Re: [openstack-dev] [cross-project] Admin

[Adam Young]

On 10/24/2015 12:46 AM, Clint Byrum wrote:

Can I ask one thing though, can we use a domain name + project_name_
and not the ID?

I think we can do that.  The submitted patch for the overall spec is here:

https://review.openstack.org/#/c/205629/

and the change for Keystone is here:

https://review.openstack.org/#/c/240719/

Both of these are WIP.  Please post your changed request on the review.

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] Admin

[Clint Byrum]

Excerpts from Adam Young's message of 2015-10-19 22:53:14 +0900:
> While I tend to play up  bug 968696 for dramatic effect, the reality is 
> we have a logical contradiction on what we mean by 'admin' when talking 
> about RBAC.
> 
> In early iterations of OpenStack, roles were global.  This is reflected 
> in many of the Policy checks that only look for the global role.  
> However, prior to the Keystone-Light rewrite, role assignments became 
> scoped to tenants.  This shows up in the Keystone git history.  As this 
> pattern got established, some people wrote policy checks that assert:
> 
>   role==admin and tenant_id=resource.tenant_id
> 
> This contradicts the global-ness of the admin roles.  If I assign
> ('joeuser', 'admin','mytenant') I've just granted them the ability to 
> perform all of the admin operations.
> 
> Thus, today we have a situation where, unless the user rewrites the 
> default policy, they have to only assign the role  admins to users that 
> are trusted to be admins on the whole deployment.
> 
> We have a few choices.
> 
> 1.  Remove Admin from the scoping for projects. Admin is a special role 
> reserved only for system admins.  Replace project scoped admins with 
> 'manager' or some other comparable role.  This is actually the easiest 
> solution.
> 
> 2.  Create a special project for administrative actions.  Cloud admin 
> users are assigned to this project. Communicate that project Id to the 
> remote systems.  This is what the policy.v3cloudsample.json file 
> (http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json)
>  
> recommends.
> 
> However, 2 is really not practical without some significant 
> engineering.  For a new deployment, it would require the following steps.
> 1) Every single policy file would have to be "templatized"
> 2) Then deployment mechanism would have to create the admin project, get 
> the id for it, and string replace it in the policy file.

I'm glad we're hashing the details of this out, because I've always
found policy file maintenance daunting because of the weird juxtaposition
between careful role assignment, and the user-0 super user access that
'admin' grants.

Can I ask one thing though, can we use a domain name + project _name_
and not the ID?

Using ids in config files means that you cannot configure a service
until after Keystone has been initialized and loaded with data. Of
course this is totally doable, but it puts a huge burden on the config
layer.

However, using logical names means that the physical, random ID that gets
assigned is irrelevant to the configuration step, and thus one can have
a much easier to understand configuration process with static options.

My understanding is that domain+project is a unique ID in Keystone, so
is there any reason not to use that?

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] Admin

[William M Edmonds]

Adam Young  wrote on 10/22/2015 10:31:12 AM:
> On 10/22/2015 05:16 AM, William M Edmonds wrote:
> Adam Young  wrote on 10/19/2015 09:53:14 AM:
> > While I tend to play up  bug 968696 for dramatic effect, the reality is

> > we have a logical contradiction on what we mean by 'admin' when talking

> > about RBAC.
> >
> > In early iterations of OpenStack, roles were global.  This is reflected

> > in many of the Policy checks that only look for the global role.
> > However, prior to the Keystone-Light rewrite, role assignments became
> > scoped to tenants.  This shows up in the Keystone git history.  As this

> > pattern got established, some people wrote policy checks that assert:
> >
> >       role==admin and tenant_id=resource.tenant_id
> >
> > This contradicts the global-ness of the admin roles.  If I assign
> > ('joeuser', 'admin','mytenant') I've just granted them the ability to
> > perform all of the admin operations.
> >
> > Thus, today we have a situation where, unless the user rewrites the
> > default policy, they have to only assign the role  admins to users that

