Monday, 2026-04-27

16:02 <cardoe> I've added a couple of items in the open section of the agenda
16:33 <gouthamr> o/ cardoe; I can promote them to the main agenda.. we only have standing items as of now
16:34 <gouthamr> are you okay with that?
16:51 <cardoe> Yep.
16:51 <cardoe> It's more free form and nothing really written down which is why I threw them there
16:51 <cardoe> I can post to the ML first.
16:59 <gouthamr> edited the agenda to move them to the main section, on the RBAC question, it certainly could be resolved over the ML, or pinging gmaan
17:01 <gmaan> or RBAC meeting is scheduled for next Monday, feel free to add there https://etherpad.opendev.org/p/rbac-goal-tracking#L98
17:01 <gmaan> ++ on ML
17:02 <cardoe> oh well I'll ask gmaan then
17:15 <cardoe> I guess I'll do it here...
17:15 <cardoe> gmaan: reading through the RBAC bits I've come across a couple of things that just don't match with my operator hat on.
17:17 <cardoe> 1. I see we tried to get rid of the system scope but then it's written up as a persona in a number of places. I don't know what the intent here is? Like I'll use neutron as an example... Granting me admin on one project grants me the ability to manipulate system wide resources. Looking at the RBAC goals... phase 1 was to get rid of system scope though.
17:21 <cardoe> To use non-OpenStack terms... it seems system scope is good for non-namespaced objects. Where a namespace is a project in OpenStack terms.
17:23 <cardoe> 2. We've got manager as a role but a lot of things say it's just for keystone and manipulating projects. But then other places refer to it more broadly. Shall we have a goal to update the definition of it to be more broad?
17:23 <cardoe> 3. We've got 'auditor' referred to here https://docs.openstack.org/keystone/latest/admin/service-api-protection.html shall we aim to add that role in the hierarchy so it can be used?
17:29 <gmaan> cardoe: 1. for system scope, yes we tried the system scope in all services but
17:29 <gmaan> a. it did not work as an integrated use case, for example it broke heat, nfv use cases,
17:29 <gmaan> b. operators did not understand it and did not like it. That was the key feedback from operators in forum and PTG sessions.
17:29 <gmaan> we wrote the reason for dropping it https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change
17:30 <gmaan> I know the admin being global admin is an existing problem but that is what most of the operators were ok with. I do not deny the need to solve this issue but we do not have any perfect solution for this
17:30 <cardoe> So it's just awkward from the client side due to the two different tokens involved.
17:31 <cardoe> I guess then we'll slash that from my agenda items.
17:32 <cardoe> I'll go down this road a little bit solo then.
17:33 <gmaan> we talked about the global admin issue many times and have been back and forth on solutions
17:33 <gmaan> 2. manager role: it might be a doc bug, but manager role is someone between admin and project member. it is applicable for all the services depending on their use case. for example, nova added project manager access to do live migration of user VMs belonging to the same project. means admin can delegate that task to project manager
17:34 <gmaan> cardoe: can you please point me to the doc and I can correct it if needed or explain it more
17:34 <gmaan> 3. auditor: you mean global auditor not project specific reader right?
17:35 <cardoe> It could be system scoped or it could be project scoped
17:36 <cardoe> The keystone docs about roles seem to imply manager is really keystone only.
17:36 <gmaan> we do have project scope reader already so they can audit the things within their project
17:37 <cardoe> well reading metadata about an object vs reading the whole object.
17:37 <cardoe> barbican for example has this concept
17:37 <cardoe> but yes auditor would likely be system scoped.
17:37 <gmaan> but global reader is not there yet. it was brought up as a need in vancouver summit i think 3-4 years back by john. I agreed with the idea but we just did not progress on that due to bandwidth
17:38 <gmaan> I remember i added an action item for John to propose the spec in keystone but it did not happen
17:39 <cardoe> alright.
17:39 <gmaan> but yes, if anyone would like to implement it, this is a good use case
17:39 <cardoe> Well I'm happy to join in on any sessions you've got in the future.
