||||
|              different roles they need to use to continue using Cyborg APIs. | ||||
|  | ||||
|  | ||||
| #. Check for deprecated policies | ||||
|  | ||||
|    A few policies were made more granular to implement the reader roles. New | ||||
|    policy names are available to use. If old policy names which are renamed | ||||
|    are overwritten in policy file, then warning will be logged. Please migrate | ||||
|    those policies to new policy names. | ||||
|  | ||||
| We expect all deployments to migrate to new policy by X release so that | ||||
| we can remove the support of old policies. | ||||
							
								
								
									
										45
									
								
								doc/source/configuration/policy-guide.rst
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										45
									
								
								doc/source/configuration/policy-guide.rst
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,45 @@ | ||||
| ================================= | ||||
| Cyborg Policy Configuration Guide | ||||
| ================================= | ||||
|  | ||||
| Cyborg, like most OpenStack projects, uses a policy language to restrict | ||||
| permissions on REST API actions. | ||||
|  | ||||
| * :doc:`Policy Concepts <policy-concepts>`: In the Victoria | ||||
|   release, Cyborg API policy defines new default roles with system scope | ||||
|   capabilities. These new changes improve the security level and | ||||
|   manageability of Cyborg API as they are richer in terms of handling | ||||
|   access at system and project level token with 'Read' and 'Write' roles. | ||||
|  | ||||
| .. toctree:: | ||||
|    :hidden: | ||||
|  | ||||
|    policy-concepts | ||||
|  | ||||
| * :doc:`Policy Reference <policy>`: A complete reference of all | ||||
|   policy points in cyborg and what they impact. | ||||
|  | ||||
| .. only:: html | ||||
|  | ||||
|    * :doc:`Sample Policy File <sample-policy>`: A sample cyborg | ||||
|      policy file with inline documentation. | ||||
|  | ||||
| .. # NOTE(mriedem): This is the section where we hide things that we don't | ||||
|    # actually want in the table of contents but sphinx build would fail if | ||||
|    # they aren't in the toctree somewhere. | ||||
| .. # NOTE(amotoki): toctree needs to be placed at the end of the secion to | ||||
|    # keep the document structure in the PDF doc. | ||||
| .. toctree:: | ||||
|    :hidden: | ||||
|  | ||||
|    policy | ||||
|  | ||||
| .. # NOTE(amotoki): Sample files are only available in HTML document. | ||||
|    # Inline sample files with literalinclude hit LaTeX processing error | ||||
|    # like TeX capacity exceeded and direct links are discouraged in PDF doc. | ||||
| .. only:: html | ||||
|  | ||||
|    .. toctree:: | ||||
|       :hidden: | ||||
|  | ||||
|       sample-policy | ||||
							
								
								
									
										21
									
								
								doc/source/configuration/policy.rst
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										21
									
								
								doc/source/configuration/policy.rst
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,21 @@ | ||||
| =============== | ||||
| Cyborg Policies | ||||
| =============== | ||||
|  | ||||
| The following is an overview of all available policies in Cyborg. | ||||
|  | ||||
| .. warning:: | ||||
|  | ||||
|    JSON formatted policy file is deprecated since Cyborg (Victoria). | ||||
|    Use YAML formatted file. Use `oslopolicy-convert-json-to-yaml`__ tool | ||||
|    to convert the existing JSON to YAML formatted policy file in backward | ||||
|    compatible way. | ||||
|  | ||||
| .. __: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-convert-json-to-yaml.html | ||||
|  | ||||
| .. only:: html | ||||
|  | ||||
|    For a sample configuration file, refer to :doc:`sample-policy`. | ||||
|  | ||||
| .. show-policy:: | ||||
|    :config-file: tools/config/cyborg-policy-generator.conf | ||||
		Reference in New Issue
	
	Block a user
	 Yumeng Bao
					Yumeng Bao