> > are trusted to be admins on the whole deployment.
> >
>
> This all appears to be based on a misassumptions that a) checking
> the project id should be done in policy.json files and b) if it's
> not being checked in the policy file then it's not being checked.
> Neither of those is the case. Many APIs check project id in the
> code, which is where it should be checked. Tokens are scoped to
> projects, thus any use of those tokens should necessarily be scoped
> to the project... otherwise you're not obeying the token scoping.
> The few places that are not already enforcing that in their code
> need to be fixed to start enforcing that. It doesn't make sense to
> do that in policy files, since this is a hard and fast rule, not
> something someone needs to be able to change in policy, or should be
> able to change. Nor would it be practical to put this in policy
> files when you realize that this logic applies to all roles, not just
admin.
>
> I agree that project_id check is better performed in code.  That is
> not the issue here.
>
> Checking Project ID needs to be done, policy file or code does not
> matter.  The problem is more fundamental.
>
> 0. All access is done with Keystone tokens.
> 1. Admin is a role assigned on a project. Always.
> 2. Some APIs have no project with which to check the Scope.

if the URI of the API doesn't include the project, then the code should
limit the request to the scope of the token. No need to check that the
scope of the token matches the scope of the API because scope wasn't
indicated on the API, i.e. scope is implicit based on the token.

> 3. We do not, today, have a means to communicate the scope for an
> admin project.

I don't know what you mean here. "Scope for an admin project"? The scope of
a project is the things that are in that project. And admin is a role that
can exist on any project per #1, i.e., there is no "admin project". We may
need to create the concept of an admin project for keystone in order to
address 968696, but that would be a keystone concept and irrelevant to
nova, cinder, etc.

-matthew
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] Admin

[Adam Young]

On 10/22/2015 05:16 AM, William M Edmonds wrote:


Adam Young  wrote on 10/19/2015 09:53:14 AM:
> While I tend to play up  bug 968696 for dramatic effect, the reality is
> we have a logical contradiction on what we mean by 'admin' when talking
> about RBAC.
>
> In early iterations of OpenStack, roles were global.  This is reflected
> in many of the Policy checks that only look for the global role.
> However, prior to the Keystone-Light rewrite, role assignments became
> scoped to tenants.  This shows up in the Keystone git history.  As this
> pattern got established, some people wrote policy checks that assert:
>
>   role==admin and tenant_id=resource.tenant_id
>
> This contradicts the global-ness of the admin roles.  If I assign
> ('joeuser', 'admin','mytenant') I've just granted them the ability to
> perform all of the admin operations.
>
> Thus, today we have a situation where, unless the user rewrites the
> default policy, they have to only assign the role  admins to users that
> are trusted to be admins on the whole deployment.
>

This all appears to be based on a misassumptions that a) checking the 
project id should be done in policy.json files and b) if it's not 
being checked in the policy file then it's not being checked. Neither 
of those is the case. Many APIs check project id in the code, which is 
where it should be checked. Tokens are scoped to projects, thus any 
use of those tokens should necessarily be scoped to the project... 
otherwise you're not obeying the token scoping. The few places that 
are not already enforcing that in their code need to be fixed to start 
enforcing that. It doesn't make sense to do that in policy files, 
since this is a hard and fast rule, not something someone needs to be 
able to change in policy, or should be able to change. Nor would it be 
practical to put this in policy files when you realize that this logic 
applies to all roles, not just admin.




I agree that project_id check is better performed in code.  That is not 
the issue here.


Checking Project ID needs to be done, policy file or code does not 
matter.  The problem is more fundamental.


0. All access is done with Keystone tokens.
1. Admin is a role assigned on a project. Always.
2. Some APIs have no project with which to check the Scope.
3. We do not, today, have a means to communicate the scope for an admin 
project.









-Matthew



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] Admin

[William M Edmonds]

Adam Young  wrote on 10/19/2015 09:53:14 AM:
> While I tend to play up  bug 968696 for dramatic effect, the reality is
> we have a logical contradiction on what we mean by 'admin' when talking
> about RBAC.
>
> In early iterations of OpenStack, roles were global.  This is reflected
> in many of the Policy checks that only look for the global role.
> However, prior to the Keystone-Light rewrite, role assignments became
> scoped to tenants.  This shows up in the Keystone git history.  As this
> pattern got established, some people wrote policy checks that assert:
>
>   role==admin and tenant_id=resource.tenant_id
>
> This contradicts the global-ness of the admin roles.  If I assign
> ('joeuser', 'admin','mytenant') I've just granted them the ability to
> perform all of the admin operations.
>
> Thus, today we have a situation where, unless the user rewrites the
> default policy, they have to only assign the role  admins to users that
> are trusted to be admins on the whole deployment.
>

This all appears to be based on a misassumptions that a) checking the
project id should be done in policy.json files and b) if it's not being
checked in the policy file then it's not being checked. Neither of those is
the case. Many APIs check project id in the code, which is where it should
be checked. Tokens are scoped to projects, thus any use of those tokens
should necessarily be scoped to the project... otherwise you're not obeying
the token scoping. The few places that are not already enforcing that in
their code need to be fixed to start enforcing that. It doesn't make sense
to do that in policy files, since this is a hard and fast rule, not
something someone needs to be able to change in policy, or should be able
to change. Nor would it be practical to put this in policy files when you
realize that this logic applies to all roles, not just admin.