17:39 <gmaan> I might not have bandwidth to do that by myself but happy to review
17:39 <gmaan> ++ thanks
17:40 <gmaan> and for system scope, I am able to find this etherpad where we got set back on that https://etherpad.opendev.org/p/rbac-operator-feedback
17:40 <gmaan> as you know ironic implemented it and some operators were happy about it so it was kept in ironic and then in keystone for the ironic use case
17:40 <gmaan> * ironic operators
17:42 <gmaan> I can write about the global reader on ML and ask for any volunteer. because i feel like this is a good or common use case which can help many operators
17:43 <gouthamr> gmaan: curious who john was in this case? garbutt?
17:43 <gmaan> yes, i did not find him in IRC but John garbutt
17:44 <gouthamr> ack ty
17:52 <JayF> johnthetubaguy; he's not online often upstream these days
17:52 <JayF> If someone needs to get in touch I can certainly find an up to date email for him
17:59 <sean-k-mooney> the global auditor persona i.e. a cross project reader
17:59 <sean-k-mooney> is not generally supported in most projects
18:00 <sean-k-mooney> *services
18:00 <JayF> https://docs.openstack.org/ironic/2026.1//admin/secure-rbac.html#system-scoped fwiw Ironic implements system reader
18:00 <sean-k-mooney> nova requires admin for any cross project request for example
18:00 <sean-k-mooney> system reader should only be able to read system scoped resources
18:00 <sean-k-mooney> not project scoped resources
18:01 <sean-k-mooney> and many projects don't have system scoped api. although ironic does
18:01 <JayF> Ironic's a weird case here where all nodes are kinda system and can also kinda be owned by >1 project
18:01 <JayF> (node.owner / node.lessee can be set to different values)
18:01 <JayF> so I think our stuff is just a little weirdly shaped compared to the rest
18:02 <sean-k-mooney> perhaps but it's a persona that could be supported with a new role in the future
18:02 <gmaan> sent on ML https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/ZEKOWEMLY6F2RFFXVD37QRQPMB35H5PR/
18:02 <gmaan> cardoe: ^^
18:02 <sean-k-mooney> there is just no way to express "cross project reader" uniformly under the SRBAC goal today
18:03 <sean-k-mooney> we could have an "audit" rule which was a readonly admin
18:03 <gmaan> JayF: nothing needed on contacting johnthetubaguy. I just reminded myself that he was the one who brought up the global reader need so referenced it here
18:03 <sean-k-mooney> it would just need work to enable in each of the projects
18:04 <gmaan> yeah
18:04 <JayF> I can probably speak to that use case too, I suspect he was representing GR's use case (among others).
18:04 <JayF> and global auditor / system auditor is a good way to describe the persona
18:05 <gmaan> ++
18:05 <gmaan> it's not big work other than keystone spec and doc. and then projects can start adopting it which also should not be big work. it's just we need someone to start it
18:05 <sean-k-mooney> JayF: i understand the usecase but we don't have a good mechanism to describe read only cross project access to project scoped resources in the 5 roles we have today
18:06 <sean-k-mooney> admin, manager, member, reader and service
18:06 <sean-k-mooney> we could add a 6th role for this to that set
18:06 <gmaan> 'global_reader' is the one name i thought of when it came up first
18:06 <sean-k-mooney> ya that works too
18:07 <gmaan> so that it will be explicit about what it means
18:07 <sean-k-mooney> sure the role could be named that way rather than the usecase
18:07 <sean-k-mooney> i.e. audit
18:07 <sean-k-mooney> i think we all agree on the gap
18:07 <sean-k-mooney> and the actual name is less important
18:08 <gmaan> gouthamr: FYI about the email, in case you get a chance to advertise it in a wider way (I think this release openinfra live is done but maybe for the next one if no volunteer) https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/ZEKOWEMLY6F2RFFXVD37QRQPMB35H5PR/
18:09 <gmaan> yeah, naming things does not matter but yes it's a clear need and came up many times
18:10 <gouthamr> ack gmaan, makes sense
18:10 <sean-k-mooney> for now you have to basically just use admin for this usecase
18:10 <sean-k-mooney> not ideal
18:11 <sean-k-mooney> but that's the only thing that works for all services
18:12 <gouthamr> similar pain as "service", a bit more dire..
