From 8f38a1c45f78deb0f1f3858a601e2a487a2ef378 Mon Sep 17 00:00:00 2001 From: guilhermesteinmuller Date: Thu, 25 Mar 2021 19:32:08 -0300 Subject: [PATCH] Update glance default policy values Currently, when users try to navigate through horizon panels or use the command-line interface that contains calls to /api/glance/metadefs it will pop up insufficient permission errors due to the fact we are disabling [1] the metadef APIs in glance addressing OSSN-0088 [2]. As a side effect on how we address the OSSN, all API calls to metadefs will be forbidden for any user, which is not recommended in production environments. However, we have the current recommendation of the OSSN which allows CRUD of metadef to admin only and provide read access to all users. [1] https://github.com/openstack/openstack-helm/commit/aab5ee77113c03865cc863f1a22a3730a86235c8 [2] https://wiki.openstack.org/wiki/OSSN/OSSN-0088 Story: 2008761 Task: 42128 Change-Id: Ib1415cadbbfab874a8d44ac6b5c6fba3c7502242 --- glance/Chart.yaml | 2 +- glance/values.yaml | 48 +++++++++++++++++++-------------- horizon/Chart.yaml | 2 +- horizon/values.yaml | 43 ++++++++++++++++++----------- releasenotes/notes/glance.yaml | 1 + releasenotes/notes/horizon.yaml | 1 + 6 files changed, 60 insertions(+), 37 deletions(-) diff --git a/glance/Chart.yaml b/glance/Chart.yaml index 73b101cb..150f570c 100644 --- a/glance/Chart.yaml +++ b/glance/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Glance name: glance -version: 0.1.7 +version: 0.1.8 home: https://docs.openstack.org/glance/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png sources: diff --git a/glance/values.yaml b/glance/values.yaml index df1370c7..be29f490 100644 --- a/glance/values.yaml +++ b/glance/values.yaml 
@@ -194,6 +194,8 @@ conf: filter:http_proxy_to_wsgi: paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory policy: + metadef_default: '' + metadef_admin: 'role:admin' context_is_admin: role:admin default: role:admin add_image: '' 
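Review bot: Nothing beside `metadef_default: ''` records that an empty check string is oslo.policy's always-allow rule, the opposite of the `'!'` (never allow) values the next hunk replaces, so the line reads like an unset value. I would put a comment above the two new rules, for example `# OSSN-0088: metadef reads open to any authenticated user ('' = always allow), writes admin only`. The same pair is added to the `glance:` policy in horizon/values.yaml and wants the same comment there. As a style point, `metadef_admin: 'role:admin'` is quoted while the adjacent `context_is_admin: role:admin` is not; dropping the quotes matches the surrounding entries. The `policy:` mapping starts before this hunk and continues after it.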
@@ -220,26 +222,32 @@ conf: modify_task: role:admin deactivate: '' reactivate: '' - get_metadef_namespace: '!' - get_metadef_namespaces: '!' - modify_metadef_namespace: '!' - add_metadef_namespace: '!' - get_metadef_object: '!' - get_metadef_objects: '!' - modify_metadef_object: '!' - add_metadef_object: '!' - list_metadef_resource_types: '!' - get_metadef_resource_type: '!' - add_metadef_resource_type_association: '!' - get_metadef_property: '!' - get_metadef_properties: '!' - modify_metadef_property: '!' - add_metadef_property: '!' - get_metadef_tag: '!' - get_metadef_tags: '!' - modify_metadef_tag: '!' - add_metadef_tag: '!' - add_metadef_tags: '!' + get_metadef_namespace: rule:metadef_default + get_metadef_namespaces: rule:metadef_default + modify_metadef_namespace: rule:metadef_admin + add_metadef_namespace: rule:metadef_admin + delete_metadef_namespace: rule:metadef_admin + get_metadef_object: rule:metadef_default + get_metadef_objects: rule:metadef_default + modify_metadef_object: rule:metadef_admin + add_metadef_object: rule:metadef_admin + delete_metadef_object: rule:metadef_admin + list_metadef_resource_types: rule:metadef_default + get_metadef_resource_type: rule:metadef_default + add_metadef_resource_type_association: rule:metadef_admin + remove_metadef_resource_type_association: rule:metadef_admin + get_metadef_property: rule:metadef_default + get_metadef_properties: rule:metadef_default + modify_metadef_property: rule:metadef_admin + add_metadef_property: rule:metadef_admin + remove_metadef_property: rule:metadef_admin + get_metadef_tag: rule:metadef_default + get_metadef_tags: rule:metadef_default + modify_metadef_tag: rule:metadef_admin + add_metadef_tag: rule:metadef_admin + add_metadef_tags: rule:metadef_admin + delete_metadef_tag: rule:metadef_admin + delete_metadef_tags: rule:metadef_admin glance: DEFAULT: log_config_append: /etc/glance/logging.conf diff --git a/horizon/Chart.yaml b/horizon/Chart.yaml index 9845ecf6..3c028fc4 100644 
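Review bot: The ten read rules in this hunk (`get_metadef_*` and `list_metadef_resource_types`) move from `'!'` to `rule:metadef_default`, which is `''`, so metadef contents become readable by every project, and nothing in the chart tells operators that. Since the commit message ties the change to OSSN-0088, a comment above the block such as `# metadef data is readable by all projects; keep sensitive values out of it` would carry the caveat along with the defaults. The release note line `0.1.8 Update glance default policy values` repeats the 0.1.6 text; wording like `0.1.8 Allow metadef reads for all users, admin-only writes (OSSN-0088)` would make the deny-to-allow change visible at upgrade time.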
--- a/horizon/Chart.yaml +++ b/horizon/Chart.yaml @@ -14,7 +14,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Horizon name: horizon -version: 0.1.6 +version: 0.1.7 home: https://docs.openstack.org/horizon/latest/ icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png sources: diff --git a/horizon/values.yaml b/horizon/values.yaml index 0ccfcb6a..7c53ec10 100644 --- a/horizon/values.yaml +++ b/horizon/values.yaml 
@@ -1036,12 +1036,36 @@ conf: 'volume_extension:volume_type_encryption': 'rule:admin_api' 'volume_extension:volume_unmanage': 'rule:admin_api' glance: + metadef_default: '' + metadef_admin: 'role:admin' + get_metadef_namespace: 'rule:metadef_default' + get_metadef_namespaces: 'rule:metadef_default' + modify_metadef_namespace: 'rule:metadef_admin' + add_metadef_namespace: 'rule:metadef_admin' + delete_metadef_namespace: 'rule:metadef_admin' + get_metadef_object: 'rule:metadef_default' + get_metadef_objects: 'rule:metadef_default' + modify_metadef_object: 'rule:metadef_admin' + add_metadef_object: 'rule:metadef_admin' + delete_metadef_object: 'rule:metadef_admin' + list_metadef_resource_types: 'rule:metadef_default' + get_metadef_resource_type: 'rule:metadef_default' + add_metadef_resource_type_association: 'rule:metadef_admin' + remove_metadef_resource_type_association: 'rule:metadef_admin' + get_metadef_property: 'rule:metadef_default' + get_metadef_properties: 'rule:metadef_default' + modify_metadef_property: 'rule:metadef_admin' + add_metadef_property: 'rule:metadef_admin' + remove_metadef_property: 'rule:metadef_admin' + get_metadef_tag: 'rule:metadef_default' + get_metadef_tags: 'rule:metadef_default' + modify_metadef_tag: 'rule:metadef_admin' + add_metadef_tag: 'rule:metadef_admin' + add_metadef_tags: 'rule:metadef_admin' + delete_metadef_tag: 'rule:metadef_admin' + delete_metadef_tags: 'rule:metadef_admin' add_image: '' add_member: '' - add_metadef_namespace: '' - add_metadef_object: '' - add_metadef_property: '' - add_metadef_resource_type_association: '' add_task: '' admin_or_owner: 'is_admin:True or project_id:%(project_id)s' context_is_admin: 'role:admin' 
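Review bot: The new metadef block is placed at the top of the `glance:` mapping while the rest of the mapping is alphabetically sorted (`add_image`, `add_member`, `add_task`, `admin_or_owner`, ...), which makes a leftover duplicate key hard to spot. Most YAML parsers keep the last value of a duplicated key without an error, and this mapping continues past the hunk, so it is worth confirming that no older `*_metadef_*: ''` entry remains further down; the following hunk removes the ones visible in this diff. Either merge the new keys into the sorted order or head the block with `# metadef rules: must match conf.policy in glance/values.yaml (OSSN-0088)`, since the commit message describes the errors users see when Horizon's copy and Glance's policy disagree.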
@@ -1050,28 +1074,17 @@ conf: delete_image: 'rule:admin_or_owner' delete_image_location: '' delete_member: '' - delete_metadef_namespace: '' download_image: '' get_image: '' get_image_location: '' get_images: '' get_member: '' get_members: '' - get_metadef_namespace: '' - get_metadef_namespaces: '' - get_metadef_object: '' - get_metadef_objects: '' - get_metadef_properties: '' - get_metadef_property: '' get_task: '' get_tasks: '' - list_metadef_resource_types: '' manage_image_cache: 'role:admin' modify_image: 'rule:admin_or_owner' modify_member: '' - modify_metadef_namespace: '' - modify_metadef_object: '' - modify_metadef_property: '' modify_task: '' publicize_image: '' set_image_location: '' diff --git a/releasenotes/notes/glance.yaml b/releasenotes/notes/glance.yaml index 4426007f..e797c208 100644 --- a/releasenotes/notes/glance.yaml +++ b/releasenotes/notes/glance.yaml @@ -8,3 +8,4 @@ glance: - 0.1.5 Change Issuer to ClusterIssuer - 0.1.6 Update glance default policy values - 0.1.7 Update storage init script with cacert + - 0.1.8 Update glance default policy values diff --git a/releasenotes/notes/horizon.yaml b/releasenotes/notes/horizon.yaml index 184fecc5..3b72fcc8 100644 --- a/releasenotes/notes/horizon.yaml +++ b/releasenotes/notes/horizon.yaml @@ -7,4 +7,5 @@ horizon: - 0.1.4 Change Issuer to ClusterIssuer - 0.1.5 Revert - Change Issuer to ClusterIssuer - 0.1.6 Change Issuer to ClusterIssuer + - 0.1.7 Update glance default policy values ...