-Matthew
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] Admin

[Adam Young]

On 10/19/2015 12:50 PM, Fox, Kevin M wrote:
Maybe I misunderstood then. I was thinking you were proposing endpoint 
scoped tokens. But heat calls out to other endpoints itself, so if a 
token is scoped to heat, it can't relay it further.



Right...not proposing that.  This is specifically for operations on the 
Services themselves, or for operations that are not cleanly scoped to an 
existing project.  I *think* it just makes explicit what people have 
been doing implicitly.  Trying not to break things too badly.


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] Admin

[Fox, Kevin M]

Maybe I misunderstood then. I was thinking you were proposing endpoint scoped 
tokens. But heat calls out to other endpoints itself, so if a token is scoped 
to heat, it can't relay it further.

Thanks,
Kevin

From: Adam Young [ayo...@redhat.com]
Sent: Monday, October 19, 2015 9:00 AM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [cross-project] Admin

On 10/19/2015 11:53 AM, Fox, Kevin M wrote:

+1.

I think there may be a slight issue with this and Heat, or any other service 
depending on Heat though. It would have to be very carefully through through, 
since Heat acts on behalf of the user as the User him/herself would, so scoping 
may need to interact differently there, then say Nova. Maybe a flag in the 
service catalog saying if the service can be scoped or not?

I think there is a subtlety there you are not making clear.  Why would Heat, or 
any other service not be scoped?  The only rule I am seeing in Heat's policy 
would be

"service:index": "rule:context_is_admin",

 http://git.openstack.org/cgit/openstack/heat/tree/etc/heat/policy.json


But that certainly suffers from the admin-ess problem.  There is certainly 
something strange with the deny rules;  it is trivial to bypass this role with 
a trust.  Somethin needs a second look there anyway.



Thanks,
Kevin

From: Adam Young [ayo...@redhat.com<mailto:ayo...@redhat.com>]
Sent: Monday, October 19, 2015 6:53 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] [cross-project] Admin

While I tend to play up  bug 968696 for dramatic effect, the reality is
we have a logical contradiction on what we mean by 'admin' when talking
about RBAC.

In early iterations of OpenStack, roles were global.  This is reflected
in many of the Policy checks that only look for the global role.
However, prior to the Keystone-Light rewrite, role assignments became
scoped to tenants.  This shows up in the Keystone git history.  As this
pattern got established, some people wrote policy checks that assert:

  role==admin and tenant_id=resource.tenant_id

This contradicts the global-ness of the admin roles.  If I assign
('joeuser', 'admin','mytenant') I've just granted them the ability to
perform all of the admin operations.

Thus, today we have a situation where, unless the user rewrites the
default policy, they have to only assign the role  admins to users that
are trusted to be admins on the whole deployment.

We have a few choices.

1.  Remove Admin from the scoping for projects. Admin is a special role
reserved only for system admins.  Replace project scoped admins with
'manager' or some other comparable role.  This is actually the easiest
solution.

2.  Create a special project for administrative actions.  Cloud admin
users are assigned to this project. Communicate that project Id to the
remote systems.  This is what the policy.v3cloudsample.json file
(http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json)
recommends.

However, 2 is really not practical without some significant
engineering.  For a new deployment, it would require the following steps.
1) Every single policy file would have to be "templatized"
2) Then deployment mechanism would have to create the admin project, get
the id for it, and string replace it in the policy file.

We could make this happen in Devstack.  The same is true of Puppet,
OSAD, and Fuel.  There would be a lag and the downstream mechanisms
would eventually pick it up, multiple releases down the road.
I went through this logic back when I started proposing the Dynamic
Policy approach.  If OpenStack managed policy deployment via an
inte4rnal mechanism, then adding things like the admin_project_id
becomes trivial.


While I think Dynamic Policy provides a lot of value, I concede that it
is overkill for just substituting in a single value.  The real reason I
am backing off Dynamic Policy for the moment is that we need to better
understand what part of policy should be dynamic and what part should be
static;  we are just getting that clean now.


