-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Define list of useful SCS-standardized roles in OpenStack #396
Define list of useful SCS-standardized roles in OpenStack #396
Comments
As Markus said, there's also the upstream As an upshot for me, I think we need to have the dimension of |
Upstream workI gathered the following upstream resources in regards to role definitions. KeystoneRoles: https://docs.openstack.org/keystone/latest/admin/service-api-protection.html BarbicanRoles: https://docs.openstack.org/barbican/train/admin/access_control.html Other"Consistent and Secure RBAC" trackhttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
Policy concepts in NovaState in Nova: https://docs.openstack.org/nova/latest/configuration/policy-concepts.html Side note: policy config 101https://docs.openstack.org/cinder/ussuri/configuration/block-storage/policy-config-HOWTO.html
|
Important update from the Keystone PTG session from 2023-10-25: These Barbican-specific roles are superseded by the "Consistent and Secure RBAC" track and its roles according to the Keystone team. This makes work on this standard substantially easier, because upstream will also deploy a consistent set of roles across all services which we can build upon. |
I'm unfortunately unable to finish the Role Standard in its current state. Since there is no defined list of supported and allowed OpenStack services in SCS yet, the standard cannot rely on delivering and maintaining full policy configuration templates - there are just too many services. Also, writing SCS-specific and gapless policy templates for each and every possible OpenStack service would put an unfeasible development, testing and maintenance burden on SCS. Instead I opted to describe general guidelines in the standard draft on how to work with the OpenStack defaults in order to provide a consistent role model across SCS infrastructures, i.e. not modifying the default permission sets of OpenStack and properly preserving them when making adjustments as the CSP. The standard intended to provide a way to generate default policy files using OpenStack tools, define them as the gold standard and then describe on how to make individual adjustments if necessary. Below are just a few small examples of the various effects these settings can have and how they conflict across services. General:
Barbican:
Keystone:
Footnotes |
I am currently reading into the secure RBAC work on upstream. So far I am concerned about the scopes especially: Even though system scope is currently postponed (or even cancelled?) the project scope may change the behavior of the cloud. And the system scope will either break a lot of operator workflows or will need an incredible large amount of time to be implemented. The standard should definitely describe this. But we may also need an upgrade path for CSPs and users, if we change the standard in this point. |
Standardizing the roles in OpenStack is an important topic. Reading through all the current progress upstream, the problems @markus-hentsch mentioned, are still and will be most likely still in place for 2024.1. The tracking of progress shows, that Cinder does not yet fully obey the new personas ( Having not yet a wide spread consensus over the openstack-projects about those personas contradicts using the new policies right now. But as Markus also mentioned, There are side-effects, when enabling the new policies (e.g. it breaks the domain manager role as described in the same-named standard). As the old policies do not seem to be deprecated right now.2 We should be safe to use them for another year. There are two more things to consider:
I would like to add those two parts to the standard. Footnotes |
We discussed the "network rbac create" option, that lets non-admin users share security groups and networks with other projects as a default policy. Now I am thinking about adding an phrase to this standard to integrate some SCS-defined policy-optiones. It should lead to a website or document or something like this, were we should be gathering all potential security enhancements in policy, we would like to see in an scs-deployment. So all this standard would need to to is to point at this document and state, that those changes should be integrated. @bitkeks would that be possible way to go? If yes, the question remains, where the adjusted policy-options will be available. |
That works for me! Either apply the policy patch directly in IaaS layer and explain it in the docs, or recommend the patch in the docs. Somewhere where configuration and/or security is the main focus. Release notes as well, if the patch is applied onto the release artifacts. |
Currently pending on #528 |
Now that we are close to finalizing the list of mandatory and supported services in #528, I looked at each applicable service and gathered which roles are currently established based on documentation and source code of the services. List of roles
Barbican3:
(note: Barbican's special roles are planned to be superseded by the RBAC rework4 and replaced by the standard reader, member etc. however the special roles are currently still included as deprecated5; using the reworked roles requires Ceilometer/Swift:
Octavia5 (default configuration):
EDIT (2024-05-14): according to Octavia's documentation, Octavia ships optional alternative policy files, which scrap the Octavia-specific roles and align it with the default reader, member, admin scheme: Heat:
Services that don't introduce additional roles:
Footnotes
|
I added Heat to my DevStack in order to check this potential loophole. OpenStack Heat special role behaviorI created a basic Heat template to deploy a Keystone user in order to verify the role behavior. Heat template: heat_template_version: 2015_04_30
resources:
heat_created_project:
type: OS::Keystone::Project
properties:
description: "A project created by Heat"
domain: "Default"
enabled: true
name: "heat_created_project"
heat_created_user:
type: OS::Keystone::User
properties:
description: "A user created by Heat"
domain: "Default"
enabled: true
name: "heat_created_user"
password: "notsosecret"
role_assignment:
type: OS::Keystone::UserRoleAssignment
properties:
user: { get_resource: heat_created_user }
roles:
- project: { get_resource: heat_created_project }
role: member Then deploying the template as admin: source openrc admin admin
openstack stack create -t heat_template.yml demo-heat-stack According to both documentation and implementation1, Heat should add the openstack role assignment list --names --user heat_created_user
+--------+---------------------------+-------+---------------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+---------------------------+-------+---------------------------+--------+--------+-----------+
| member | heat_created_user@Default | | heat_created_project@Defa | | | False |
| | | | ult | | | |
+--------+---------------------------+-------+---------------------------+--------+--------+-----------+ ... it only creates the role assignment as per template. Something is amiss here. I will look into this more and update this comment accordingly. Update (2024-05-03): I misinterpreted the documentation and code. The One example is the resources:
sample_server:
type: OS::Nova::Server
properties:
flavor: "m1.tiny"
image: "cirros-0.6.2-x86_64-disk"
name: "heat-created-server"
user_data: "bogus"
user_data_format: "SOFTWARE_CONFIG" This results in a technical user account which only possesses the
Since this user account does not possess a regular role (e.g. ConclusionThe Footnotes |
Considerations for the standardizationDue to the large amount of services and roles involved by now, I think the standard should try to keep it as simple as possible:
As a result, I need to find a solution to the dissonance between implemented and generated defaults (i.e. Update (2024-05-07):Here are some observations about
|
Update to the above: I was finally able to cleanly differentiate between in-code policy definitions and overrides by mimicking the crucial part of oslopolicy-policy-generator1 while changing the behavior to not discard in-code defaults that have overrides but actually output them separately: from oslo_policy import generator, policy
DEPRECATED_RULES = False
NAMESPACE = "keystone"
def ruledefault_to_yaml_entry(ruledefault):
return generator._format_rule_default_yaml(
ruledefault, include_help=False, comment_rule=False,
add_deprecated_rules=DEPRECATED_RULES
)
enforcer = generator._get_enforcer(NAMESPACE)
enforcer.load_rules()
file_rules = [policy.RuleDefault(name, default.check_str)
for name, default in enforcer.file_rules.items()]
registered_rules = [policy.RuleDefault(name, default.check_str)
for name, default in enforcer.registered_rules.items()]
file_rules_out = open("file_rules.yaml", 'w')
registered_rules_out = open("registered_rules.yaml", 'w')
file_rules_out.writelines(
[ruledefault_to_yaml_entry(df) for df in file_rules]
)
registered_rules_out.writelines(
[ruledefault_to_yaml_entry(df) for df in registered_rules]
) The resulting Now that I have the untainted defaults, I will check whether the discrepancies observed in #396 (comment) can be demystified and solved. Footnotes |
Solving the policy mismatch mysteryI finally found the root cause of the observed unexpected default API policy behavior described in #396 (comment) The documentation of the
... and this statement seems to be wrong. As I uncovered below, it actually ignores deprecated policy rules even if they are actively still in use. Barbican on DevStack without policy file:file /etc/barbican/policy.yaml
# /etc/barbican/policy.yaml: cannot open `/etc/barbican/policy.yaml' (No such file or directory)
source openrc admin admin
openstack secret list
# (no output)
echo $?
# 0 Authenticated with the Barbican on DevStack with oslo.policy-generated policy file:/opt/stack/data/venv/bin/oslopolicy-policy-generator \
--namespace barbican --output-file /etc/barbican/policy.yaml
file /etc/barbican/policy.yaml
# /etc/barbican/policy.yaml: ASCII text
sudo systemctl restart [email protected]
source openrc admin admin
openstack secret list
# 4xx Client error: Forbidden: Secret(s) retrieval attempt not allowed - please review your user/project privileges
# Forbidden: Secret(s) retrieval attempt not allowed - please review your user/project privileges
echo $?
