Buildah is a valuable tool in the container ecosystem. As an effort to get more familiar with it, and to finally get my hand-rolled version of Keystone to deploy on Kubernetes, I decided to work through building a couple of Keystone based containers with Buildah.
Continue readingCloud is easy. It is networking that is hard.
Red Hat supports installing OpenShift on OpenStack. As a Cloud SA, I need to be able to demonstrate this, and make it work for customers. As I was playing around with it, I found I could not tear down clusters due to a dependency issue with ports.
Continue readingKolla has become the primary source of Containers for running OpenStack services. Since if has been a while since I tried deliberately running just the Keystone container, I decided to build the Kolla version from scratch and run it.
Continue readingIf you read the TripleO setup for network isolation, it lists eight distinct networks. Why does TripleO need so many networks? Lets take it from the ground up.
Continue reading
Ozz did a fantastic job laying out the rules around policy. This article assumes you’ve read that. I’ll wait.
Lets say you are an administrator of an OpenStack cloud. This means you are pretty much all powerful in the deployment. Now, you need to perform some operation, but you don’t want to give it full admin privileges? Why? well, do you work as root on your Linux box? I hope note. Here’s how to set up a self trust for a reduced set of roles on your token.
Continue reading
When a user requests a code review, the review is responsible for making sure that the code is tested. While the quality of the tests is a subjective matter, their presences is not; either they are there or they are not there. If they are not there, it is on the developer to explain why or why not.
Not every line of code is testable. Not every test is intelligent. But, at a minimum, a test should ensure that the code in a patch is run at least once, without an unexpected exception.
The policy .yaml file generated from oslo has the following format:
# Intended scope(s): system #"identity:update_endpoint_group": "rule:admin_required" # Delete endpoint group. # DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} # Intended scope(s): system #"identity:delete_endpoint_group": "rule:admin_required" |
This is not very useful for anything other than feeding to oslo-policy to enforce. If you want to use these values for anything else, it would be much more useful to have each rule as a dictionary, and all of the rules in a list. Here is a little bit of awk to help out:
#!/usr/bin/awk -f BEGIN {apilines=0; print("---")} /#"/ { if (api == 1){ printf(" ") }else{ printf("- ") } split ($0,array,"\"") print ("rule:", array[2]); print (" check:", array[4]); rule=0 } /# / {api=1;} /^$/ {api=0; apilines=0;} api == 1 && apilines == 0 {print ("- description:" substr($0,2))} /# GET/ || /# DELETE/ || /# PUT/ || /# POST/ || /# HEAD/ || /# PATCH/ { print (" " $2 ": " $3) } api == 1 { apilines = apilines +1 } |
I have it saved in mungepolicy.awk. I ran it like this:
cat etc/keystone.policy.yaml.sample | ./mungepolicy.awk > /tmp/keystone.access.yaml |
And the output looks like this:
--- - rule: admin_required check: role:admin or is_admin:1 - rule: service_role check: role:service - rule: service_or_admin check: rule:admin_required or rule:service_role - rule: owner check: user_id:%(user_id)s - rule: admin_or_owner check: rule:admin_required or rule:owner - rule: token_subject check: user_id:%(target.token.user_id)s - rule: admin_or_token_subject check: rule:admin_required or rule:token_subject - rule: service_admin_or_token_subject check: rule:service_or_admin or rule:token_subject - description: Show application credential details. GET: /v3/users/{user_id}/application_credentials/{application_credential_id} HEAD: /v3/users/{user_id}/application_credentials/{application_credential_id} rule: identity:get_application_credential check: rule:admin_or_owner - description: List application credentials for a user. GET: /v3/users/{user_id}/application_credentials HEAD: /v3/users/{user_id}/application_credentials rule: identity:list_application_credentials check: rule:admin_or_owner |
Which is valid yaml. It might be a pain to deal with the verbs in separate keys. Ideally, that would be a list, too, but this will work for starters.
The Policy management tool I’m working on really needs revision and change management. Since I’ve spent so much time with Git, it affects my thinking about change management things. So, here is my attempt to lay out my current thinking for implementing a git-like scheme for managing policy rules.
“We need a read only role.”
It seems like such a simple requirement. Users have been requesting a read-only role for several years now. Why is it so tough to implement?  Because it calls for modifying access control policy across multiple, disjoint services deployed at innumerable distinct locations.
“We need help in modifying policy to implement our own read only role.”
This one is a little bit more attainable. We should be able to provide better tools to help people customize their policy. What should that look like?
We gathered some information at the last summit, and I am going to try and distill it to a requirements document here.