Oslo policy generation and testing framework.
This library provides policies for three services, the Block Storage, Compute and Network services (the unikorn_openstack_policy_blockstorage, unikorn_openstack_policy_compute and unikorn_openstack_policy_network namespaces). For each of them we need the following to be allowed (non-root):
- Management of quotas
For the Network service we additionally need:
- Provisioning of provider networks in managed projects
The problem with any service other than Keystone is that it has no view of the identity hierarchy. When you create a network, for example, Neutron infers the project from the token, and that is all it has: there is no way for it to infer the domain and grant access at that level.
Our only option is to take our domain admin manager role and apply that role to every project we create and manage.
Then, when we want to create a network, we need a token scoped to that project.
Finally, we need to allow the manager to create provider networks in the project.
You first need to create a non-admin role to perform all the necessary actions. Unikorn already requires the SCS domain admin functionality for reduced-privilege user/project creation, so we use the same role.
The SCS policies limit the roles that the manager can assign on projects, and are incompatible with how our services need to work, so you will want to update the following line of the SCS policy:
-"is_domain_managed_role": "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s"
+"is_domain_managed_role": "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s or 'manager':%(target.role.name)s"
You may also need to add a _member_ role if you are using an old version of OpenStack, as Neutron requires it to function.
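Review bot: adding 'manager' to is_domain_managed_role lets a domain manager grant the manager role itself, the same role that carries the SCS domain-admin privileges and, with these policies, the project-level quota and provider-network privileges, to any user the manager may assign roles to, so a domain manager can create further domain managers. That is what the role binding below needs, but it is a privilege-delegation change worth stating explicitly next to this line rather than leaving it implied by "incompatible with how our services need to work".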
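To make the scoping argument concrete, here is an added example that is neither this repository's code nor oslo.policy itself: it reimplements a small subset of the oslo.policy check-string grammar (role:, rule:, generic key:value checks with %(key)s substitution, and/or/not, parentheses) and evaluates the rules in question against sample tokens. It shows why a domain-scoped manager token is refused by a project-level rule while a project-scoped one is accepted, and why the SCS is_domain_managed_role rule must be widened before the manager role can be granted. The rule names follow Neutron's and SCS's conventions, but the rule set, identifiers and tokens below are constructed for illustration.

```python
"""Toy oslo.policy-style check evaluator (added example, not this project's code)."""
import ast
import re

# Tokens: parentheses, boolean keywords, or an atom. An atom may contain
# "%(key)s" substitutions, whose own parentheses must not be split off.
_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|(?:%\([^)]*\)|[^\s()])+")

# Assumed rule set, modelled on Neutron's and SCS's rule names (illustrative).
RULES = {
    "context_is_admin": "role:admin",
    # The design described above: the token must hold "manager" on the very
    # project the request targets, because a non-Keystone service sees no domain.
    "is_project_manager": "role:manager and project_id:%(project_id)s",
    "create_network:provider:physical_network":
        "rule:context_is_admin or rule:is_project_manager",
    "update_quota": "rule:context_is_admin or rule:is_project_manager",
    # SCS is_domain_managed_role before and after the change described above.
    "is_domain_managed_role_scs":
        "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s",
    "is_domain_managed_role_patched":
        "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s"
        " or 'manager':%(target.role.name)s",
}


def flatten(data, prefix=""):
    """Flatten nested dicts to dotted keys ("target.role.name"), as Keystone
    does with its enforcement target before handing it to oslo.policy."""
    flat = {}
    for key, value in data.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat


def parse(check_str):
    """Recursive-descent parser; precedence from lowest to highest: or, and, not."""
    tokens = _TOKEN_RE.findall(check_str)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of check string")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "and":
            take()
            node = ("and", node, parse_not())
        return node

    def parse_not():
        if peek() == "not":
            take()
            return ("not", parse_not())
        if peek() == "(":
            take()
            node = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in check string")
            return node
        kind, _, match = take().partition(":")
        return ("check", kind, match)

    tree = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in check string: {tokens[pos:]}")
    return tree


def evaluate(node, target, creds, rules=RULES):
    """Evaluate a parsed check against a flattened target and token credentials."""
    op = node[0]
    if op == "or":
        return evaluate(node[1], target, creds, rules) or evaluate(node[2], target, creds, rules)
    if op == "and":
        return evaluate(node[1], target, creds, rules) and evaluate(node[2], target, creds, rules)
    if op == "not":
        return not evaluate(node[1], target, creds, rules)
    _, kind, match = node
    if kind == "rule":  # RuleCheck: defer to another named rule
        return evaluate(parse(rules[match]), target, creds, rules)
    if kind == "role":  # RoleCheck: case-insensitive membership in the token's roles
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # GenericCheck: substitute %(key)s from the target, then compare with either a
    # quoted literal on the left ('member':...) or a token credential (project_id:...).
    try:
        expected = match % target
    except KeyError:  # the target lacks the key: oslo.policy treats this as a deny
        return False
    try:
        left = ast.literal_eval(kind)
    except (ValueError, SyntaxError):
        if kind not in creds:  # e.g. a domain-scoped token has no project_id
            return False
        left = creds[kind]
    return expected == str(left)


def enforce(rule, target, creds, rules=RULES):
    return evaluate(parse(rules[rule]), flatten(target), creds, rules)


def readme_scenario():
    """The walk-through above as rule decisions; all identifiers are constructed."""
    project = {"project_id": "managed-project-id"}
    domain_token = {"roles": ["manager"], "domain_id": "managed-domain-id"}
    project_token = {"roles": ["manager"], "project_id": "managed-project-id"}
    member_token = {"roles": ["member"], "project_id": "managed-project-id"}
    grant = {"target": {"role": {"name": "manager"}}}
    network = "create_network:provider:physical_network"
    return {
        "domain_scoped_manager_creates_network": enforce(network, project, domain_token),
        "project_scoped_manager_creates_network": enforce(network, project, project_token),
        "project_member_creates_network": enforce(network, project, member_token),
        "project_scoped_manager_updates_quota": enforce("update_quota", project, project_token),
        "scs_rule_lets_manager_grant_manager": enforce("is_domain_managed_role_scs", grant, domain_token),
        "patched_rule_lets_manager_grant_manager": enforce("is_domain_managed_role_patched", grant, domain_token),
    }
```

The two behaviours the text relies on fall out of the GenericCheck semantics: `project_id:%(project_id)s` can only match when the token carries a project_id, which a domain-scoped token does not, and `'manager':%(target.role.name)s` compares the requested role name against a literal, so the grant is refused until 'manager' is listed. Real oslo.policy behaves the same way for these constructs, but has a much larger grammar (http, scope types, deprecations) that this example deliberately omits.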
Install the policies we define in this library, through whatever mechanism your orchestration layer provides.
As an admin account:
openstack role create manager
Assuming a domain-manager user has then been created in a managed-domain domain with the manager role on that domain, authenticate as that user scoped to the managed domain, then create a managed project:
openstack project create --domain managed-domain managed-project
Then, to actually use the policies defined here, you need to bind the manager role to the project (note that the user and project are both qualified by their domain, since --domain and --project are mutually exclusive scope options for role add):
openstack role add --user domain-manager --user-domain managed-domain --project managed-project --project-domain managed-domain manager
Reauthenticate as the domain-manager scoped to the managed-project and try creating a provider network, which should succeed:
openstack network create --provider-network-type vlan --provider-physical-network physnet1 --provider-segment 666 my-provider-network
Note
This obviously requires VLAN provider network support by the platform. You may also verify everything works by performing some quota updates.
To set up a development environment:
python3 -m venv venv
source venv/bin/activate
pip3 install build pylint
Note
Running the following will install all the necessary dependencies. This also includes any commands required for the following sections.
python3 -m build
pip3 install --force-reinstall --no-deps dist/python_unikorn_openstack_policy-0.1.0-py3-none-any.whl
To generate the policy files for each service:
oslopolicy-policy-generator --namespace unikorn_openstack_policy_blockstorage
oslopolicy-policy-generator --namespace unikorn_openstack_policy_compute
oslopolicy-policy-generator --namespace unikorn_openstack_policy_network
You require 10/10 when running:
pylint unikorn_openstack_policy
You must test everything works and get a 100% pass rate when running:
python3 -m unittest discover