# 1 Since the new policy defaults strictly require the scoped authentication with the Proper policy generationUsing the code from #396 (comment), the behavior can be adjusted to include deprecated rules instead: use_deprecated = True
enforcer = generator._get_enforcer(namespace)
enforcer.load_rules()
registered_rules = []
for name, default in enforcer.registered_rules.items():
if use_deprecated and default.deprecated_rule:
rule = default.deprecated_rule.check_str
else:
rule = default.check_str
registered_rules.append(policy.RuleDefault(name, rule)) Using this code I can generate a policy file from scratch that now seems to match the actual API behavior when the API is not using any policy file. Footnotes |
I implemented a small toolkit for batch-generating default API policy files for all (currently) SCS-mandatory and -supported APIs accordingly here: https://gist.github.com/markus-hentsch/54adc0bd5bc7c5799199bf11bf1b8abf |
Upon closer inspection Octavia seems to support alternative policy defaults that omit the Octavia-specific roles. I've updated #396 (comment) accordingly. If there's no critical loss of functionality or other downsides, it would be beneficial to the simplicity of the standard to align Octavia with the other roles, discarding the Octavia-specific ones. This would however make SCS behave differently than default Octavia in terms of role assignment processes. |
I closed the existing PR and started writing a new standard draft from scratch in SovereignCloudStack/standards#590 based on all the new findings documented above. Important note about role reworks and compatibilityAs described in #396 (comment) there are a bunch of special roles in both Barbican and Octavia.
That means for both Barbican and Octavia to get rid of the service-specific role set, the I've documented this in the design considerations sections of the new standard draft. It seems that for now we have to keep the service-specific roles of both Octavia and Barbican which sadly bloats our list of roles. Footnotes
|
For the standard to be useful we need some way to verify conformance to it. Possible Conformance TestsWithout admin rights and from the outside:
Problems with that approach:
With admin rights or from the inside:
|
While implementing conformance tests I found a way to make sure that a test is executed with only the member role using limited role inheritance via application credentials. While implementing the corresponding Key Manager API tests I found and reported a bug in OpenStack SDK: https://bugs.launchpad.net/openstacksdk/+bug/2066045 |
Important statement/update1 from upstream (Nova):
Footnotes |
Current adoption of
|
Service | Uses new options? | Comment |
---|---|---|
Nova | Fully | Link |
Neutron | Fully | Link |
Glance | Fully | Link |
Barbican | Fully | Link |
Ironic | Fully | Link |
Manila | Fully | Link |
Heat | Yes* | Link, *Options were known to break Heat, current state unknown |
Cinder | No, but supported | Link |
Keystone | No, but supported | Link |
Placement | No, but supported | Link |
Octavia | No, but supported | Link |
Designate | No, but supported | Link |
Swift | No | No mentions in code |
CloudKitty | No | No mentions in code |
Masakari | No | No mentions in code |
Gnocchi | No | No mentions in code, not part of opendev anymore, adoption late or unlikely |
Ceilometer | Not Applicable | Has no API |
Note that oslo.policy still defaults to disabling those options currently. This means that any service that does not explicitly force-enable those will not use them per default.
I already corrected my erronous statements in the standard PR but I will need to revisit the whole standard in regards to deciding for or against the new options and resulting role models.
