5a8c1e5480
After upgrading the OpenStack services to its 2023.1 (Antelope) release,
the RBAC policies used for test also required several updates, mainly
due to:
* Deprecated policies
* Policies that were split for more fine grained control
* Policies that had its default rule modified
* openstack-client errors that now include the 403 Forbidden when
blocking a given user
Also it was noticed that the project_read_only user was not able to list
servers (servers:detail,servers:index and servers:show).
This would cause several other failures, and we assume that this is a
default behavior that changed from Ussuri to 2023.1.
So the actual "projectreadonly_required" role key was added to be used
for policies that should be allowed to the read_only user.
Story: 2010715
Task: 49259
TEST PLAN:
PASS - Apply new enhanced RBAC policies YAML files
* system helm-override-update
PASS - Proceed with the documentation steps for configuring users
PASS - Ensure polices are working as expected (250 automated TCs)
Change-Id: Ia6036b2be694c27f6cc7ca2fded40f32862eca85
Signed-off-by: Thales Elero Cervi <thaleselero.cervi@windriver.com>
73 lines
5.3 KiB
YAML
73 lines
5.3 KiB
YAML
conf:
|
|
policy:
|
|
admin_or_projectadmin_owner: rule:context_is_admin or rule:projectadmin_and_owner
|
|
admin_or_projectadmin_required: rule:context_is_admin or rule:projectadmin_required
|
|
admin_or_projectmember_owner: rule:context_is_admin or rule:projectmember_and_owner
|
|
admin_or_projectmember_required: rule:context_is_admin or rule:projectmember_required
|
|
admin_or_projectreadonly_required: rule:context_is_admin or rule:projectreadonly_required
|
|
context_is_admin: role:admin
|
|
os_compute_api:os-admin-password: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-attach-interfaces:create: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-attach-interfaces:delete: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-console-output: rule:admin_or_projectmember_owner
|
|
os_compute_api:os-consoles:create: rule:admin_or_projectmember_owner
|
|
os_compute_api:os-consoles:delete: rule:admin_or_projectmember_owner
|
|
os_compute_api:os-create-backup: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-deferred-delete:force: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-deferred-delete:restore: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-lock-server:lock: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-lock-server:unlock: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-pause-server:pause: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-pause-server:unpause: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-remote-consoles: rule:admin_or_projectmember_owner
|
|
os_compute_api:os-security-groups:add: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-security-groups:create: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-security-groups:delete: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-security-groups:get: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-security-groups:list: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-security-groups:remove: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-security-groups:show: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-security-groups:update: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-server-groups:create: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-server-groups:delete: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-server-password:clear: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-server-password:show: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-server-tags:delete: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-server-tags:delete_all: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-server-tags:update: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-server-tags:update_all: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-shelve:shelve: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-shelve:unshelve: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-suspend-server:resume: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-suspend-server:suspend: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-unrescue: rule:admin_or_projectadmin_owner
|
|
os_compute_api:os-volumes-attachments:create: rule:admin_or_projectmember_owner
|
|
os_compute_api:os-volumes-attachments:delete: rule:admin_or_projectmember_owner
|
|
os_compute_api:os-volumes-attachments:update: rule:admin_or_projectadmin_required
|
|
os_compute_api:server-metadata:create: rule:admin_or_projectadmin_owner
|
|
os_compute_api:server-metadata:delete: rule:admin_or_projectadmin_owner
|
|
os_compute_api:server-metadata:update: rule:admin_or_projectadmin_owner
|
|
os_compute_api:server-metadata:update_all: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:confirm_resize: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:create: rule:admin_or_projectmember_owner
|
|
os_compute_api:servers:create_image: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:delete: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:detail: rule:admin_or_projectreadonly_required
|
|
os_compute_api:servers:index: rule:admin_or_projectreadonly_required
|
|
os_compute_api:servers:reboot: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:rebuild: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:resize: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:revert_resize: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:show: rule:admin_or_projectreadonly_required
|
|
os_compute_api:servers:start: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:stop: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:trigger_crash_dump: rule:admin_or_projectadmin_owner
|
|
os_compute_api:servers:update: rule:admin_or_projectadmin_owner
|
|
owner: project_id:%(project_id)s
|
|
projectadmin_and_owner: rule:projectadmin_required and rule:owner
|
|
projectadmin_required: role:project_admin
|
|
projectmember_and_owner: rule:projectmember_required and rule:owner
|
|
projectmember_required: role:project_admin or role:member
|
|
projectreadonly_required: role:project_admin or role:member or role:project_readonly
|
|
|