There is an additional dimension to the admin_project_id issue that
several developers want solved.  In larger deployments, different users
should have administrative capabilities on different endpoints.
Sometimes this is segregated by service (storage admins vs network
admins) and sometimes by region.

Having a special project clearly communicates the intention of RBAC.
But even clearer would be to have the role assignment explicitly on the
catalog item itself.  Which of the following statements would you think
is clearer?


1) Assign Joe the admin role on the project designated to administer
endpoint 0816.
2) 1) Assign Joe the admin role on endpoint 0816.

I think you will agree that it is the latter.  Making this happen would
not be too difficult on the Ke

Re: [openstack-dev] [cross-project] Admin

[Adam Young]

On 10/19/2015 12:39 PM, Neil Jerram wrote:

On 19/10/15 14:57, Adam Young wrote:

While I tend to play up  bug 968696 for dramatic effect, the reality is
we have a logical contradiction on what we mean by 'admin' when talking
about RBAC.

In early iterations of OpenStack, roles were global.  This is reflected
in many of the Policy checks that only look for the global role.
However, prior to the Keystone-Light rewrite, role assignments became
scoped to tenants.  This shows up in the Keystone git history.  As this
pattern got established, some people wrote policy checks that assert:

   role==admin and tenant_id=resource.tenant_id

This contradicts the global-ness of the admin roles.  If I assign
('joeuser', 'admin','mytenant') I've just granted them the ability to
perform all of the admin operations.

I'm afraid I'm not sure I follow.  Do you mean all of the admin
operations on resources that are protected only by 'role==admin' ?

Yes, exactly. For example, Nova has such a call with "Hypervisors"

http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n159

An there is no clear project that this call can be scoped to.

Contrast this with update-quota which should be scoped to a project.

http://git.openstack.org/cgit/openstack/nova/tree/etc/nova/policy.json#n175




 Neil


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] Admin

[Neil Jerram]

On 19/10/15 14:57, Adam Young wrote:
> While I tend to play up  bug 968696 for dramatic effect, the reality is 
> we have a logical contradiction on what we mean by 'admin' when talking 
> about RBAC.
>
> In early iterations of OpenStack, roles were global.  This is reflected 
> in many of the Policy checks that only look for the global role.  
> However, prior to the Keystone-Light rewrite, role assignments became 
> scoped to tenants.  This shows up in the Keystone git history.  As this 
> pattern got established, some people wrote policy checks that assert:
>
>   role==admin and tenant_id=resource.tenant_id
>
> This contradicts the global-ness of the admin roles.  If I assign
> ('joeuser', 'admin','mytenant') I've just granted them the ability to 
> perform all of the admin operations.

I'm afraid I'm not sure I follow.  Do you mean all of the admin
operations on resources that are protected only by 'role==admin' ?

Neil


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] Admin

[Adam Young]

On 10/19/2015 11:53 AM, Fox, Kevin M wrote:

+1.

I think there may be a slight issue with this and Heat, or any other service 
depending on Heat though. It would have to be very carefully through through, 
since Heat acts on behalf of the user as the User him/herself would, so scoping 
may need to interact differently there, then say Nova. Maybe a flag in the 
service catalog saying if the service can be scoped or not?


I think there is a subtlety there you are not making clear.  Why would 
Heat, or any other service not be scoped?  The only rule I am seeing in 
Heat's policy would be


|"service:index": "rule:context_is_admin", 
||http://git.openstack.org/cgit/openstack/heat/tree/etc/heat/policy.json |

But that certainly suffers from the admin-ess problem.  There is 
certainly something strange with the deny rules;  it is trivial to 
bypass this role with a trust.  Somethin needs a second look there anyway.





Thanks,
Kevin

From: Adam Young [ayo...@redhat.com]
Sent: Monday, October 19, 2015 6:53 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] [cross-project] Admin

While I tend to play up  bug 968696 for dramatic effect, the reality is
we have a logical contradiction on what we mean by 'admin' when talking
about RBAC.

In early iterations of OpenStack, roles were global.  This is reflected
in many of the Policy checks that only look for the global role.
However, prior to the Keystone-Light rewrite, role assignments became
scoped to tenants.  This shows up in the Keystone git history.  As this
pattern got established, some people wrote policy checks that assert:

   role==admin and tenant_id=resource.tenant_id

This contradicts the global-ness of the admin roles.  If I assign
('joeuser', 'admin','mytenant') I've just granted them the ability to
perform all of the admin operations.

