yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2026182] Re: Add support for the service role in neutron API policies

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <2026182@xxxxxxxxxxxxxxxxxx>
Date: Fri, 06 Oct 2023 13:37:07 -0000
Reply-to: Bug 2026182 <2026182@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/886724
Committed: https://opendev.org/openstack/neutron/commit/428f7a8418447e75d6a9245dbaf7ccc165579ec4
Submitter: "Zuul (22348)"
Branch:    master

commit 428f7a8418447e75d6a9245dbaf7ccc165579ec4
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Thu Jun 22 09:34:26 2023 +0200

    [S-RBAC] Add service role in neutron policy
    
    RBAC community wide goal phase-2[1] is to add service
    role for the service APIs policy rule.
    This patch adds new "service_api" role in policies, deprecates old rule
    "context_is_advsvc" as this had basically same goal but for consistency
    reasons we want now to have it named "service_api" as in other policies
    for other projects.
    This patch also adds unit tests to ensure what is allowed and what is
    forbidden for the service role user.
    
    [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2
    
    Closes-Bug: #2026182
    
    Change-Id: Iaa1a3a491d310c2304f6500c6e5d2b9c31a72fa8


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2026182

Title:
  Add support for the service role in neutron API policies

Status in neutron:
  Fix Released

Bug description:
  As part of the second phase of the community goal "Consistent and Secure Default RBAC" [1] we should implement in Neutron support for the "service" role which will be used for the APIs developed for the machines to communicate, like e.g. port binding APIs which are used by nova-compute service.
  Second step of this phase 2 implementation should be usage of that new service role in the APIs which are designed for such service to service communication.

  
  [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2026182/+subscriptions

References

[Bug 2026182] [NEW] Add support for the service role in neutron API policies
From: Slawek Kaplonski, 2023-07-05