From 8f38a1c45f78deb0f1f3858a601e2a487a2ef378 Mon Sep 17 00:00:00 2001
From: guilhermesteinmuller
Date: Thu, 25 Mar 2021 19:32:08 -0300
Subject: [PATCH] Update glance default policy values
Currently, when users try to navigate through horizon panels or use the command-line interface that contains calls to /api/glance/metadefs it will pop up insufficient permission errors due to the fact we are disabling [1] the metadef APIs in glance addressing OSSN-0088 [2]. As a side effect on how we address the OSSN, all API calls to metadefs will be forbidden for any user, which is not recommended in production environments. However, we have the current recommendation of the OSSN which allows CRUD of metadef to admin only and provide read access to all users. [1] https://github.com/openstack/openstack-helm/commit/aab5ee77113c03865cc863f1a22a3730a86235c8 [2] https://wiki.openstack.org/wiki/OSSN/OSSN-0088 Story: 2008761 Task: 42128 Change-Id: Ib1415cadbbfab874a8d44ac6b5c6fba3c7502242
---
 glance/Chart.yaml | 2 +-
 glance/values.yaml | 48 +++++++++++++++++++--------------
 horizon/Chart.yaml | 2 +-
 horizon/values.yaml | 43 ++++++++++++++++++-----------
 releasenotes/notes/glance.yaml | 1 +
 releasenotes/notes/horizon.yaml | 1 +
 6 files changed, 60 insertions(+), 37 deletions(-)
diff --git a/glance/Chart.yaml b/glance/Chart.yaml
index 73b101cb6f..150f570c28 100644
--- a/glance/Chart.yaml
+++ b/glance/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.1.7
+version: 0.1.8
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:
diff --git a/glance/values.yaml b/glance/values.yaml
index df1370c7e0..be29f490ef 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -194,6 +194,8 @@ conf:
 filter:http_proxy_to_wsgi:
 paste.filter_factory: oslo_middleware:HTTPProxyToWSGI.factory
 policy:
+ metadef_default: ''
+ metadef_admin: 'role:admin'
 context_is_admin: role:admin
 default: role:admin
 add_image: ''
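Review bot: `metadef_default: ''` has no comment, and in oslo.policy an empty rule string always passes, so it means the opposite of the `default: role:admin` line that follows two lines later. A one-line comment above the pair would make the intent clear, for example `# '' always passes: metadef reads are open to every authenticated user; writes stay admin-only per OSSN-0088`. The new `'role:admin'` is also quoted while the neighbouring `role:admin` values are plain; matching the surrounding style would keep the block uniform. The `policy:` mapping continues outside this hunk.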
@@ -220,26 +222,32 @@ conf:
 modify_task: role:admin
 deactivate: ''
 reactivate: ''
- get_metadef_namespace: '!'
- get_metadef_namespaces: '!'
- modify_metadef_namespace: '!'
- add_metadef_namespace: '!'
- get_metadef_object: '!'
- get_metadef_objects: '!'
- modify_metadef_object: '!'
- add_metadef_object: '!'
- list_metadef_resource_types: '!'
- get_metadef_resource_type: '!'
- add_metadef_resource_type_association: '!'
- get_metadef_property: '!'
- get_metadef_properties: '!'
- modify_metadef_property: '!'
- add_metadef_property: '!'
- get_metadef_tag: '!'
- get_metadef_tags: '!'
- modify_metadef_tag: '!'
- add_metadef_tag: '!'
- add_metadef_tags: '!'
+ get_metadef_namespace: rule:metadef_default
+ get_metadef_namespaces: rule:metadef_default
+ modify_metadef_namespace: rule:metadef_admin
+ add_metadef_namespace: rule:metadef_admin
+ delete_metadef_namespace: rule:metadef_admin
+ get_metadef_object: rule:metadef_default
+ get_metadef_objects: rule:metadef_default
+ modify_metadef_object: rule:metadef_admin
+ add_metadef_object: rule:metadef_admin
+ delete_metadef_object: rule:metadef_admin
+ list_metadef_resource_types: rule:metadef_default
+ get_metadef_resource_type: rule:metadef_default
+ add_metadef_resource_type_association: rule:metadef_admin
+ remove_metadef_resource_type_association: rule:metadef_admin
+ get_metadef_property: rule:metadef_default
+ get_metadef_properties: rule:metadef_default
+ modify_metadef_property: rule:metadef_admin
+ add_metadef_property: rule:metadef_admin
+ remove_metadef_property: rule:metadef_admin
+ get_metadef_tag: rule:metadef_default
+ get_metadef_tags: rule:metadef_default
+ modify_metadef_tag: rule:metadef_admin
+ add_metadef_tag: rule:metadef_admin
+ add_metadef_tags: rule:metadef_admin
+ delete_metadef_tag: rule:metadef_admin
+ delete_metadef_tags: rule:metadef_admin
 glance:
 DEFAULT:
 log_config_append: /etc/glance/logging.conf
diff --git a/horizon/Chart.yaml b/horizon/Chart.yaml
index 9845ecf640..3c028fc485 100644
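Review bot: Every `get_*` and `list_*` metadef rule in this hunk now resolves to `metadef_default`, which the earlier hunk sets to `''`, so metadef reads go from denied to open for all users in one step. Namespaces, objects, properties or tags that non-admin users created before the `'!'` lockdown are presumably still stored and may become readable again, depending on their visibility. The release-note line `0.1.8 Update glance default policy values` does not mention this. I would extend that note to say that metadef reads are re-enabled for all users, and that operators should review existing metadef content for sensitive data before upgrading.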
--- a/horizon/Chart.yaml
+++ b/horizon/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Horizon
 name: horizon
-version: 0.1.6
+version: 0.1.7
 home: https://docs.openstack.org/horizon/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png
 sources:
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 0ccfcb6ab8..7c53ec1045 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -1036,12 +1036,36 @@ conf:
 'volume_extension:volume_type_encryption': 'rule:admin_api'
 'volume_extension:volume_unmanage': 'rule:admin_api'
 glance:
+ metadef_default: ''
+ metadef_admin: 'role:admin'
+ get_metadef_namespace: 'rule:metadef_default'
+ get_metadef_namespaces: 'rule:metadef_default'
+ modify_metadef_namespace: 'rule:metadef_admin'
+ add_metadef_namespace: 'rule:metadef_admin'
+ delete_metadef_namespace: 'rule:metadef_admin'
+ get_metadef_object: 'rule:metadef_default'
+ get_metadef_objects: 'rule:metadef_default'
+ modify_metadef_object: 'rule:metadef_admin'
+ add_metadef_object: 'rule:metadef_admin'
+ delete_metadef_object: 'rule:metadef_admin'
+ list_metadef_resource_types: 'rule:metadef_default'
+ get_metadef_resource_type: 'rule:metadef_default'
+ add_metadef_resource_type_association: 'rule:metadef_admin'
+ remove_metadef_resource_type_association: 'rule:metadef_admin'
+ get_metadef_property: 'rule:metadef_default'
+ get_metadef_properties: 'rule:metadef_default'
+ modify_metadef_property: 'rule:metadef_admin'
+ add_metadef_property: 'rule:metadef_admin'
+ remove_metadef_property: 'rule:metadef_admin'
+ get_metadef_tag: 'rule:metadef_default'
+ get_metadef_tags: 'rule:metadef_default'
+ modify_metadef_tag: 'rule:metadef_admin'
+ add_metadef_tag: 'rule:metadef_admin'
+ add_metadef_tags: 'rule:metadef_admin'
+ delete_metadef_tag: 'rule:metadef_admin'
+ delete_metadef_tags: 'rule:metadef_admin'
 add_image: ''
 add_member: ''
- add_metadef_namespace: ''
- add_metadef_object: ''
- add_metadef_property: ''
- add_metadef_resource_type_association: ''
 add_task: ''
 admin_or_owner: 'is_admin:True or project_id:%(project_id)s'
 context_is_admin: 'role:admin'
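Review bot: The 28 metadef entries are inserted ahead of `add_image`, which breaks the alphabetical ordering the rest of this `glance:` section follows (`add_image`, `add_member`, `add_task`, `admin_or_owner`, …), and they repeat the list in glance/values.yaml by hand. Horizon's copy presumably only decides which panels and actions the dashboard shows, while enforcement happens in the glance API. If the two lists drift apart, users would see either hidden features or the permission errors this commit sets out to fix. A comment above `metadef_default` such as `# keep in sync with conf.policy in glance/values.yaml; UI visibility only, not enforcement` would make that dependency explicit. The section continues outside this hunk.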
@@ -1050,28 +1074,17 @@ conf:
 delete_image: 'rule:admin_or_owner'
 delete_image_location: ''
 delete_member: ''
- delete_metadef_namespace: ''
 download_image: ''
 get_image: ''
 get_image_location: ''
 get_images: ''
 get_member: ''
 get_members: ''
- get_metadef_namespace: ''
- get_metadef_namespaces: ''
- get_metadef_object: ''
- get_metadef_objects: ''
- get_metadef_properties: ''
- get_metadef_property: ''
 get_task: ''
 get_tasks: ''
- list_metadef_resource_types: ''
 manage_image_cache: 'role:admin'
 modify_image: 'rule:admin_or_owner'
 modify_member: ''
- modify_metadef_namespace: ''
- modify_metadef_object: ''
- modify_metadef_property: ''
 modify_task: ''
 publicize_image: ''
 set_image_location: ''
diff --git a/releasenotes/notes/glance.yaml b/releasenotes/notes/glance.yaml
index 4426007fd4..e797c2080a 100644
--- a/releasenotes/notes/glance.yaml
+++ b/releasenotes/notes/glance.yaml
@@ -8,3 +8,4 @@ glance:
 - 0.1.5 Change Issuer to ClusterIssuer
 - 0.1.6 Update glance default policy values
 - 0.1.7 Update storage init script with cacert
+ - 0.1.8 Update glance default policy values
diff --git a/releasenotes/notes/horizon.yaml b/releasenotes/notes/horizon.yaml
index 184fecc5f6..3b72fcc8b5 100644
--- a/releasenotes/notes/horizon.yaml
+++ b/releasenotes/notes/horizon.yaml
@@ -7,4 +7,5 @@ horizon:
 - 0.1.4 Change Issuer to ClusterIssuer
 - 0.1.5 Revert - Change Issuer to ClusterIssuer
 - 0.1.6 Change Issuer to ClusterIssuer
+ - 0.1.7 Update glance default policy values
 ...