Enhanced RBAC Policies¶
About this task
The standard OpenStack RBAC roles and policies can be enhanced by updating the policy configuration in the individual OpenStack services’ Helm charts. StarlingX provides an optional set of updated policy configurations for the Nova, Neutron, Glance, Cinder, Keystone and Horizon services that introduces two new roles (‘project_admin’ and ‘project_readonly’) and modifies the capabilities of the default ‘member’ role. A high-level summary of the new roles’ capabilities and of the modified default role is given in the following table; a detailed description is provided at the end of the page.
Note
All of the override files should be applied together, and none of them should be used on its own: some rules in one service’s policy depend on permissions granted by another service’s policy (for example, Nova commands may depend on Glance, Cinder or Neutron permissions), so applying only a subset leaves a role able to pass one service’s check but fail the dependent one.
| Design | Role | Permissions summary |
|---|---|---|
| Default role | member | Users with role ‘member’ have limited management of project resources |
| New role to add | project_admin | Users with role ‘project_admin’ can fully manage all resources of the project |
| New role to add | project_readonly | Users with role ‘project_readonly’ can only list and display details of resources of the project, and of shared resources of other projects |
Before starting, make sure you have access to the StarlingX OpenStack CLI, then follow the procedure below.
Procedure
- Log in to your active controller.
- Set up admin credentials for the containerized OpenStack application (the platform openrc points at the platform Keystone, so OS_AUTH_URL must be redirected to the containerized one):

  ```bash
  $ source /etc/platform/openrc
  $ export OS_AUTH_URL=http://keystone.openstack.svc.cluster.local/v3
  ```
- Transfer the enhanced policy yml files to the active controller:
  - Download the openstack-armada-app repo from StarlingX in opendev (StarlingX OpenStack FluxCD App) to a remote workstation.
  - Copy the contents of the ‘enhanced-policies’ folder from the remote workstation to the controller:

    ```bash
    $ cd /home/sysadmin
    $ scp -r <remote-workstation>:<path-to-openstack-armada-app-repo>/enhanced-policies openstack-enhanced-policies-0.1.0
    ```
- Create the custom roles (list the existing roles first so you do not create duplicates):

  ```bash
  ~(keystone_admin)]$ openstack role list
  ~(keystone_admin)]$ openstack role create project_admin
  ~(keystone_admin)]$ openstack role create project_readonly
  ```
- To enable the Neutron extensions required by some of the Neutron tests, add the following configuration to a Neutron Helm override yml file and apply it:

  ```bash
  cat <<EOF >neutron-extensions.yml
  conf:
    neutron:
      DEFAULT:
        service_plugins:
          - router
          - network_segment_range
          - qos
          - segments
          - port_forwarding
          - trunk
    plugins:
      ml2_conf:
        ml2:
          extension_drivers:
            - port_security
            - qos
      openvswitch_agent:
        agent:
          extensions:
            - qos
            - port_forwarding
  EOF
  system helm-override-update --reuse-values --values=./neutron-extensions.yml stx-openstack neutron openstack
  ```
- Apply the policy overrides for each service to your cloud, then re-apply the application so the new values take effect:

  ```bash
  $ source /etc/platform/openrc
  ~(keystone_admin)]$ system helm-override-update --reuse-values --values=/home/sysadmin/openstack-enhanced-policies-0.1.0/keystone-policy-overrides.yml stx-openstack keystone openstack
  ~(keystone_admin)]$ system helm-override-update --reuse-values --values=/home/sysadmin/openstack-enhanced-policies-0.1.0/cinder-policy-overrides.yml stx-openstack cinder openstack
  ~(keystone_admin)]$ system helm-override-update --reuse-values --values=/home/sysadmin/openstack-enhanced-policies-0.1.0/nova-policy-overrides.yml stx-openstack nova openstack
  ~(keystone_admin)]$ system helm-override-update --reuse-values --values=/home/sysadmin/openstack-enhanced-policies-0.1.0/neutron-policy-overrides.yml stx-openstack neutron openstack
  ~(keystone_admin)]$ system helm-override-update --reuse-values --values=/home/sysadmin/openstack-enhanced-policies-0.1.0/glance-policy-overrides.yml stx-openstack glance openstack
  ~(keystone_admin)]$ system helm-override-update --reuse-values --values=/home/sysadmin/openstack-enhanced-policies-0.1.0/horizon-policy-overrides.yml stx-openstack horizon openstack
  ~(keystone_admin)]$ system application-apply stx-openstack
  ```
- Watch the application until the overrides have finished applying and its status returns to applied:

  ```bash
  $ watch system application-show stx-openstack
  ```
Running Tests¶
Follow the instructions below to test the enhanced policies on your system. They assume that the new roles have already been created and that the overrides were applied successfully.
Procedure
- Change to the openstack-enhanced-policies-0.1.0 directory you transferred to your controller node:

  ```bash
  $ cd /home/sysadmin/openstack-enhanced-policies-0.1.0
  ```
- IMPORTANT: Create a venv and install the test dependencies:

  ```bash
  $ if [ ! -d .venv ]; then python3 -m venv .venv; fi
  $ source .venv/bin/activate
  $ pip install --upgrade pip
  $ pip install -r test-requirements.txt
  ```
- Download the CirrOS image (a dependency of the Nova and Cinder tests):

  ```bash
  $ wget http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
  ```
- Execute the tests on StarlingX:

  ```bash
  $ source /etc/platform/openrc
  $ export OS_AUTH_URL=http://keystone.openstack.svc.cluster.local/v3
  $ pytest tests/
  ```
To cleanup after testing¶
You can use the run-cleanup-all.sh script to remove any leftovers from the tests on the environment:

```bash
$ source /etc/platform/openrc
$ export OS_AUTH_URL=http://keystone.openstack.svc.cluster.local/v3
$ bash tests/run-cleanup-all.sh
```
Role Permission Details¶
| Role Permissions | identity (keystone) | compute (nova) | networking (neutron) | image (glance) | volume (cinder) |
|---|---|---|---|---|---|
| member | All operations that legacy role ‘member’ can do | | | | |
| project_admin | All operations that legacy role ‘member’ can do | All operations that legacy role ‘member’ can do | | | |
| project_readonly | All operations that legacy role ‘member’ can do | | | | |