Thus, today we have a situation where, unless the user rewrites the
default policy, they have to only assign the role  admins to users that
are trusted to be admins on the whole deployment.

We have a few choices.

1.  Remove Admin from the scoping for projects. Admin is a special role
reserved only for system admins.  Replace project scoped admins with
'manager' or some other comparable role.  This is actually the easiest
solution.

2.  Create a special project for administrative actions.  Cloud admin
users are assigned to this project. Communicate that project Id to the
remote systems.  This is what the policy.v3cloudsample.json file
(http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json)
recommends.

However, 2 is really not practical without some significant
engineering.  For a new deployment, it would require the following steps.
1) Every single policy file would have to be "templatized"
2) Then deployment mechanism would have to create the admin project, get
the id for it, and string replace it in the policy file.

We could make this happen in Devstack.  The same is true of Puppet,
OSAD, and Fuel.  There would be a lag and the downstream mechanisms
would eventually pick it up, multiple releases down the road.
I went through this logic back when I started proposing the Dynamic
Policy approach.  If OpenStack managed policy deployment via an
inte4rnal mechanism, then adding things like the admin_project_id
becomes trivial.


While I think Dynamic Policy provides a lot of value, I concede that it
is overkill for just substituting in a single value.  The real reason I
am backing off Dynamic Policy for the moment is that we need to better
understand what part of policy should be dynamic and what part should be
static;  we are just getting that clean now.


There is an additional dimension to the admin_project_id issue that
several developers want solved.  In larger deployments, different users
should have administrative capabilities on different endpoints.
Sometimes this is segregated by service (storage admins vs network
admins) and sometimes by region.

Having a special project clearly communicates the intention of RBAC.
But even clearer would be to have the role assignment explicitly on the
catalog item itself.  Which of the following statements would you think
is clearer?


1) Assign Joe the admin role on the project designated to administer
endpoint 0816.
2) 1) Assign Joe the admin role on endpoint 0816.

I think you will agree that it is the latter.  Making this happen would
not be too difficult on the Keystone side, and would require fairly
simple changes on the policy enforcement of the remote projects.  We've
already discussed "endpoint binding of tokens" where an endpoint needs
to know its own ID.  Having a new "scope" in a token that is endpoint_id
would be fairly easy to execute.


One project, though, it that all of the client tooling would need to
change.  Horizon, openstackclient, and keystoneauth wo

Re: [openstack-dev] [cross-project] Admin

[Fox, Kevin M]

+1.

I think there may be a slight issue with this and Heat, or any other service 
depending on Heat though. It would have to be very carefully through through, 
since Heat acts on behalf of the user as the User him/herself would, so scoping 
may need to interact differently there, then say Nova. Maybe a flag in the 
service catalog saying if the service can be scoped or not?

Thanks,
Kevin

From: Adam Young [ayo...@redhat.com]
Sent: Monday, October 19, 2015 6:53 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] [cross-project] Admin

While I tend to play up  bug 968696 for dramatic effect, the reality is
we have a logical contradiction on what we mean by 'admin' when talking
about RBAC.

In early iterations of OpenStack, roles were global.  This is reflected
in many of the Policy checks that only look for the global role.
However, prior to the Keystone-Light rewrite, role assignments became
scoped to tenants.  This shows up in the Keystone git history.  As this
pattern got established, some people wrote policy checks that assert:

  role==admin and tenant_id=resource.tenant_id

This contradicts the global-ness of the admin roles.  If I assign
('joeuser', 'admin','mytenant') I've just granted them the ability to
perform all of the admin operations.

Thus, today we have a situation where, unless the user rewrites the
default policy, they have to only assign the role  admins to users that
are trusted to be admins on the whole deployment.

We have a few choices.

1.  Remove Admin from the scoping for projects. Admin is a special role
reserved only for system admins.  Replace project scoped admins with
'manager' or some other comparable role.  This is actually the easiest
solution.

2.  Create a special project for administrative actions.  Cloud admin
users are assigned to this project. Communicate that project Id to the
remote systems.  This is what the policy.v3cloudsample.json file
(http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json)
recommends.

However, 2 is really not practical without some significant
engineering.  For a new deployment, it would require the following steps.
1) Every single policy file would have to be "templatized"
2) Then deployment mechanism would have to create the admin project, get
the id for it, and string replace it in the policy file.

