Michael Johnson fafabad042 Switch oslo.policy over to yaml
Oslo.policy is moving away from using json format policy files[1].

This patch updates the Octavia documentation, policy configuration file, and
legacy admin-or-owner policy file to be in yaml format.

Octavia will continue to honor and support the json format file as long
as oslo.policy does, but this patch will encourage new deployments
to use the yaml format.

[1] https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html

Change-Id: I925cc05981e677c0552b18f845fdbc512d2af22c
2020-06-08 08:54:07 -07:00


Octavia Policies

The default policy is to not allow access unless the auth_strategy is 'noauth'.

Users must be a member of one of the following roles to have access to the load-balancer API:

role:load-balancer_observer

User has access to load-balancer read-only APIs.

role:load-balancer_global_observer

User has access to load-balancer read-only APIs including resources owned by others.

role:load-balancer_member

User has access to load-balancer read and write APIs.

role:load-balancer_quota_admin

User is considered an admin for quota APIs only.

role:load-balancer_admin

User is considered an admin for all load-balancer APIs including resources owned by others.

role:admin

User is admin to all APIs.

Note

'is_admin:True' is a policy rule that takes into account the auth_strategy == noauth configuration setting. It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}' if that would be valid syntax.

Legacy Admin or Owner Policy

An alternate policy file has been provided in octavia/etc/policy called admin_or_owner-policy.yaml that removes the load-balancer RBAC role requirement. Please see the README.rst in that directory for more information.

Sample File Generation

To generate a sample policy.yaml file from the Octavia defaults, run the oslo policy generation script:

oslopolicy-sample-generator \
    --config-file etc/policy/octavia-policy-generator.conf \
    --output-file policy.yaml.sample

Merged File Generation

This will output a policy file which includes all registered policy defaults and all policies configured with a policy file. This file shows the effective policy in use by the project:

oslopolicy-policy-generator \
    --config-file etc/policy/octavia-policy-generator.conf

This tool uses the output_file path from the config-file.

List Redundant Configurations

This will output a list of matches for policy rules that are defined in a configuration file where the rule does not differ from a registered default rule. These are rules that can be removed from the policy file with no change in effective policy:

oslopolicy-list-redundant \
    --config-file etc/policy/octavia-policy-generator.conf
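The role hierarchy described above and the redundant-rule check performed by oslopolicy-list-redundant can both be seen in a small, self-contained evaluator. The following is an added example, not Octavia's or oslo.policy's own code: it reads the flat '"rule-name": "expression"' subset of yaml that policy files use (without PyYAML), evaluates role:/rule:/key:value checks joined by and/or/not, and reports configured rules that merely repeat a default. The policy text, rule names and the modelling of the noauth case as an is_admin credential flag are constructed for the example and are not Octavia's shipped defaults.

```python
"""Minimal oslo.policy-style rule evaluator over a flat yaml policy file.

Added example, not Octavia's or oslo.policy's own code. Only the flat
'"name": "expression"' yaml subset and role:/rule:/key:value checks are handled.
"""
import re

# Constructed policy in the yaml form the commit switches to. Rule names and
# role wiring are chosen for the example; they are not Octavia's shipped defaults.
DEFAULT_POLICY_YAML = """\
# yaml allows comments such as this one; json policy files could not carry them.
"context_is_admin": "role:admin or role:load-balancer_admin"
"is_admin": "rule:context_is_admin or is_admin:True"
"load-balancer:read": "role:load-balancer_observer or role:load-balancer_member or rule:is_admin"
"load-balancer:read-global": "role:load-balancer_global_observer or rule:is_admin"
"load-balancer:write": "role:load-balancer_member or rule:is_admin"
"load-balancer:write-quota": "role:load-balancer_quota_admin or rule:is_admin"
"""

_LINE = re.compile(r'^\s*"([^"]+)"\s*:\s*"([^"]*)"\s*(?:#.*)?$')


def load_policy(text):
    """Parse the flat yaml subset used by policy files into {rule: expression}."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unsupported policy line %d: %r" % (lineno, line))
        rules[m.group(1)] = m.group(2)
    return rules


class _Parser:
    """Recursive descent: or_expr := and_expr ('or' and_expr)*; and/not/parens below."""

    def __init__(self, expr):
        self.toks, self.pos = re.findall(r"\(|\)|[^\s()]+", expr), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.not_expr())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of rule")
        return ("check", tok)


def _evaluate(node, rules, creds, depth):
    kind = node[0]
    if kind == "or":
        return _evaluate(node[1], rules, creds, depth) or _evaluate(node[2], rules, creds, depth)
    if kind == "and":
        return _evaluate(node[1], rules, creds, depth) and _evaluate(node[2], rules, creds, depth)
    if kind == "not":
        return not _evaluate(node[1], rules, creds, depth)
    check = node[1]
    if check == "@":            # always allow
        return True
    if check == "!":            # always deny
        return False
    key, _, value = check.partition(":")
    if key == "rule":           # reference to another rule; recursion is bounded
        if depth > 20:
            raise ValueError("rule recursion too deep at %r" % value)
        return enforce(rules, value, creds, depth + 1)
    if key == "role":           # role check against the caller's role list
        return value in creds.get("roles", [])
    # generic key:value check, e.g. is_admin:True (set here when auth_strategy is noauth)
    return str(creds.get(key, "")).lower() == value.lower()


def enforce(rules, rule_name, creds, depth=0):
    """Return True when creds satisfy rule_name; unknown rules deny."""
    expr = rules.get(rule_name)
    if expr is None:
        return False
    parser = _Parser(expr)
    tree = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in rule %r" % rule_name)
    return _evaluate(tree, rules, creds, depth)


def list_redundant(defaults, configured):
    """Mirror oslopolicy-list-redundant: configured rules identical to the default."""
    def norm(s):
        return " ".join(s.split())
    return sorted(k for k, v in configured.items()
                  if k in defaults and norm(v) == norm(defaults[k]))


if __name__ == "__main__":
    rules = load_policy(DEFAULT_POLICY_YAML)
    observer = {"roles": ["load-balancer_observer"], "is_admin": False}
    noauth = {"roles": [], "is_admin": True}  # constructed: auth_strategy == noauth
    print(enforce(rules, "load-balancer:read", observer))
    print(enforce(rules, "load-balancer:write", observer))
    print(enforce(rules, "load-balancer:write", noauth))
```

Running the module prints True, False, True: an observer may read but not write, and a noauth deployment passes every rule that falls through to is_admin:True. Feeding an operator override file to list_redundant together with the defaults returns the rule names that can be deleted without changing effective policy, which is the same question oslopolicy-list-redundant answers for the real project.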

Default Octavia Policies

_static/octavia.policy.yaml.sample