Add service role in Nova policy

RBAC community wide goal phase-2[1] is to add 'service'
role for the service APIs policy rule. This commit
defaults the service APIs to 'service' role. This way
service APIs will be allowed for service user only.

Tempest tests are also modified to simulate the service-to-service
communication. Tempest tests send the user with service
role to nova API.
- https://review.opendev.org/c/openstack/tempest/+/892639

Partial implement blueprint policy-service-role-default

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2

Change-Id: I1565ea163fa2c8212f71c9ba375654d2aab28330
Signed-off-by: Ghanshyam Maan <gmaan@ghanshyammann.com>
Ghanshyam Maan
2025-08-16 04:11:31 +00:00
parent a7e5377da4
commit f914cb185c
34 changed files with 308 additions and 183 deletions
@@ -0,0 +1,43 @@
---
features:
- |
A few of the Nova APIs are meant only for use by other Openstack services.
Those APIs are not supposed to be used by any non-service users (even
admins) because they can make deployment or resources in unwanted state.
To restrict the usage of those APIs by users, Nova now defaults those APIs
to a policy rule of the ``service`` role. This will make sure they are
allowed to be used by the OpenStack services only.
upgrade:
- |
Nova changed the default access for the service-to-service APIs which are
meant to be used by the OpenStack services only and not by any users.
The below service-to-service APIs access default to the ``service`` role:
* os_compute_api:os-assisted-volume-snapshots:create
* os_compute_api:os-assisted-volume-snapshots:delete
* os_compute_api:os-server-external-events:create
* os_compute_api:os-volumes-attachments:swap
Make sure the configured nova service user in other services has the
``service`` role otherwise communication from the other services to
Nova will fail. For example, user configured as ``username`` option in
``neutron.conf`` file under ``[nova]`` section has the ``service``
role.
If you are allowing these APIs to be accessed by admin or non-admin users
then it is highly recommended to remove that permission and make sure
those APIs are not accessible by any non-service users.
For backward compatibility, Nova continue allow ``admin`` role token to
access service APIs but in future release, ``admin`` access will be
removed.
deprecations:
- |
The below service-to-service APIs policy rule default value
``role:admin or role:service`` is deprecated and will be changed to
``role:service`` in future release:
* os_compute_api:os-assisted-volume-snapshots:create
* os_compute_api:os-assisted-volume-snapshots:delete
* os_compute_api:os-server-external-events:create
* os_compute_api:os-volumes-attachments:swap
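Review bot: the ``features`` section and the ``upgrade``/``deprecations`` sections of this release note contradict each other. The features paragraph says the listed APIs are now "allowed to be used by the OpenStack services only", but the upgrade note says Nova continues to accept an ``admin`` role token for backward compatibility and the deprecations section gives the actual new default as ``role:admin or role:service``. Reword the features paragraph to match, e.g. "Nova now defaults those APIs to ``role:admin or role:service``; the ``admin`` part is deprecated and will be removed in a future release." A few grammar fixes are also needed while touching it: "Openstack" -> "OpenStack", "can make deployment or resources in unwanted state" -> "can leave the deployment or its resources in an unwanted state", "Nova continue allow" -> "Nova continues to allow", and "in future release" -> "in a future release" (twice). Finally, the upgrade note's only concrete example is the ``[nova]`` section of ``neutron.conf``, yet two of the four listed rules are volume-related; it would help operators to state that every service whose service user calls Nova (not only networking) needs the ``service`` role, so the check is not read as neutron-specific.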