We could make this happen in Devstack.  The same is true of Puppet,
OSAD, and Fuel.  There would be a lag and the downstream mechanisms
would eventually pick it up, multiple releases down the road.
I went through this logic back when I started proposing the Dynamic
Policy approach.  If OpenStack managed policy deployment via an
inte4rnal mechanism, then adding things like the admin_project_id
becomes trivial.


While I think Dynamic Policy provides a lot of value, I concede that it
is overkill for just substituting in a single value.  The real reason I
am backing off Dynamic Policy for the moment is that we need to better
understand what part of policy should be dynamic and what part should be
static;  we are just getting that clean now.


There is an additional dimension to the admin_project_id issue that
several developers want solved.  In larger deployments, different users
should have administrative capabilities on different endpoints.
Sometimes this is segregated by service (storage admins vs network
admins) and sometimes by region.

Having a special project clearly communicates the intention of RBAC.
But even clearer would be to have the role assignment explicitly on the
catalog item itself.  Which of the following statements would you think
is clearer?


1) Assign Joe the admin role on the project designated to administer
endpoint 0816.
2) 1) Assign Joe the admin role on endpoint 0816.

I think you will agree that it is the latter.  Making this happen would
not be too difficult on the Keystone side, and would require fairly
simple changes on the policy enforcement of the remote projects.  We've
already discussed "endpoint binding of tokens" where an endpoint needs
to know its own ID.  Having a new "scope" in a token that is endpoint_id
would be fairly easy to execute.


One project, though, it that all of the client tooling would need to
change.  Horizon, openstackclient, and keystoneauth would need to handle
"endpoint" as the scope.  This includes third party integrations, which
we do not control.


All of these constraints drive toward a solution where we link the admin
project to the existing endpoint ids.

Make the catalog a separate domain.
Make regions, services, and endpoints projects
Use the rules of Hierarchical Multitenancy to manage the role
assignments for a project.

On the enforcing side, endpoints *must* know their own ID.  They would
have checks that assert token.project_id = self.endpoint_id.

This is the "least magic" app

[openstack-dev] [cross-project] Admin

[Adam Young]

While I tend to play up  bug 968696 for dramatic effect, the reality is 
we have a logical contradiction on what we mean by 'admin' when talking 
about RBAC.


In early iterations of OpenStack, roles were global.  This is reflected 
in many of the Policy checks that only look for the global role.  
However, prior to the Keystone-Light rewrite, role assignments became 
scoped to tenants.  This shows up in the Keystone git history.  As this 
pattern got established, some people wrote policy checks that assert:


 role==admin and tenant_id=resource.tenant_id

This contradicts the global-ness of the admin roles.  If I assign
('joeuser', 'admin','mytenant') I've just granted them the ability to 
perform all of the admin operations.


Thus, today we have a situation where, unless the user rewrites the 
default policy, they have to only assign the role  admins to users that 
are trusted to be admins on the whole deployment.


We have a few choices.

1.  Remove Admin from the scoping for projects. Admin is a special role 
reserved only for system admins.  Replace project scoped admins with 
'manager' or some other comparable role.  This is actually the easiest 
solution.


2.  Create a special project for administrative actions.  Cloud admin 
users are assigned to this project. Communicate that project Id to the 
remote systems.  This is what the policy.v3cloudsample.json file 
(http://git.openstack.org/cgit/openstack/keystone/tree/etc/policy.v3cloudsample.json) 
recommends.


However, 2 is really not practical without some significant 
engineering.  For a new deployment, it would require the following steps.

1) Every single policy file would have to be "templatized"
2) Then deployment mechanism would have to create the admin project, get 
the id for it, and string replace it in the policy file.


We could make this happen in Devstack.  The same is true of Puppet, 
OSAD, and Fuel.  There would be a lag and the downstream mechanisms 
would eventually pick it up, multiple releases down the road.
I went through this logic back when I started proposing the Dynamic 
Policy approach.  If OpenStack managed policy deployment via an 
inte4rnal mechanism, then adding things like the admin_project_id 
becomes trivial.



While I think Dynamic Policy provides a lot of value, I concede that it 
is overkill for just substituting in a single value.  The real reason I 
am backing off Dynamic Policy for the moment is that we need to better 
understand what part of policy should be dynamic and what part should be 
static;  we are just getting that clean now.



There is an additional dimension to the admin_project_id issue that 
several developers want solved.  In larger deployments, different users 
should have administrative capabilities on different endpoints.  
Sometimes this is segregated by service (storage admins vs network 
admins) and sometimes by region.