18:13 <gouthamr> you don't want to give "admin" to things that should read, it'd be disastrous if something non-deterministic were to malfunction
18:13 <gouthamr> like this unfortunate thing: https://x.com/lifeof_jer/status/2048103471019434248
18:13 <sean-k-mooney> well service is also a restricted but distinct form of what used to be in admin
18:14 <sean-k-mooney> i.e. we created service so that we had a role for things that should only ever be called by another openstack service
18:14 <sean-k-mooney> so that admin could not do that any more and so we could restrict what services could call right
18:15 <gouthamr> ack, admin is the superuser, service is a subset blessed and expected by us maintainers - but our implementation has been slow
18:16 <cardoe> sorry I had to wander off for a bit.
18:17 <cardoe> sean-k-mooney: so an example in neutron of a system resource would be the network segment range list.
18:18 <cardoe> It's pools for available VLANs. It can be configured via the ML2 config or via the API.
18:19 <sean-k-mooney> cardoe: that is one way to model it
18:19 <sean-k-mooney> but if you did that you could not return them in response to a project scoped admin token
18:19 <cardoe> I'm just saying that's how it works. All projects pull from the same pool. Unless there's a private project pool.
18:19 <sean-k-mooney> and operators told us we can't break global admin
18:20 <sean-k-mooney> so using scope for this was basically not an option
18:20 <cardoe> sean-k-mooney: I'm telling you how neutron works today. I'm not advocating for any change.
18:20 <sean-k-mooney> ok so they either support both personas or they broke the global admin part of that goal
18:20 <sean-k-mooney> it is possible to advertise a resource in multiple scopes
18:21 <sean-k-mooney> so they may be doing that
18:21 <cardoe> It's also kinda like things that are marked "public=True" cause they're visible in all projects.
18:21 <sean-k-mooney> we had made flavors and host aggregates system scoped in nova but all that got ripped out in yoga when the change in direction was agreed
18:22 <cardoe> So in this case someone with project scoped role:admin needs to see the items available to that project.
18:22 <cardoe> BUT someone with admin on ANY project is allowed to manipulate what ANY project is able to see.
18:22 <sean-k-mooney> project scoped does not mean limited to a project.
18:22 <sean-k-mooney> the naming is bad
18:22 <sean-k-mooney> project scoped originally meant the resource could be owned/consumed by a project
18:23 <cardoe> Well neutron also has the model of sharing a resource to another project.
18:23 <sean-k-mooney> their native rbac api
18:23 <sean-k-mooney> yes nova can also have private flavors that are available to only specific projects
18:23 <sean-k-mooney> and glance has visibility which is not quite the same
18:24 <sean-k-mooney> but similar
18:24 <sean-k-mooney> the visibility/shareability of resources in many cases predates the SRBAC goal and is independent of it
18:26 <cardoe> That's fine. This one might just be better to tackle downstream.
18:26 <sean-k-mooney> doing it in a portable way will need service work unfortunately
18:27 <sean-k-mooney> many services have a db level check that prevents cross project access without the admin role
18:32 <cardoe> Yeah not the resources I'm talking about.
18:32 <sean-k-mooney> do you have a list in etherpad out of interest
18:33 <sean-k-mooney> the other problem with scopes is anyone with reader can create a system scoped reader token (as far as i am aware)
18:34 <sean-k-mooney> i.e. there is no way in keystone to say what scope a user can request
18:34 <cardoe> of resources? No. I'm writing a personas doc of operations.
18:34 <sean-k-mooney> in keystone you just do role assignment to users in a given project
18:34 <cardoe> No. You have to have system scope in keystone
18:34 <sean-k-mooney> but the entirety of scope enforcement is done out of band
18:35 <sean-k-mooney> are you sure about that because i don't think that is true
18:36 <sean-k-mooney> hum maybe you are right https://docs.openstack.org/api-ref/identity/v3/index.html#system-role-assignments
18:38 <sean-k-mooney> my view may be coloured by devstack
18:40 <sean-k-mooney> the keystone docs are still vastly out of date so i don't know how trustworthy they are in general
18:40 <sean-k-mooney> i.e. they still use compute hypervisors
18:40 <sean-k-mooney> as an example of a system scoped api
18:41 <cardoe> So just to confirm I attempted this and bypassed the service catalog and I didn't have permissions
18:42 <cardoe> I am able to auth but I have no idea what I'm getting. The docs are a bit light here.
