Oslo policy generation and testing framework.
We need the following to be allowed (non-root):
- Management of quotas
- Provisioning of provider networks in managed projects
The problem with any service other than Keystone is that it has no view of identity hierarchies. When you create a network, for example, the service infers the project from the token, and that is all it knows. There is no way for it to infer the domain and allow access at that level.
Our only option is to take our domain admin `manager` role and apply that role to every project we create and manage. Then, when we want to create a network, we need to create a token scoped to that project. Finally, we need to allow the `manager` role to create provider networks in the project.
You first need to create a non-admin role to perform all the necessary actions. Unikorn already requires the SCS domain admin functionality for reduced privilege user/project creation, so we use the same role.
The SCS policies limit the roles that the manager can apply to projects, and they are incompatible with how Unikorn needs to work, so you will want to update the following line:
-"is_domain_managed_role": "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s"
+"is_domain_managed_role": "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s or 'manager':%(target.role.name)s"
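Review bot: adding `'manager':%(target.role.name)s` to `is_domain_managed_role` means a user who already holds the domain `manager` role can hand that same role to any user on any project in the domain, so the role becomes self-propagating within the domain rather than something only an admin grants; that is the effect this README relies on (the `manager` role is bound to `domain-manager` on every managed project), but it is a wider grant than the SCS default and deserves a sentence saying so, along with the name of the Keystone policy file the line lives in, which the snippet does not state.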
You may also need to add a `_member_` role if you are using an old version of OpenStack, as Neutron requires it in order to function.
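To make the scoping argument and the role-assignment rule change above concrete, here is an added example that is neither this project's code nor oslo.policy itself: a small evaluator for the subset of the oslo.policy rule language these policies use (`role:`, `rule:`, `key:%(target)s` comparisons, quoted literals, `and`/`or`/`not`, parentheses). The rule strings and tokens are constructed for the demo; the `create_network:provider:physical_network` rule text is an assumption, not the policy this library generates. It shows why a domain-scoped token fails the project check while the same user with a project-scoped token passes, and how the edited `is_domain_managed_role` rule lets the manager assign `manager`.

```python
"""Added illustration of oslo.policy-style rule evaluation (not oslo.policy itself,
not this project's code).  Rules and tokens below are constructed for the demo."""
import re


def _tokenize(rule):
    """Split on whitespace, peeling leading '(' and trailing ')' off each token so the
    '%(...)s' substitutions inside a check stay intact (as oslo.policy does)."""
    tokens = []
    for tok in rule.split():
        lead = len(tok) - len(tok.lstrip("("))
        trail = len(tok.rstrip(")"))
        tokens.extend("(" * lead)
        if tok[lead:trail]:
            tokens.append(tok[lead:trail])
        tokens.extend(")" * (len(tok) - trail))
    return tokens


def _lookup(data, path):
    """Resolve 'a.b.c' against nested dicts; a flat key 'a.b.c' wins if present."""
    if isinstance(data, dict) and path in data:
        return data[path]
    for part in path.split("."):
        if not isinstance(data, dict) or part not in data:
            return None
        data = data[part]
    return data


def _check(atom, rules, target, creds):
    """One 'key:value' check, mirroring RoleCheck / RuleCheck / GenericCheck."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    key, _, value = atom.partition(":")
    if key == "rule":
        return evaluate(rules[value], rules, target, creds)
    if key == "role":
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    m = re.fullmatch(r"%\((.+)\)s", value)      # render %(path)s from the target
    if m:
        value = _lookup(target, m.group(1))
    if value is None:
        return False
    if key.startswith("'") and key.endswith("'"):
        return key[1:-1] == str(value)           # 'member':%(target.role.name)s
    actual = _lookup(creds, key)                 # project_id:%(project_id)s
    return actual is not None and str(actual) == str(value)


def evaluate(rule, rules, target, creds):
    """Recursive descent: 'or' binds loosest, then 'and', then 'not', then atoms."""
    tokens = _tokenize(rule)
    if not tokens:
        return True                              # an empty rule is always allowed
    pos = 0

    def parse_binary(level):                     # level 0: 'or', level 1: 'and'
        nonlocal pos
        op = ("or", "and")[level]
        result = parse_binary(1) if level == 0 else parse_not()
        while pos < len(tokens) and tokens[pos].lower() == op:
            pos += 1
            rhs = parse_binary(1) if level == 0 else parse_not()   # always consume
            result = (result or rhs) if level == 0 else (result and rhs)
        return result

    def parse_not():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok.lower() == "not":
            return not parse_not()
        if tok == "(":
            result = parse_binary(0)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % rule)
            pos += 1
            return result
        return _check(tok, rules, target, creds)

    result = parse_binary(0)
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % rule)
    return result


# Constructed rules: provider network creation gated on a project-scoped manager, plus
# the Keystone role-assignment rule before (SCS) and after (Unikorn) the edit above.
SCS_RULES = {
    "create_network:provider:physical_network": "role:manager and project_id:%(project_id)s",
    "is_domain_managed_role": "'member':%(target.role.name)s or 'load-balancer_member':%(target.role.name)s",
}
UNIKORN_RULES = dict(SCS_RULES, is_domain_managed_role=SCS_RULES["is_domain_managed_role"]
                     + " or 'manager':%(target.role.name)s")


def can_create_provider_network(token, project_id, rules=UNIKORN_RULES):
    """Would this token be allowed to create a provider network in project_id?"""
    return evaluate(rules["create_network:provider:physical_network"], rules,
                    {"project_id": project_id}, token)


def can_assign_role(role_name, rules):
    """Can a domain manager hand out role_name under the given Keystone rules?"""
    return evaluate(rules["is_domain_managed_role"], rules,
                    {"target": {"role": {"name": role_name}}}, {})


# Constructed tokens: the same user and role, different scopes (the README's point).
DOMAIN_SCOPED = {"roles": ["manager"], "domain_id": "managed-domain"}
PROJECT_SCOPED = {"roles": ["manager"], "project_id": "managed-project"}
```

`can_create_provider_network(DOMAIN_SCOPED, "managed-project")` is false because the domain-scoped token carries no `project_id` for the `project_id:%(project_id)s` check to match, while the project-scoped token passes; `can_assign_role("manager", SCS_RULES)` is false and becomes true only with the edited rule in `UNIKORN_RULES`.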
Install the policies we define in this library through whatever mechanism your orchestration layer provides.
As an admin account:

```shell
openstack role create manager
```
Assuming a `domain-manager` user has then been created in a `managed-domain` domain with the `manager` role on that domain, authenticate as that user scoped to the managed domain, then create a managed project:

```shell
openstack project create --domain managed-domain managed-project
```
Then, to actually use the policies defined here, you need to bind the `manager` role to the project:

```shell
openstack role add --user domain-manager --domain managed-domain --project managed-project manager
```
Reauthenticate as the `domain-manager` scoped to the `managed-project` and try creating a provider network, which should succeed:

```shell
openstack network create --provider-network-type vlan --provider-physical-network physnet1 --provider-segment 666 my-provider-network
```

Note: this obviously requires VLAN provider network support by the platform. You may also verify that everything works by performing some quota updates.
```shell
python3 -m venv venv
source venv/bin/activate
pip3 install build pylint
```
Note: running the following will install all the necessary dependencies, including any commands required for the following sections.
```shell
python3 -m build
pip3 install --force-reinstall dist/python_unikorn_openstack_policy-0.1.0-py3-none-any.whl
```

Generate the policy files for each service namespace:

```shell
oslopolicy-policy-generator --namespace unikorn_openstack_policy_blockstorage
oslopolicy-policy-generator --namespace unikorn_openstack_policy_compute
oslopolicy-policy-generator --namespace unikorn_openstack_policy_network
```
pylint must report a score of 10/10 when running:

```shell
pylint unikorn_openstack_policy
```

You must test that everything works and get a 100% pass rate when running:

```shell
python3 -m unittest discover
```