Felipe Monteiro | 4d4cb1e | 2018-07-29 13:44:10 -0400 | [diff] [blame] | 1 | .. _rbac-overview: |
| 2 | |
Felipe Monteiro | e917655 | 2018-07-16 14:39:55 -0400 | [diff] [blame] | 3 | ================================== |
| 4 | Role-Based Access Control Overview |
| 5 | ================================== |
| 6 | |
| 7 | Introduction |
| 8 | ------------ |
| 9 | |
| 10 | Role-Based Access Control (RBAC) is used by most OpenStack services to control |
| 11 | user access to resources. Authorization is granted if a user has the necessary |
| 12 | role to perform an action. Patrole is concerned with validating that each of |
| 13 | these resources *can* be accessed by authorized users and *cannot* be accessed |
| 14 | by unauthorized users. |
| 15 | |
| 16 | OpenStack services use `oslo.policy`_ as the library for RBAC authorization. |
| 17 | Patrole relies on the same library for deriving expected test results. |
| 18 | |
| 19 | .. _policy-in-code: |
| 20 | |
| 21 | Policy in Code |
| 22 | -------------- |
| 23 | |
| 24 | Services publish their policy-to-API mapping via policy in code documentation. |
| 25 | This mapping includes the list of APIs that authorize a policy, for each |
| 26 | policy declared within a service. |
| 27 | |
| 28 | For example, Nova's policy in code documentation is located in the |
| 29 | `Nova repository`_ under ``nova/policies``. Likewise, Keystone's policy in |
| 30 | code documentation is located in the `Keystone repository`_ under |
| 31 | ``keystone/common/policies``. The other OpenStack services follow the same |
| 32 | directory layout pattern with respect to policy in code. |
| 33 | |
| 34 | The policy in code `governance goal`_ enumerates many advantages with following |
| 35 | this RBAC design approach. A so-called library of in-code policies offers the |
| 36 | following advantages, with respect to facilitating validation: |
| 37 | |
| 38 | * includes every policy enforced by an OpenStack service, enabling the |
| 39 | possibility of complete Patrole test coverage for that service (otherwise |
| 40 | one has to read the source code to discover all the policies) |
| 41 | * provides the policy-to-API mapping for each policy which can be used |
| 42 | to write correct Patrole tests (otherwise reading source code and |
| 43 | experimentation are required to derive this mapping) |
| 44 | * by extension, the policy-to-API mapping facilitates writing multi-policy |
| 45 | Patrole tests (otherwise even more experimentation and code reading is |
| 46 | required to arrive at all the policies enforced by an API) |
| 47 | * policy in code documentation includes additional information, like |
| 48 | descriptions and (in the case of some services, like Keystone) |
| 49 | `scope types`_, which help with understanding how to correctly write |
| 50 | Patrole tests |
| 51 | * by extension, such information helps to determine whether a Patrole test |
| 52 | should assume :term:`hard authorization` or :term:`soft authorization` |
| 53 | |
| 54 | Policy in Code (Default) Validation |
| 55 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 56 | |
| 57 | By default, Patrole validates default OpenStack policies. This is so that |
| 58 | the out-of-the-box defaults are sanity-checked, to ensure that OpenStack |
| 59 | services are secure, from an RBAC perspective, for each release. |
| 60 | |
| 61 | Patrole strives to validate RBAC by using the policy in code documentation, |
Felipe Monteiro | 0170c99 | 2018-07-31 20:10:05 -0400 | [diff] [blame] | 62 | wherever possible. See :ref:`validation-workflow-overview` for more details. |
Felipe Monteiro | e917655 | 2018-07-16 14:39:55 -0400 | [diff] [blame] | 63 | |
| 64 | .. _custom-policies: |
| 65 | |
| 66 | Custom Policies |
| 67 | --------------- |
| 68 | |
| 69 | Operators can override policy in code defaults using `policy.yaml`_. While |
| 70 | this allows operators to offer more fine-grained RBAC control to their tenants, |
| 71 | it opens the door to misconfiguration and bugs. Patrole can be used to validate |
| 72 | that custom policy overrides don't break anything and work as expected. |
| 73 | |
| 74 | Custom Policy Validation |
| 75 | ^^^^^^^^^^^^^^^^^^^^^^^^ |
| 76 | |
| 77 | While testing default policy behavior is a valid use case, oftentimes default |
| 78 | policies are modified with custom overrides in production. OpenStack's |
| 79 | `policy.yaml`_ documentation claims that "modifying policy can have unexpected |
| 80 | side effects", which is why Patrole was created: to ensure that custom |
| 81 | overrides allow the principle of least privilege to be tailor-made to exact |
| 82 | specifications via policy overrides, without: |
| 83 | |
| 84 | * causing unintended side effects (breaking API endpoints, breaking |
| 85 | cross-service workflows, breaking the policy file itself); or |
| 86 | * resulting in poor RBAC configuration, promoting security vulnerabilities |
| 87 | |
| 88 | This has implications on Patrole's :ref:`design-principles`: validating custom |
| 89 | overrides requires the ability to handle arbitrary roles, which requires logic |
Felipe Monteiro | 0170c99 | 2018-07-31 20:10:05 -0400 | [diff] [blame] | 90 | capable of dynamically determining expected test behavior. |
Felipe Monteiro | e917655 | 2018-07-16 14:39:55 -0400 | [diff] [blame] | 91 | |
| 92 | Note that support for custom policies is limited. This is because custom |
| 93 | policies can be arbitrarily complex, requiring that tests be very robust |
| 94 | in order to handle all edge cases. |
| 95 | |
| 96 | .. _multiple-policies: |
| 97 | |
| 98 | Multiple Policies |
| 99 | ----------------- |
| 100 | |
| 101 | Behind the scenes, many APIs enforce multiple policies, for many reasons, |
| 102 | including: |
| 103 | |
| 104 | * to control complex cross-service workflows; |
| 105 | * to control whether a server is booted from an image or booted from a volume |
| 106 | (for example); |
| 107 | * to control whether a response body should contain additional information |
| 108 | conditioned upon successful policy authorization. |
| 109 | |
| 110 | This makes `policy in code`_ especially important for policy validation: it |
| 111 | is difficult to keep track of all the policies being enforced across all the |
| 112 | individual APIs, without policy in code documentation. |
| 113 | |
| 114 | Multi-Policy Validation |
| 115 | ^^^^^^^^^^^^^^^^^^^^^^^ |
| 116 | |
| 117 | Patrole offers support for validating APIs that enforce multiple policies. |
| 118 | Perhaps in an ideal world each API endpoint would enforce only one policy, |
| 119 | but in reality some API endpoints enforce multiple policies. Thus, to offer |
| 120 | accurate validation, Patrole handles multiple policies: |
| 121 | |
| 122 | * for services *with* policy in code documentation: this documentation |
| 123 | indicates that a single API endpoint enforces multiple policy actions. |
| 124 | * for services *without* policy in code documentation: the API code clearly |
| 125 | shows multiple policy actions being validated. Note that in this case some |
| 126 | degree of log tracing is required by developers to confirm that the expected |
| 127 | policies are getting enforced, prior to the tests getting merged. |
| 128 | |
Felipe Monteiro | 42f7e1c | 2018-06-10 20:09:26 -0400 | [diff] [blame] | 129 | For more information, see :ref:`multi-policy-validation`. |
Felipe Monteiro | e917655 | 2018-07-16 14:39:55 -0400 | [diff] [blame] | 130 | |
Felipe Monteiro | 42f7e1c | 2018-06-10 20:09:26 -0400 | [diff] [blame] | 131 | .. _policy-error-codes: |
Felipe Monteiro | e917655 | 2018-07-16 14:39:55 -0400 | [diff] [blame] | 132 | |
| 133 | Error Codes |
| 134 | ----------- |
| 135 | |
| 136 | Most OpenStack services raise a ``403 Forbidden`` following failed |
| 137 | :term:`hard authorization`. Neutron, however, can raise a ``404 NotFound`` |
| 138 | as well. See Neutron's `authorization policy enforcement`_ documentation |
| 139 | for more details. |
| 140 | |
Felipe Monteiro | 0170c99 | 2018-07-31 20:10:05 -0400 | [diff] [blame] | 141 | Admin Context Policy |
| 142 | -------------------- |
| 143 | |
| 144 | The so-called "admin context" policy refers to the following policy definition |
| 145 | (using the legacy policy file syntax): |
| 146 | |
| 147 | .. code-block:: javascript |
| 148 | |
| 149 | { |
| 150 | "context_is_admin": "role:admin" |
| 151 | ... |
| 152 | } |
| 153 | |
| 154 | Which is unfortunately used to bypass ``oslo.policy`` authorization checks, |
| 155 | for example: |
| 156 | |
| 157 | .. code-block:: python |
| 158 | |
| 159 | # This function is responsible for calling oslo.policy to check whether |
| 160 | # requests are authorized to perform an API action. |
| 161 | def enforce(context, action, target, [...]): |
| 162 | # Here this condition, if True, skips over the enforce call below which |
| 163 | # is what calls oslo.policy. |
| 164 | if context.is_admin: |
| 165 | return True |
| 166 | _ENFORCER.enforce([...]) # This is what can be skipped over. |
| 167 | [...] |
| 168 | |
| 169 | This type of behavior is currently present in many services. Unless such |
| 170 | logic is removed in the future for services that implement it, Patrole |
| 171 | won't really be able to validate that admin role works from an ``oslo.policy`` |
| 172 | perspective. |
| 173 | |
Felipe Monteiro | e917655 | 2018-07-16 14:39:55 -0400 | [diff] [blame] | 174 | Glossary |
| 175 | -------- |
| 176 | |
| 177 | The following nomenclature is used throughout Patrole documentation so it is |
| 178 | important to understand what each term means in order to understand concepts |
| 179 | related to RBAC in Patrole. |
| 180 | |
| 181 | .. glossary:: |
| 182 | |
| 183 | authorize |
| 184 | |
| 185 | The act of ``oslo.policy`` determining whether a user can perform a |
| 186 | :term:`policy` given his or her :term:`role`. |
| 187 | |
| 188 | enforce |
| 189 | |
| 190 | See :term:`authorize`. |
| 191 | |
| 192 | hard authorization |
| 193 | |
| 194 | The `do_raise`_ flag controls whether policy authorization should result |
| 195 | in an exception getting raised or a boolean value getting returned. |
| 196 | Hard authorization results in an exception getting raised. Usually, this |
| 197 | results in a ``403 Forbidden`` getting returned for unauthorized requests. |
Felipe Monteiro | 42f7e1c | 2018-06-10 20:09:26 -0400 | [diff] [blame] | 198 | (See :ref:`policy-error-codes` for further details.) |
Felipe Monteiro | e917655 | 2018-07-16 14:39:55 -0400 | [diff] [blame] | 199 | |
| 200 | Related term: :term:`soft authorization`. |
| 201 | |
| 202 | oslo.policy |
| 203 | |
| 204 | The OpenStack library providing support for RBAC policy enforcement across |
| 205 | all OpenStack services. See the `official documentation`_ for more |
| 206 | information. |
| 207 | |
| 208 | policy |
| 209 | |
| 210 | Defines an RBAC rule. Each policy is defined by a one-line statement in |
| 211 | the form "<target>" : "<rule>". For more information, reference OpenStack's |
| 212 | `policy documentation`_. |
| 213 | |
| 214 | policy action |
| 215 | |
| 216 | See :term:`policy target`. |
| 217 | |
| 218 | policy file |
| 219 | |
| 220 | Prior to `governance goal`_ used by all OpenStack services to define |
| 221 | policy defaults. Still used by some services, which is why Patrole |
| 222 | needs to read the policy files to derive policy information for testing. |
| 223 | |
| 224 | policy in code |
| 225 | |
| 226 | Registers default OpenStack policies for a service in the service's code |
| 227 | base. |
| 228 | |
| 229 | Beginning with the Queens release, policy in code became a |
| 230 | `governance goal`_. |
| 231 | |
| 232 | policy rule |
| 233 | |
| 234 | The policy rule determines under which circumstances the API call is |
| 235 | permitted. |
| 236 | |
| 237 | policy target |
| 238 | |
| 239 | The name of a policy. |
| 240 | |
| 241 | requirements file |
| 242 | |
| 243 | Requirements-driven approach to declaring the expected RBAC test results |
| 244 | referenced by Patrole. Uses a high-level YAML syntax to crystallize policy |
| 245 | requirements concisely and unambiguously. See :ref:`requirements-authority` |
| 246 | for more information. |
| 247 | |
| 248 | role |
| 249 | |
| 250 | A designation for the set of actions that describe what a user can do in |
| 251 | the system. Roles are managed through the `Keystone Roles API`_. |
| 252 | |
| 253 | Role-Based Access Control (RBAC) |
| 254 | |
| 255 | May be formally defined as "an approach to restricting system access to |
| 256 | authorized users." |
| 257 | |
| 258 | rule |
| 259 | |
| 260 | See :term:`policy rule`. Note that currently the Patrole code base |
| 261 | conflates "rule" with :term:`policy target` in some places. |
| 262 | |
| 263 | soft authorization |
| 264 | |
| 265 | The `do_raise`_ flag controls whether policy authorization should result |
| 266 | in an exception getting raised or a boolean value getting returned. |
| 267 | Soft authorization results in a boolean value getting returned. When policy |
| 268 | authorization evaluates to true, additional operations are performed as a |
| 269 | part of the API request or additional information is included in the |
| 270 | response body (see `response filtering`_ for an example). |
| 271 | |
| 272 | Related term: :term:`hard authorization`. |
| 273 | |
Luigi Toscano | 6da06ed | 2019-01-07 17:50:41 +0100 | [diff] [blame] | 274 | .. _Nova repository: https://git.openstack.org/cgit/openstack/nova/tree/nova/policies |
| 275 | .. _Keystone repository: https://git.openstack.org/cgit/openstack/keystone/tree/keystone/common/policies |
Felipe Monteiro | e917655 | 2018-07-16 14:39:55 -0400 | [diff] [blame] | 276 | .. _governance goal: https://governance.openstack.org/tc/goals/queens/policy-in-code.html |
| 277 | .. _scope types: https://docs.openstack.org/keystone/latest/admin/identity-tokens.html#authorization-scopes |
| 278 | .. _policy.yaml: https://docs.openstack.org/ocata/config-reference/policy-yaml-file.html |
| 279 | .. _oslo.policy: https://docs.openstack.org/oslo.policy/latest/ |
| 280 | .. _policy documentation: https://docs.openstack.org/kilo/config-reference/content/policy-json-file.html |
| 281 | .. _do_raise: https://docs.openstack.org/oslo.policy/latest/reference/api/oslo_policy.policy.html#oslo_policy.policy.Enforcer.enforce |
| 282 | .. _authorization policy enforcement: https://docs.openstack.org/neutron/latest/contributor/internals/policy.html |
| 283 | .. _official documentation: https://docs.openstack.org/oslo.policy/latest/ |
| 284 | .. _Keystone Roles API: https://developer.openstack.org/api-ref/identity/v3/#roles |
| 285 | .. _response filtering: https://docs.openstack.org/neutron/latest/contributor/internals/policy.html#response-filtering |