Octavia Policies¶
Warning
JSON formatted policy file is deprecated since Octavia 8.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Octavia Advanced Role Based Access Control (RBAC)¶
Octavia adopted the “Advanced Role Based Access Control (RBAC)” default policies in the Pike release of OpenStack. This provides a fine-grained default access control policy for the Octavia service.
The Octavia Advanced RBAC goes beyond the OpenStack legacy RBAC policies of allowing “owners and admins” full access to all services. It also provides a more fine-grained RBAC policy than the newer Keystone Default Roles .
The default policy is to not allow access unless the auth_strategy is ‘noauth’.
Users must be a member of one of the following roles to have access to the load-balancer API:
- role:load-balancer_observer¶
User has access to load-balancer read-only APIs.
- role:load-balancer_global_observer¶
User has access to load-balancer read-only APIs including resources owned by others.
- role:load-balancer_member¶
User has access to load-balancer read and write APIs.
- role:load-balancer_quota_admin¶
User is considered an admin for quota APIs only.
- role:load-balancer_admin¶
User is considered an admin for all load-balancer APIs including resources owned by others.
- role:admin and system_scope:all¶
User is admin to all service APIs, including Octavia.
Note
‘is_admin:True’ is a policy rule that takes into account the auth_strategy == noauth configuration setting. It is equivalent to ‘rule:context_is_admin or {auth_strategy == noauth}’ if that would be valid syntax.
These roles are in addition to the Keystone Default Roles:
role:reader
role:member
In addition, the Octavia API supports Keystone scoped tokens. When enabled in Oslo Policy, users will need to present a token scoped to either the “system” or a specific “project”. See the section Upgrade Considerations for more information.
See the section Managing Octavia User Roles for examples and advice on how to apply these RBAC policies in production.
Legacy Admin or Owner Policy Override File¶
An alternate policy file has been provided in octavia/etc/policy called admin_or_owner-policy.yaml that removes the load-balancer RBAC role requirement. Please see the README.rst in that directory for more information.
This will drop the role requirements to allow access to all with the “admin” role or if the user is a member of the project that created the resource. All users have access to the Octavia API to create and manage load balancers under their project.
OpenStack Default Roles Policy Override File¶
An alternate policy file has been provided in octavia/etc/policy called keystone_default_roles-policy.yaml that removes the load-balancer RBAC role requirement. Please see the README.rst in that directory for more information.
This policy will honor the following Keystone Default Roles in the Octavia API:
Admin
Project scoped - Reader
Project scoped - Member
In addition, there is an alternate policy file that enables system scoped tokens checking called keystone_default_roles_scoped-policy.yaml.
System scoped - Admin
System scoped - Reader
Project scoped - Reader
Project scoped - Member
Managing Octavia User Roles¶
User and group roles are managed through the Keystone (identity) project.
A role can be added to a user with the following command:
openstack role add --project <project name or id> --user <user name or id> <role>
An example where user “jane”, in the “engineering” project, gets a new role “load-balancer_member”:
openstack role add --project engineering --user jane load-balancer_member
Keystone Group Roles¶
Roles can also be assigned to Keystone groups. This can simplify the management of user roles greatly.
For example, your cloud may have a “users” group defined in Keystone. This group is set up to have all of the regular users of your cloud as a member. If you want all of your users to have access to the load balancing service Octavia, you could add the “load-balancer_member” role to the “users” group:
openstack role add --domain default --group users load-balancer_member
Upgrade Considerations¶
Starting with the Wallaby release of Octavia, Keystone token scopes and default roles can be enforced. By default, in the Wallaby release, Oslo Policy will not be enforcing these new roles and scopes. However, at some point in the future they may become the default. You may want to enable them now to be ready for the later transition. This section will describe those settings.
The Oslo Policy project defines two configuration settings, among others, that can be set in the Octavia configuration file to influence how policies are handled in the Octavia API. Those two settings are enforce_scope and enforce_new_defaults.
[oslo_policy] enforce_scope¶
Keystone has introduced the concept of token scopes. Currently, Oslo Policy defaults to not enforce the scope validation of a token for backward compatibility reasons.
The Octavia API supports enforcing the Keystone token scopes as of the Wallaby release. If you are ready to start enforcing the Keystone token scope in the Octavia API you can add the following setting to your Octavia API configuration file:
[oslo_policy]
enforce_scope = True
Currently the primary effect of this setting is to allow a system scoped admin token when performing administrative API calls to the Octavia API. It will also allow system scoped reader tokens to have the equivalent of the load-balancer_global_observer role.
The Octavia API already enforces the project scoping in Keystone tokens.