Current state of Secure RBAC regarding Heat and roadmapAdding to the above I checked the actual state of Heat compatibility and roadmap plans in regards to Secure RBAC ( BackstoryThe "Consistent and Secure Default RBAC" TC upstream page1 says:
This mailing list message from 2022 summarized the problem pretty well and described the possible solutions. A Zed release Etherpad discussed a few solutions back in April 2022:
From the above information, it is still unclear what the current state of Heat is regarding this problem now in 2024. Current State (as of 2024.2 in development)DevStack
Heat
The following template in Heat works as admin even with heat_template_version: 2015-10-15
resources:
# Keystone user, a system-level resource
heat_created_user:
type: OS::Keystone::User
properties:
description: "A user created by Heat"
domain: "Default"
enabled: true
name: "heat_created_user"
password: "notsosecret"
# Keystone project, a system-level resource
heat_created_project:
type: OS::Keystone::Project
properties:
name: "heat_created_project"
# Cinder volume, a project-level resource
heat_created_volume:
type: OS::Cinder::Volume
properties:
image: "cirros-0.6.2-x86_64-disk"
name: "heat_created_volume"
size: 1 (tested on a DevStack based on current master checkouts from 2024-07-01) Global Adoption
ConclusionIt initially seemed like roadblocks led to the upstream Secure RBAC implementation being on hold for the time being. Judging from merged fixes2 and some basic testing, the core Heat issues seem to be solved by now. Regarding SCS-specific implementations: Only the Domain Manager approach as currently implemented downstream via policies as per SCS Domain Manager Standard will be affected and not work with the new Secure RBAC. Footnotes
|
Thank you for writing all of this down. To me this makes me wondering, whether we want to have a role standard right now. It seems to me that a lot of changes are still coming up soon. Additionally with Swift, Cloudkitty and Masakari not even supporting it right now, i have another question: how do scoped tokens behave when being used with non-scoped APIs? Do they just check the role? (Would make sense) But in the end, when the enforcing of the new version is coming in the next release as well as we are trying to bring the domain manager in for the next release - maybe we should wait for that to happen before we decide here. We may discuss this in the IaaS meeting, but I think focusing on the upstream domain-scoped manager may be a better way to go first. |
Some updates:
The new defaults have now been merged and will be part of 2024.2: openstack/oslo.policy@206ae19
Good news: it seems that this statement is not true anymore. The way that Keystone has progressed in adopting full compatibility to the scope enforcement makes the SCS implementation stay unaffected. On the latest master (upcoming 2024.2), I am able to successfully apply the SCS Domain Manager Standard and pass all tests even with the following options set in Keystone: [oslo_policy]
enforce_new_defaults = true
enforce_scope = true As it seems there are no roadblocks left with 2024.2 that prevent us from adopting the new options and role model. |
I'm currently in the process of wrapping up the rework of the standard. Due to the progress on the upstream side, the standard will be able to pretty much use the new SRBAC model completely, even for R7. Only two things are still noteworthy:
The role standard will mandate adhering to the new SRBAC default role model as provided by OpenStack with the new SRBAC options ( I'm currently integrating Octavia into my DevStack to verify the SRBAC policy configuration. I already adjusted the standard's text and greenlight it once I can confirm it is working. |
In one of the recent SCS calls it was noted by a member of the community that there have been some upstream reports recently about remaining issues with the new defaults in the currently in-development 2024.2 release. So I looked into it again. The RBAC goal tracking page currently (2024-09-19) states:
Notable here are Barbican, Cinder and Horizon as they are relevant for SCS releases. For Barbican it was disabled in this commit. It says "there are many test modification is needed for the new For Cinder it was disabled in this commit. It only says "Until Cinder is ready with the new RBAC" and does not go into detail what that entails. For Horizon, it was disabled in this commit. It says "There are more changes (test fixes also) needed to make |
How is the progress here? |
This standard is aiming to make the new secure RBAC with scopes mandatory. But we cannot make this mandatory until upstream openstack finishes its work on this topic over all projects (Nova, Cinder, Glance, etc....). Right now it seems that Cinder as well as other service do not yet fully implement the new secure RBAC roles and scopes. When the work is finished upstream, we can resume the work on this standard. |
As a IaaS user of SCS-compatible clouds, I want a number of standard roles to be available on every SCS-compatible IaaS environment which serve my typical needs and which are the same (especially from a security & privacy analysis point of view) on all these clouds.
These could be an "admin" role (not available to users, just operators), "domain-manager", "project-member", "read-only", "auditor". These would be global (all services) inside a project (or domain for domain-manager). Maybe read-only vs autitor distrinction is not useful ... Ensure that this is a hierarchy that can easily be understood and analysed from a security point of view.
Work has been done upstream (RBAC work in Yoga) on this.
Tasks:
Definition of Ready:
Definition of Done:
The text was updated successfully, but these errors were encountered: