Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft: Roles Standard #378

Closed
wants to merge 7 commits into from
Closed

Draft: Roles Standard #378

wants to merge 7 commits into from

Conversation

markus-hentsch
Copy link
Contributor

Adds a standard to define all RBAC roles and permissions in the SCS IaaS layer.

Resolves SovereignCloudStack/issues#396

@markus-hentsch markus-hentsch added the SCS-VP10 Related to tender lot SCS-VP10 label Nov 10, 2023
@markus-hentsch markus-hentsch changed the title WIP: Roles Standard Draft: Roles Standard Nov 23, 2023
@markus-hentsch markus-hentsch marked this pull request as draft November 23, 2023 12:45
Signed-off-by: Markus Hentsch <[email protected]>

### Limited scope of OpenStack services covered by this standard

Currently, SCS does not enforce a list of OpenStack components/services it covers and/or supports exactly.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do we want to address this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See the corresponding action item here: https://github.com/SovereignCloudStack/minutes/blob/main/iam/20231018.md?plain=1#L65-L72

Quote:

  • = predefine policy.yaml files for all services that have an API
    • Q: does SCS include a fixed set of services?
      • AI @garloff -> @berendt, @fkr: Put all services in a number of buckets:
        1. Standard services (expected to be available with each SCS deployment)
        2. Optional but fully supported
        3. Optional, no guarantees (Tech Preview ...)
        4. Unavailable

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I introduced an issue to work on this: #469


## Decision

This standard establishes a set of roles consisting of current OpenStack defaults and the stable parts of the ongoing OpenStack RBAC rework[^1].
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How to we handle the roles / policy modifications / policy extensions itself? Are they part of this standard?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm currently looking into figuring out the best strategy for this to fill in the core part of the standard.

Aside from the Domain Manager, we do not diverge from the current upstream roles so far. Hence I'm considering proposing a simple set of rules (e.g. the CSP must not extend the rights of the "reader" or "member" roles beyond the upstream policy definitions, etc.) and a best-practice approach to ensuring/applying the default rule sets of upstream OpenStack.

Standards/scs-0303-v1-standard-roles.md Show resolved Hide resolved
markus-hentsch and others added 4 commits December 11, 2023 16:04
Signed-off-by: Markus Hentsch <[email protected]>
First Update regarding the progress of upstream RBAC development

Signed-off-by: josephineSei <[email protected]>
include newly introduced manager role with project-manager persona into the standard.

Signed-off-by: josephineSei <[email protected]>
Copy link
Contributor

@josephineSei josephineSei left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bitkeks what do you think about integrating a pointer to a set of policy adjustments?

Since the stable parts of the rework are already included in recent OpenStack releases, they can be used as-is.

On a per-service basis, a CSP applying this standard MUST either
**a)** not configure a `policy.yaml` or `policy.json` file for the OpenStack service at all (i.e. using its defaults) or
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
**a)** not configure a `policy.yaml` or `policy.json` file for the OpenStack service at all (i.e. using its defaults) or
**a)** use the predefined policy options from the SCS for certain services and do not configure a `policy.yaml` or `policy.json` file for the rest of the OpenStack service at all (i.e. using its defaults) or

This suggestion includes a hint to a possible repository or document or website for policy-options, that should be adjusted in SCS-deployments compared to the default policies.


- the default OpenStack roles (`admin`, `manager`, `member`, `reader`) MUST NOT be changed regarding their permissions
- for custom permission sets a new role MUST be added and the name of the role MUST NOT match with any of the existing default role defined by OpenStack (`admin`, `manager`, `member`, `reader` etc.) or the name `domain-manager`
- in case of Keystone, a `domain-manager` role MAY be added; in this case its definition MUST adhere to the Domain Manager SCS standard
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- in case of Keystone, a `domain-manager` role MAY be added; in this case its definition MUST adhere to the Domain Manager SCS standard
- in case of Keystone, a `domain-manager` role MAY be added; in this case its definition MUST adhere to the Domain Manager SCS standard
- the policy enhancements provided by the SCS MUST be included

This suggestion should include a hint to a possible repository or document or website for policy-options, that should be adjusted in SCS-deployments compared to the default policies.

@markus-hentsch
Copy link
Contributor Author

Closing this in favor of the rework #590 based on the latest findings of SovereignCloudStack/issues#396

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
SCS-VP10 Related to tender lot SCS-VP10
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Define list of useful SCS-standardized roles in OpenStack
3 participants