[oslo_policy] enforce_new_defaults¶
The Octavia Wallaby release added support for Keystone Default Roles in the default policies. The previous Octavia Advanced RBAC policies have now been deprecated in favor of the new policies requiring one of the new Keystone Default Roles. Currently, Oslo Policy defaults to using the deprecated policies that do not require the new Keystone Default Roles for backward compatibility.
The Octavia API supports requiring these new Keystone Default Roles as of the Wallaby release. If you are ready to start requiring these roles you can enable the new policies by adding the following setting to your Octavia API configuration file:
[oslo_policy]
enforce_new_defaults = True
When the new default policies are enabled in the Octavia API, users with the load-balancer:observer role will also require the Keystone default role of “role:reader”. Users with the load-balancer:member role will also require the Keystone default role of “role:member”.
Sample File Generation¶
To generate a sample policy.yaml file from the Octavia defaults, run the oslo policy generation script:
oslopolicy-sample-generator
--config-file etc/policy/octavia-policy-generator.conf
--output-file policy.yaml.sample
Merged File Generation¶
This will output a policy file which includes all registered policy defaults and all policies configured with a policy file. This file shows the effective policy in use by the project:
oslopolicy-policy-generator
--config-file etc/policy/octavia-policy-generator.conf
This tool uses the output_file path from the config-file.
List Redundant Configurations¶
This will output a list of matches for policy rules that are defined in a configuration file where the rule does not differ from a registered default rule. These are rules that can be removed from the policy file with no change in effective policy:
oslopolicy-list-redundant
--config-file etc/policy/octavia-policy-generator.conf
Default Octavia Policies - API Effective Rules¶
This section will list the RBAC rules the Octavia API will use followed by a list of the roles that will be allowed access.
Without enforce_scope and enforce_new_defaults:
load-balancer:read
load-balancer_admin
load-balancer_global_observer
load-balancer_member and <project member>
load-balancer_observer and <project member>
role:admin
load-balancer:read-global
load-balancer_admin
load-balancer_global_observer
role:admin
load-balancer:write
load-balancer_admin
load-balancer_member and <project member>
role:admin
load-balancer:read-quota
load-balancer_admin
load-balancer_global_observer
load-balancer_member and <project member>
load-balancer_observer and <project member>
load-balancer_quota_admin
role:admin
load-balancer:read-quota-global
load-balancer_admin
load-balancer_global_observer
load-balancer_quota_admin
role:admin
load-balancer:write-quota
load-balancer_admin
load-balancer_quota_admin
role:admin
With enforce_scope and enforce_new_defaults:
load-balancer:read
load-balancer_admin
load-balancer_global_observer
load-balancer_member and <project member> and role:member
load-balancer_observer and <project member> and role:reader
role:admin and system_scope:all
role:reader and system_scope:all
load-balancer:read-global
load-balancer_admin
load-balancer_global_observer
role:admin and system_scope:all
role:reader and system_scope:all
load-balancer:write
load-balancer_admin
load-balancer_member and <project member> and role:member
role:admin and system_scope:all
load-balancer:read-quota
load-balancer_admin
load-balancer_global_observer
load-balancer_member and <project member> and role:member
load-balancer_observer and <project member> and role:reader
load-balancer_quota_admin
role:admin and system_scope:all
role:reader and system_scope:all
load-balancer:read-quota-global
load-balancer_admin
load-balancer_global_observer
load-balancer_quota_admin
role:admin and system_scope:all
role:reader and system_scope:all
load-balancer:write-quota
load-balancer_admin
load-balancer_quota_admin
role:admin and system_scope:all
Default Octavia Policies - Generated From The Octavia Code¶
# Intended scope(s): project
#"project-member": "role:member and project_id:%(project_id)s"
# Intended scope(s): project
#"project-reader": "role:reader and project_id:%(project_id)s"
# Intended scope(s): project
#"context_is_admin": "role:load-balancer_admin or role:admin"
# DEPRECATED
# "context_is_admin":"role:admin or role:load-balancer_admin" has been
# deprecated since W in favor of "context_is_admin":"role:load-
# balancer_admin or role:admin".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/latest/configuration/policy.html
# and https://docs.openstack.org/keystone/latest/contributor/services.
# html#reusable-default-roles for more information.
# Intended scope(s): project
#"load-balancer:owner": "project_id:%(project_id)s"
# Intended scope(s): project
#"load-balancer:observer_and_owner": "role:load-balancer_observer and rule:project-reader"