18:42 <sean-k-mooney> ack so you set system_scope: all
18:42 <sean-k-mooney> in your clouds.yaml
18:42 <cardoe> Yep.
18:43 <sean-k-mooney> looking at devstack-system-reader:
18:43 <sean-k-mooney> it is actually using a different username than i thought
18:43 <sean-k-mooney> i thought it still used demo or alt-demo
18:43 <sean-k-mooney> but it's actually system_reader
18:44 <gmaan> yeah, for system role assignment, it makes sense to ask for system permission instead of allowing project admin to do
18:44 <sean-k-mooney> so i guess system_reader could be used as the global_reader if that was agreed by all projects but i don't know if that is safe to do now
18:45 <cardoe> I'm looking at this how k8s does RBAC
18:45 <gmaan> but for all other operations, they will work for project scope token also along with system token. mainly keep the keystone behavior unchanged which was before system scope. that is what we fixed. if still some permission issue then it's a keystone bug
18:45 <sean-k-mooney> cardoe: one complication at least for nova is we also filter the fields in the response based on your role
18:45 <cardoe> Which is good. So does Ironic.
18:45 <gmaan> yes, system reader is the global reader but we do not have that in any services other than ironic and keystone
18:45 <sean-k-mooney> i.e. we don't show some fields to non admins which is part of the issues with using reader
18:46 <sean-k-mooney> well it's reader access to system scoped apis
18:47 <sean-k-mooney> the question is are system scoped apis privileged or not
18:47 <gmaan> sean-k-mooney: good point on hard coded admin in DB for cross project things, that is something we should get rid of irrespective of global reader use case
18:47 <sean-k-mooney> gmaan: eventually but there were concerns about security of removing that final check
18:48 <gmaan> it can be driven from API and based on the configured RBAC
18:48 <sean-k-mooney> with some code change yes
18:49 <sean-k-mooney> we can have a cross_tenant_allowed flag based on new or existing policy rules
18:50 <sean-k-mooney> i don't know if we have all the rules we would require for that today but it could be done eventually
18:50 <gmaan> yes, code change, idea was API to call get|do_<things>_projectA or get|do_<things>_all_projects which are controlled via the policy rules
18:50 <gmaan> anyways not discussing that here but yes that is one of the things to fix
18:53 <cardoe> sean-k-mooney: So an example I'd use for nova would be 'openstack compute agent list'. Are those project scoped at all?
18:55 <sean-k-mooney> cardoe: it's project scoped not system scoped
18:55 <sean-k-mooney> cardoe: nova had system_scoped apis and they were all removed
18:55 <sean-k-mooney> so everything in nova is project scoped now
18:59 <sean-k-mooney> cardoe: one of the limitations today in oslo.policy is while it's possible for a rule to have more than one scope or role i don't think it's possible to say "(system_scoped:all and role:reader) or (project_admin)"
18:59 <sean-k-mooney> i might be wrong about that
18:59 <sean-k-mooney> but nova does not do that even if it is possible to express
18:59 <cardoe> You are wrong
19:00 <cardoe> Ironic uses that all over
19:00 <sean-k-mooney> ok well nova does not
19:00 <sean-k-mooney> https://github.com/openstack/nova/commit/066e1e69d1394839a9f0bde4ca8c3a0db2d52396
19:01 <cardoe> I'll hack on this locally myself.
19:03 <sean-k-mooney> looking at https://github.com/openstack/ironic/blob/master/ironic/common/policy.py
19:03 <sean-k-mooney> ironic does not use scope_types
19:03 <sean-k-mooney> oh you do later
19:03 <sean-k-mooney> just not on the default rules, you use them on the per endpoint ones
19:05 <sean-k-mooney> ah and you are encoding the check in the check string https://github.com/openstack/ironic/blob/master/ironic/common/policy.py#L77-L103
19:06 <sean-k-mooney> so you are just using scope_types=['system', 'project'], so listing the possible scope types you can receive and then doing the actual enforcement in the check_str
