Commit df70355

Add more regulation to policy rules, add Octavia quirks
Signed-off-by: Markus Hentsch <[email protected]>
1 parent beb6557 commit df70355

File tree

1 file changed (+10, -5 lines changed)


Standards/scs-03XX-v1-standard-roles.md

Lines changed: 10 additions & 5 deletions
@@ -154,10 +154,7 @@ Core Roles:
154154

155155
All API services MUST be configured to use the Secure RBAC role model by enabling `enforce_new_defaults` and `enforce_scope` of the oslo.policy library.
156156

157-
If custom policy rules to any API by a CSP, the following MUST be adhered to:
158-
159-
1. The `policy_file` option of the oslo.policy library MUST be set to the name of the policy override file and not rely on default paths.
160-
2. The custom policy rules MUST NOT extend the privileges of the roles mentioned in this standard.
157+
If custom policy rules are added to an API by a CSP the `policy_file` option of the oslo.policy library SHOULD be explicitly set to the name of the policy override file and not rely on the corresponding default path.
161158

162159
Example configuration entries:
163160

@@ -170,7 +167,15 @@ policy_file = policy.yaml
170167

171168
#### API Policies
172169

173-
TODO: what does the CSP need to adhere to when it comes to API policy configuration?
170+
The following applies to all APIs that use RBAC policies:
171+
172+
- Custom policy rules MUST NOT extend the privileges of the core roles mentioned in this standard beyond their default permissions.
173+
- If roles with custom permission sets are required, new roles and corresponding policies MAY be added as long as their names differ from the core roles and they do not impact the core roles.
174+
175+
The following applies only to the Octavia v2 LBaaS API:
176+
177+
- The scoping-compatible variant of [OpenStack Default Roles Policy Override File](https://docs.openstack.org/octavia/2024.1/configuration/policy.html#openstack-default-roles-policy-override-file) MUST be used as a base to align the LBaaS API with the standardized reader, member and admin role set.
178+
As of the 2024.1 release of Octavia, this template is provided as [keystone_default_roles_scoped-policy.yaml](https://github.com/openstack/octavia/blob/stable/2024.1/etc/policy/keystone_default_roles_scoped-policy.yaml).
174179

175180
## Related Documents
176181