# DEPRECATED
# "load-balancer:observer_and_owner":"role:load-balancer_observer and
# rule:load-balancer:owner" has been deprecated since W in favor of
# "load-balancer:observer_and_owner":"role:load-balancer_observer and
# rule:project-reader".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/latest/configuration/policy.html
# and https://docs.openstack.org/keystone/latest/contributor/services.
# html#reusable-default-roles for more information.
# Intended scope(s): project
#"load-balancer:global_observer": "role:load-balancer_global_observer"
# Intended scope(s): project
#"load-balancer:member_and_owner": "role:load-balancer_member and rule:project-member"
# DEPRECATED
# "load-balancer:member_and_owner":"role:load-balancer_member and
# rule:load-balancer:owner" has been deprecated since W in favor of
# "load-balancer:member_and_owner":"role:load-balancer_member and
# rule:project-member".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/latest/configuration/policy.html
# and https://docs.openstack.org/keystone/latest/contributor/services.
# html#reusable-default-roles for more information.
# Intended scope(s): project
#"load-balancer:admin": "is_admin:True or role:load-balancer_admin or role:admin"
# Intended scope(s): project
#"load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
# Intended scope(s): project
#"load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin"
# Intended scope(s): project
#"load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
# Intended scope(s): project
#"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
# Intended scope(s): project
#"load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
# Intended scope(s): project
#"load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin"
# List Flavors
# GET /v2.0/lbaas/flavors
#"os_load-balancer_api:flavor:get_all": "rule:load-balancer:read"
# Create a Flavor
# POST /v2.0/lbaas/flavors
#"os_load-balancer_api:flavor:post": "rule:load-balancer:admin"
# Update a Flavor
# PUT /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:put": "rule:load-balancer:admin"
# Show Flavor details
# GET /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:get_one": "rule:load-balancer:read"
# Remove a Flavor
# DELETE /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:delete": "rule:load-balancer:admin"
# List Flavor Profiles
# GET /v2.0/lbaas/flavorprofiles
#"os_load-balancer_api:flavor-profile:get_all": "rule:load-balancer:admin"
# Create a Flavor Profile
# POST /v2.0/lbaas/flavorprofiles
#"os_load-balancer_api:flavor-profile:post": "rule:load-balancer:admin"
# Update a Flavor Profile
# PUT /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:put": "rule:load-balancer:admin"
# Show Flavor Profile details
# GET /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:get_one": "rule:load-balancer:admin"
# Remove a Flavor Profile
# DELETE /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:delete": "rule:load-balancer:admin"
# List Availability Zones
# GET /v2.0/lbaas/availabilityzones
#"os_load-balancer_api:availability-zone:get_all": "rule:load-balancer:read"
# Create an Availability Zone
# POST /v2.0/lbaas/availabilityzones
#"os_load-balancer_api:availability-zone:post": "rule:load-balancer:admin"
# Update an Availability Zone
# PUT /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:put": "rule:load-balancer:admin"
# Show Availability Zone details
# GET /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:get_one": "rule:load-balancer:read"
# Remove an Availability Zone
# DELETE /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:delete": "rule:load-balancer:admin"
# List Availability Zones
# GET /v2.0/lbaas/availabilityzoneprofiles
#"os_load-balancer_api:availability-zone-profile:get_all": "rule:load-balancer:admin"
# Create an Availability Zone
# POST /v2.0/lbaas/availabilityzoneprofiles
#"os_load-balancer_api:availability-zone-profile:post": "rule:load-balancer:admin"
# Update an Availability Zone
# PUT /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:put": "rule:load-balancer:admin"
# Show Availability Zone details
# GET /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:get_one": "rule:load-balancer:admin"
# Remove an Availability Zone
# DELETE /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:delete": "rule:load-balancer:admin"
# List Health Monitors of a Pool
# GET /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read"
# List Health Monitors including resources owned by others
# GET /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global"
# Create a Health Monitor
# POST /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write"
# Show Health Monitor details
# GET /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read"
# Update a Health Monitor
# PUT /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write"
# Remove a Health Monitor
# DELETE /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write"
# List L7 Policys
# GET /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read"
# List L7 Policys including resources owned by others
# GET /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global"
# Create a L7 Policy
# POST /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:post": "rule:load-balancer:write"
# Show L7 Policy details
# GET /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read"
# Update a L7 Policy
# PUT /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:put": "rule:load-balancer:write"
# Remove a L7 Policy
# DELETE /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:delete": "rule:load-balancer:write"
# List L7 Rules
# GET /v2/lbaas/l7policies/{l7policy_id}/rules
#"os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read"