Having a special project clearly communicates the intention of RBAC.  
But even clearer would be to have the role assignment explicitly on the 
catalog item itself.  Which of the following statements would you think 
is clearer?



1) Assign Joe the admin role on the project designated to administer 
endpoint 0816.

2) 1) Assign Joe the admin role on endpoint 0816.

I think you will agree that it is the latter.  Making this happen would 
not be too difficult on the Keystone side, and would require fairly 
simple changes on the policy enforcement of the remote projects.  We've 
already discussed "endpoint binding of tokens" where an endpoint needs 
to know its own ID.  Having a new "scope" in a token that is endpoint_id 
would be fairly easy to execute.



One project, though, it that all of the client tooling would need to 
change.  Horizon, openstackclient, and keystoneauth would need to handle 
"endpoint" as the scope.  This includes third party integrations, which 
we do not control.



All of these constraints drive toward a solution where we link the admin 
project to the existing endpoint ids.


Make the catalog a separate domain.
Make regions, services, and endpoints projects
Use the rules of Hierarchical Multitenancy to manage the role 
assignments for a project.


On the enforcing side, endpoints *must* know their own ID.  They would 
have checks that assert token.project_id = self.endpoint_id.


This is the "least magic" approach.  It reuses existing abstractions 
without radically altering them.  The chance of a collision between an 
existing project_id and and endpoint_id is vanishingly small\, and could 
be addressed by modifying one or the other accordingly. The biggest 
effort would be in updating  the policy files, but this seems to be 
within the capability of  cross project efforts.



We will be discussing this at the Cross Project session at the summit  
on Global Admin


https://mitakadesignsummit.sched.org/event/51c8f2ea29aa0b63f85e424b0acf9741

Please read this, process it, and be ready to help come to a proper 
conclusion of this bug.



Ref

Re: [openstack-dev] [cross-project] "Admin" ness not properly scoped

[Adam Young]

On 07/24/2015 05:10 AM, Thierry Carrez wrote:

Adam Young wrote:

[...]
There should be no  "Global Admin Tokens."  They are a security risk,
and violate the principal of Least Privilege.
https://en.wikipedia.org/wiki/Principle_of_least_privilege.

Thanks for taking on this long-standing issue.

Should we have some cross-project spec to scope the work needed in the
various projects and track overall acceptance of the plan ?


Yes, the is appropriate:

https://review.openstack.org/#/c/205629/







__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] "Admin" ness not properly scoped

[Thierry Carrez]

Adam Young wrote:
> [...]
> There should be no  "Global Admin Tokens."  They are a security risk,
> and violate the principal of Least Privilege.
> https://en.wikipedia.org/wiki/Principle_of_least_privilege.

Thanks for taking on this long-standing issue.

Should we have some cross-project spec to scope the work needed in the
various projects and track overall acceptance of the plan ?

-- 
Thierry Carrez (ttx)

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] "Admin" ness not properly scoped

[Adam Young]

On 07/23/2015 01:11 PM, melanie witt wrote:

On Jul 23, 2015, at 7:35, Adam Young  wrote:


What this means is the if a user is assigned "admin" on any project, they are 
assigned admin for everything.

Fixing this is going to require a change to how we write policy.

Each policy rule needs to have two parts:

1.  Match the scoped of the token (project for everything that is not Keystone, 
project or domain for Keystone).

2.  Match the role.

Thanks for bringing this up. If I understand correctly, you're saying we can 
fix this by modifying policy.json alone, right? There aren't any code changes 
required?
Unless you need to fetch an object out of the database in order to get 
its project id, and you are not currently doing that, policy enforcement 
as currently implemented should be OK.



On the quota API,  we might acutally need to rethink this;  the role 
that  user gets that allows them to set quota should not be on the 
project itself, but on the containing project.  That information might 
not yet be made available.



What makes quota's different than other things like this is that a quota 
is not something managed *by* the project but instead something external 
managed *on* the project.




