[RFE] Add charm option for enforce_new_defaults and enforce_scope

Bug #1960806 reported by Peter De Sousa
This bug affects 2 people
Affects                               Status       Importance  Assigned to  Milestone
OpenStack Cinder Charm                New          Undecided   Unassigned
OpenStack Keystone Charm              New          Undecided   Unassigned
OpenStack Neutron API Charm           New          Undecided   Unassigned
OpenStack Nova Cloud Controller Charm New          Undecided   Unassigned
OpenStack Nova Compute Charm          In Progress  Wishlist    Unassigned
OpenStack Placement Charm             New          Undecided   Unassigned

Bug Description

Hi,

When testing user access on OpenStack, the users are able to create objects outside of their given access scopes. For example: reader roles can create objects inside of projects. There is an upstream Keystone issue for this: https://bugs.launchpad.net/keystone/+bug/1915193.

In that bug, https://bugs.launchpad.net/keystone/+bug/1915193/comments/3 points to an enforce_new_defaults config value which is available in Nova: https://docs.openstack.org/nova/latest/configuration/sample-config.html.

Currently the nova-compute charm does not enable this configuration value, and the issue is present. Please see the test run at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/results.txt; the script to run these tests can be found at: https://private-fileshare.canonical.com/~pjds/nova-compute-kvm-tests/run_rbac_openstack_tests.sh

[Edit]

With some further testing, the enforce_new_defaults will not work without the enforce_scope option.

Thanks,

Peter

https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_scope
https://docs.openstack.org/oslo.policy/latest/configuration/index.html#oslo_policy.enforce_new_defaults
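To make the two options concrete, here is a small self-contained model of how oslo.policy treats them, added as an example; it is not code from oslo.policy, Nova or any of the charms. The rule names, check strings, tokens and target are constructed to mirror the pattern Nova follows (a new "role:member and project_id" default wrapped around a deprecated admin_or_owner rule), and the hypervisor rule is deliberately simplified to "role:admin" so that only the scope check rejects it. With enforce_new_defaults off, the deprecated check is OR-ed with the new one, which is why a project reader still passes; with enforce_scope off, a token of the wrong scope only earns a warning and the check still runs.

```python
"""Simplified model of oslo.policy's enforce_scope / enforce_new_defaults.
Added example, NOT oslo.policy or charm code; rules and tokens are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


class InvalidScope(Exception):
    """Raised when enforce_scope=True and the token scope does not match."""


@dataclass
class Token:
    roles: Set[str]
    project_id: Optional[str] = None    # set on project-scoped tokens
    system_scope: Optional[str] = None  # "all" on system-scoped tokens

    @property
    def scope(self) -> str:
        return "system" if self.system_scope else "project"


@dataclass
class Rule:
    check: str                               # new default check string
    scope_types: List[str]                   # token scopes the API is meant for
    deprecated_check: Optional[str] = None   # legacy check string, if any


def _atom(atom: str, token: Token, target: Dict[str, str]) -> bool:
    """Evaluate one 'kind:value' check; '%(field)s' values come from the target."""
    kind, _, value = atom.partition(":")
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])
    if kind == "role":
        return value in token.roles
    if kind == "project_id":
        return token.project_id is not None and token.project_id == value
    if kind == "system_scope":
        return token.system_scope == value
    raise ValueError(f"unsupported check: {atom}")


def evaluate(check: str, token: Token, target: Dict[str, str]) -> bool:
    """Evaluate a check string written as an OR of AND-clauses (no parentheses)."""
    return any(
        all(_atom(a.strip(), token, target) for a in clause.split(" and "))
        for clause in check.split(" or ")
    )


class Enforcer:
    def __init__(self, rules: Dict[str, Rule], enforce_scope: bool,
                 enforce_new_defaults: bool) -> None:
        self.rules = rules
        self.enforce_scope = enforce_scope
        self.enforce_new_defaults = enforce_new_defaults

    def enforce(self, action: str, target: Dict[str, str], token: Token) -> bool:
        rule = self.rules[action]
        # enforce_scope on: wrong-scope token is rejected outright.
        # enforce_scope off: oslo.policy only logs a warning and carries on.
        if rule.scope_types and token.scope not in rule.scope_types:
            if self.enforce_scope:
                raise InvalidScope(f"{action}: {token.scope} token, want {rule.scope_types}")
        check = rule.check
        # enforce_new_defaults off: deprecated check is OR-ed with the new one,
        # so anything the legacy rule allowed stays allowed.
        if rule.deprecated_check and not self.enforce_new_defaults:
            check = f"{rule.check} or {rule.deprecated_check}"
        return evaluate(check, token, target)


# Constructed rules modelled on Nova's pattern (assumption, not Nova's policy file).
RULES = {
    "os_compute_api:servers:create": Rule(
        check="role:member and project_id:%(project_id)s",
        scope_types=["project"],
        deprecated_check="role:admin or project_id:%(project_id)s",  # old admin_or_owner
    ),
    "os_compute_api:os-hypervisors:list": Rule(
        check="role:admin", scope_types=["system"], deprecated_check="role:admin",
    ),
}

# Constructed tokens: project reader, project admin, system admin.
READER = Token(roles={"reader"}, project_id="p1")
PROJECT_ADMIN = Token(roles={"admin", "member", "reader"}, project_id="p1")
SYSTEM_ADMIN = Token(roles={"admin"}, system_scope="all")


def attempt(enforcer: Enforcer, action: str, target: Dict[str, str], token: Token):
    """Return True/False from the check, or the string 'InvalidScope'."""
    try:
        return enforcer.enforce(action, target, token)
    except InvalidScope:
        return "InvalidScope"


def run_scenarios() -> Dict[str, Dict[str, object]]:
    """Run the same requests under the three flag combinations."""
    configs = {
        "legacy": Enforcer(RULES, enforce_scope=False, enforce_new_defaults=False),
        "new_defaults_only": Enforcer(RULES, enforce_scope=False, enforce_new_defaults=True),
        "both": Enforcer(RULES, enforce_scope=True, enforce_new_defaults=True),
    }
    server, hv = {"project_id": "p1"}, {}
    create, hv_list = "os_compute_api:servers:create", "os_compute_api:os-hypervisors:list"
    return {
        name: {
            "reader_creates_server": attempt(enf, create, server, READER),
            "project_admin_lists_hypervisors": attempt(enf, hv_list, hv, PROJECT_ADMIN),
            "system_admin_lists_hypervisors": attempt(enf, hv_list, hv, SYSTEM_ADMIN),
            "system_admin_creates_server": attempt(enf, create, server, SYSTEM_ADMIN),
        }
        for name, enf in configs.items()
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The "legacy" row reproduces the reported behaviour (the reader's server create succeeds via the deprecated project_id match); "new_defaults_only" closes that hole but still lets a project-scoped admin token hit a system-scoped API; only "both" rejects the mismatched scope. In a real deployment both switches live under nova.conf's [oslo_policy] section as enforce_scope and enforce_new_defaults (see the oslo.policy links above); the real Nova check strings differ from the constructed ones here.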

Peter De Sousa (pjds)
description: updated
description: updated
Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Note that this option was available from Ussuri (but may have had issues associated with it). Need a discussion on which version(s) it should be made available for.

Changed in charm-nova-compute:
importance: Undecided → Wishlist
status: New → Triaged
tags: added: good-first-bug
Revision history for this message
Peter De Sousa (pjds) wrote (last edit ):

From testing, the enforce_new_defaults will not work unless enforce_scope is enabled too. Updating the description.

summary: - [RFE] Add charm option for enforce_new_defaults
+ [RFE] Add charm option for enforce_new_defaults and enforce_scope
description: updated
Nobuto Murata (nobuto)
description: updated
Revision history for this message
Nobuto Murata (nobuto) wrote :

When I was looking into Octavia doc for something else, I found the following statement.

https://docs.openstack.org/octavia/latest/configuration/policy.html#oslo-policy-enforce-scope
> The Octavia API supports enforcing the Keystone token scopes as of the Wallaby release.

Changed in charm-nova-cloud-controller:
assignee: nobody → Mustafa Kemal Gilor (mustafakemalgilor)
status: New → In Progress
Changed in charm-nova-cloud-controller:
assignee: Mustafa Kemal Gilor (mustafakemalgilor) → nobody
status: In Progress → New
Changed in charm-nova-compute:
assignee: nobody → Muhammad Ahmad (ahmadfsbd)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (master)
Changed in charm-nova-compute:
status: Triaged → In Progress
Revision history for this message
Nobuto Murata (nobuto) wrote :

This shouldn't be considered good-first-bug IMO since it requires wider testing coverage etc. instead of just modifying one charm.

tags: removed: good-first-bug
Revision history for this message
Billy Olsen (billy-olsen) wrote :

100% agree with Nobuto that this is not a good first bug, it requires looking at the larger picture.

Changed in charm-nova-compute:
assignee: Muhammad Ahmad (ahmadfsbd) → nobody
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-nova-compute (master)

Change abandoned by "Muhammad Ahmad <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/charm-nova-compute/+/851841
Reason: Abandoning due to the need for further analysis as per comments.