# Create a L7 Rule
# POST /v2/lbaas/l7policies/{l7policy_id}/rules
#"os_load-balancer_api:l7rule:post": "rule:load-balancer:write"
# Show L7 Rule details
# GET /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read"
# Update a L7 Rule
# PUT /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:put": "rule:load-balancer:write"
# Remove a L7 Rule
# DELETE /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:delete": "rule:load-balancer:write"
# List Listeners
# GET /v2/lbaas/listeners
#"os_load-balancer_api:listener:get_all": "rule:load-balancer:read"
# List Listeners including resources owned by others
# GET /v2/lbaas/listeners
#"os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global"
# Create a Listener
# POST /v2/lbaas/listeners
#"os_load-balancer_api:listener:post": "rule:load-balancer:write"
# Show Listener details
# GET /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:get_one": "rule:load-balancer:read"
# Update a Listener
# PUT /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:put": "rule:load-balancer:write"
# Remove a Listener
# DELETE /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:delete": "rule:load-balancer:write"
# Show Listener statistics
# GET /v2/lbaas/listeners/{listener_id}/stats
#"os_load-balancer_api:listener:get_stats": "rule:load-balancer:read"
# List Load Balancers
# GET /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read"
# List Load Balancers including resources owned by others
# GET /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global"
# Create a Load Balancer
# POST /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write"
# Show Load Balancer details
# GET /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read"
# Update a Load Balancer
# PUT /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write"
# Remove a Load Balancer
# DELETE /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write"
# Show Load Balancer statistics
# GET /v2/lbaas/loadbalancers/{loadbalancer_id}/stats
#"os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read"
# Show Load Balancer status
# GET /v2/lbaas/loadbalancers/{loadbalancer_id}/status
#"os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read"
# Failover a Load Balancer
# PUT /v2/lbaas/loadbalancers/{loadbalancer_id}/failover
#"os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin"
# List Members of a Pool
# GET /v2/lbaas/pools/{pool_id}/members
#"os_load-balancer_api:member:get_all": "rule:load-balancer:read"
# Create a Member
# POST /v2/lbaas/pools/{pool_id}/members
#"os_load-balancer_api:member:post": "rule:load-balancer:write"
# Show Member details
# GET /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:get_one": "rule:load-balancer:read"
# Update a Member
# PUT /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:put": "rule:load-balancer:write"
# Remove a Member
# DELETE /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:delete": "rule:load-balancer:write"
# List Pools
# GET /v2/lbaas/pools
#"os_load-balancer_api:pool:get_all": "rule:load-balancer:read"
# List Pools including resources owned by others
# GET /v2/lbaas/pools
#"os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global"
# Create a Pool
# POST /v2/lbaas/pools
#"os_load-balancer_api:pool:post": "rule:load-balancer:write"
# Show Pool details
# GET /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:get_one": "rule:load-balancer:read"
# Update a Pool
# PUT /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:put": "rule:load-balancer:write"
# Remove a Pool
# DELETE /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:delete": "rule:load-balancer:write"
# List enabled providers
# GET /v2/lbaas/providers
#"os_load-balancer_api:provider:get_all": "rule:load-balancer:read"
# List Quotas
# GET /v2/lbaas/quotas
#"os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota"
# List Quotas including resources owned by others
# GET /v2/lbaas/quotas
#"os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global"
# Show Quota details
# GET /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota"
# Update a Quota
# PUT /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:put": "rule:load-balancer:write-quota"
# Reset a Quota
# DELETE /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota"
# Show Default Quota for a Project
# GET /v2/lbaas/quotas/{project_id}/default
#"os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota"
# List Amphorae
# GET /v2/octavia/amphorae
#"os_load-balancer_api:amphora:get_all": "rule:load-balancer:admin"
# Show Amphora details
# GET /v2/octavia/amphorae/{amphora_id}
#"os_load-balancer_api:amphora:get_one": "rule:load-balancer:admin"
# Delete an Amphora
# DELETE /v2/octavia/amphorae/{amphora_id}
#"os_load-balancer_api:amphora:delete": "rule:load-balancer:admin"
# Update Amphora Agent Configuration
# PUT /v2/octavia/amphorae/{amphora_id}/config
#"os_load-balancer_api:amphora:put_config": "rule:load-balancer:admin"
# Failover Amphora
# PUT /v2/octavia/amphorae/{amphora_id}/failover
#"os_load-balancer_api:amphora:put_failover": "rule:load-balancer:admin"
# Show Amphora statistics
# GET /v2/octavia/amphorae/{amphora_id}/stats
#"os_load-balancer_api:amphora:get_stats": "rule:load-balancer:admin"
# List the provider flavor capabilities.
# GET /v2/lbaas/providers/{provider}/flavor_capabilities
#"os_load-balancer_api:provider-flavor:get_all": "rule:load-balancer:admin"
# List the provider availability zone capabilities.
# GET /v2/lbaas/providers/{provider}/availability_zone_capabilities
#"os_load-balancer_api:provider-availability-zone:get_all": "rule:load-balancer:admin"