So far, for me it has worked fine for "admin" role to grant "admin" everywhere for the 
system administrators (no one else has "admin" role). But with the prospect of nested quota in 
nova, I think we would have a new rule for quota update that is, for example:

"quota_admin_rule": "role:quota_admin and project_id:%(project_id)s"
"admin_or_quota_admin": "role:admin or rule:quota_admin_rule"


 ordinarily the rule should be something like

"quota_admin_rule": "(role:quota_admin or role.admin) and 
project_id:%(project_id)s"




But that means that the user would have the quota_admin on the project 
itself.  That is improperly scoped;  if I am an admin on that project, I 
should not be able to set quota on that project. The rule should be:



"quota_admin_rule": " parent.project_id:%(project_id)s and (role:admin or 
role:quota_admin)",


I would prefer:


quota_admin_role: "(role:admin or role:quota_admin)"
quota_scope: " parent.project_id:%(project_id)s"

 
"compute_extension:quotas:update": "rule:quota_scope and rule:quota_admin_role",


Knowing that a deployer should be able to update the role portion, but not the 
scope





"compute_extension:quotas:update": "rule:admin_or_quota_admin",
"compute_extension:quotas:delete": "rule:admin_or_quota_admin",
"os_compute_api:os-quota-sets:update": "rule:admin_or_quota_admin",
"os_compute_api:os-quota-sets:delete": "rule:admin_or_quota_admin",
"os_compute_api:os-quota-sets:detail": "rule:admin_or_quota_admin",

if I want system administrators and designated quota administrators of a project to be 
able to update quota. In keystone the quota admins will have the role 
"quota_admin" only in their projects.

Is that an example of the right way to scope "admin" in your view?

-melanie (irc: melwitt)







__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [cross-project] "Admin" ness not properly scoped

[melanie witt]

On Jul 23, 2015, at 7:35, Adam Young  wrote:

> What this means is the if a user is assigned "admin" on any project, they are 
> assigned admin for everything.
> 
> Fixing this is going to require a change to how we write policy.
> 
> Each policy rule needs to have two parts:
> 
> 1.  Match the scoped of the token (project for everything that is not 
> Keystone, project or domain for Keystone).
> 
> 2.  Match the role.

Thanks for bringing this up. If I understand correctly, you're saying we can 
fix this by modifying policy.json alone, right? There aren't any code changes 
required?

So far, for me it has worked fine for "admin" role to grant "admin" everywhere 
for the system administrators (no one else has "admin" role). But with the 
prospect of nested quota in nova, I think we would have a new rule for quota 
update that is, for example:

"quota_admin_rule": "role:quota_admin and project_id:%(project_id)s"
"admin_or_quota_admin": "role:admin or rule:quota_admin_rule"

"compute_extension:quotas:update": "rule:admin_or_quota_admin",
"compute_extension:quotas:delete": "rule:admin_or_quota_admin",
"os_compute_api:os-quota-sets:update": "rule:admin_or_quota_admin",
"os_compute_api:os-quota-sets:delete": "rule:admin_or_quota_admin",
"os_compute_api:os-quota-sets:detail": "rule:admin_or_quota_admin",

if I want system administrators and designated quota administrators of a 
project to be able to update quota. In keystone the quota admins will have the 
role "quota_admin" only in their projects.

Is that an example of the right way to scope "admin" in your view?

-melanie (irc: melwitt)







signature.asc
Description: Message signed with OpenPGP using GPGMail
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [cross-project] "Admin" ness not properly scoped

[Adam Young]

I a user has an admin role anywhere, they have it everywhere.  This is 
bug https://bugs.launchpad.net/keystone/+bug/968696 and, in order to fix 
it we are going to have to adjust our thinking on policy checks.


Here is the theory:
A user is assigned a role on a project.  Policy uses the roles assigned 
in the token to see if the user has access to the object.


This breaks down in practice.  The policy checks either look for a role  
OR a project.


The role is almost always "Admin"

If that fails, then look to see if the user has a project assigned in 
the token.


What this means is the if a user is assigned "admin" on any project, 
they are assigned admin for everything.


Fixing this is going to require a change to how we write policy.

Each policy rule needs to have two parts:

1.  Match the scoped of the token (project for everything that is not 
Keystone, project or domain for Keystone).


2.  Match the role.

Only the second part should ever be changed on a deployment.  It is ok 
to take a rule that is normally executable by A Member and say that it 
is Admin only.  or, if you are so included, define new roles, like 
Manager, which can perform some operations different than Member or Admin.


The first part should not be modified.  It is an engineering decision to 
say "here is where we find the scope in this API.  How to find the Scope 
varies from call to call, and changing that part of the rule is likely 
to break the policy check.



There should be no  "Global Admin Tokens."  They are a security risk, 
and violate the principal of Least Privilege. 
https://en.wikipedia.org/wiki/Principle_of_least_privilege.





__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev