Page MenuHomePhabricator
Create Task
Maniphest T276018

Investigate new roles and policies in openstack Xena
Closed, ResolvedPublic
Actions

Description

In theory the new Keystone role model supports a model closer to the model that we've set up with custom policies. Let's see which of our customizations we can remove in favor of standard upstream models.

Details

SubjectRepoBranchLines +/-
OpenStack Keystone: Remove some unneeded policy rulesoperations/puppetproduction+0 -5
Keystone policy.yaml: apply changes from oslopolicy-policy-upgradeoperations/puppetproduction+2 -2
keystone policy.yaml: reformat yamloperations/puppetproduction+36 -36
cloud-vps rename 'observer' role to 'reader'operations/puppetproduction+2 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Andrew created this task.Mar 1 2021, 4:12 AM
Restricted Application added a project: cloud-services-team (Kanban). · View Herald TranscriptMar 1 2021, 4:12 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Andrew mentioned this in T274385: rework novaadmin and novaobserver project memberships.Mar 1 2021, 4:13 AM
Andrew added a subtask: T274385: rework novaadmin and novaobserver project memberships.
taavi subscribed.Mar 1 2021, 5:18 AM
Andrew closed subtask T274385: rework novaadmin and novaobserver project memberships as Resolved.Mar 3 2021, 10:25 PM
Andrew added a comment.Mar 5 2021, 8:23 PM

It looks like the reader/member/admin model is in Keystone Train but didn't make it to nova until Ussuri. So there are limited things we can do with this immediately.

I'm going to rename 'observer' to 'reader' so that we've taken at least one step in the right direction before the upgrade to U.

gerritbot added a comment.Mar 5 2021, 9:34 PM

Change 668789 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] cloud-vps rename 'observer' role to 'reader'

https://gerrit.wikimedia.org/r/668789

gerritbot added a project: Patch-For-Review.Mar 5 2021, 9:34 PM

Change 668789 merged by Andrew Bogott:
[operations/puppet@production] cloud-vps rename 'observer' role to 'reader'

https://gerrit.wikimedia.org/r/668789

Stashbot added a comment.Mar 5 2021, 9:40 PM

Mentioned in SAL (#wikimedia-cloud) [2021-03-05T21:40:49Z] <andrewbogott> replacing 'observer' role with 'reader' role in eqiad1 T276018

Andrew added a comment.Mar 5 2021, 9:45 PM

The next thing we can do to converge on Ussuri standards is to locate all the "" policies in our policy.yaml files that correspond to an upstream default of 'owner' or 'admin_or_owner'. The effect of a "" policy is to provide access to any project member which is ~ the same as what 'owner' means in the upstream defaults and what will become 'reader' access in future releases.

Maintenance_bot removed a project: Patch-For-Review.Mar 5 2021, 10:10 PM
Phamhi moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.Mar 9 2021, 5:21 PM
Andrew moved this task from Doing to Blocked on the cloud-services-team (Kanban) board.Mar 26 2021, 6:06 PM

I'm marking this as blocked so it can wait for future OpenStack upgrades. It will be a lot easier to simplify our policies when we have existing upstream policies in code to compare with.

Andrew triaged this task as Medium priority.Mar 26 2021, 6:06 PM
gerritbot added a comment.Mar 26 2021, 7:23 PM

Change 675204 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] keystone policy.yaml: reformat yaml

https://gerrit.wikimedia.org/r/675204

gerritbot added a project: Patch-For-Review.Mar 26 2021, 7:23 PM
gerritbot added a comment.Mar 26 2021, 7:30 PM

Change 675204 merged by Andrew Bogott:
[operations/puppet@production] keystone policy.yaml: reformat yaml

https://gerrit.wikimedia.org/r/675204

gerritbot added a comment.Mar 26 2021, 7:30 PM

Change 675205 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] Keystone policy.yaml: apply changes from oslopolicy-policy-upgrade

https://gerrit.wikimedia.org/r/675205

gerritbot added a comment.Mar 26 2021, 7:32 PM

Change 675205 merged by Andrew Bogott:
[operations/puppet@production] Keystone policy.yaml: apply changes from oslopolicy-policy-upgrade

https://gerrit.wikimedia.org/r/675205

Maintenance_bot removed a project: Patch-For-Review.Mar 26 2021, 8:10 PM
Andrew added a subtask: T279845: Openstack policy tests.Apr 12 2021, 9:49 PM
Andrew added a comment.Apr 13 2021, 7:11 PM

I just overheard people in the Horizon irc channel talking about future support for scoped roles, so we probably don't want to adopt them just yet.

gerritbot added a comment.Apr 19 2021, 2:50 PM

Change 681101 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[operations/puppet@production] OpenStack Keystone: Remove some unneeded policy rules

https://gerrit.wikimedia.org/r/681101

gerritbot added a project: Patch-For-Review.Apr 19 2021, 2:50 PM

Change 681101 merged by Andrew Bogott:

[operations/puppet@production] OpenStack Keystone: Remove some unneeded policy rules

https://gerrit.wikimedia.org/r/681101

Maintenance_bot removed a project: Patch-For-Review.Apr 19 2021, 3:10 PM
Andrew closed subtask T279845: Openstack policy tests as Resolved.May 20 2021, 2:33 PM
Andrew renamed this task from Investigate new roles and policies in openstack train to Investigate new roles and policies in openstack Xena.Aug 24 2021, 9:28 PM

Postponing this to Xena when hopefully the upstream will have settled down a bit

Andrew mentioned this in T323319: OpenStack deprecation hunt.Nov 17 2022, 9:51 PM
Andrew added a comment.Nov 28 2022, 5:53 PM

https://docs.openstack.org/nova/latest/configuration/policy-concepts.html

dcaro mentioned this in rCCKB58f23fb2528a: Add upgrade_openstack_node.py.Dec 14 2022, 3:33 PM
Andrew mentioned this in T325773: Cumin/Openstack: multi-project commands are extremely slow.Dec 21 2022, 8:49 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 7:22 PM
fnegri moved this task from Kanban to Blocked on the cloud-services-team board.
Andrew mentioned this in T328560: Cannot create magnum cluster template.Feb 9 2023, 10:20 PM
Andrew changed the status of subtask T330759: Modernize openstack rbac from Open to Stalled.Jul 27 2023, 4:11 PM
Aklapper removed Andrew as the assignee of this task.Nov 21 2023, 8:12 AM

@Andrew: Per emails from Sep18 and Oct20 and https://www.mediawiki.org/wiki/Bug_management/Assignee_cleanup , I am resetting the assignee of this task because there has not been progress lately (please correct me if I am wrong!). Resetting the assignee avoids the impression that somebody is already working on this task. It also allows others to potentially work towards fixing this task. Please claim this task again when you plan to work on it (via Add Action...Assign / Claim in the dropdown menu) - it would be welcome. Thanks for your understanding!

Andrew closed this task as Resolved.Nov 29 2023, 9:46 PM
Andrew claimed this task.

This is partially done, and partially blocked by upstream dithering. Either way, this task can be closed.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL