Red Hat SummitChapter 2. Secure role based access control in Red Hat OpenStack Services on OpenShift
Configure secure role-based access control (SRBAC) in Red Hat OpenStack Services on OpenShift (RHOSO) to enforce granular access to policies. Implementing SRBAC limits users to the specific permissions required for their role, which strengthens the security of your environment.
All users who authenticate to the Identity service (keystone) in RHOSO 18.0 use SRBAC. SRBAC is the updated role-based authentication schema, and is present in all deployments of RHOSO and is used by all the policies.
2.1. SRBAC in Red Hat OpenStack Services on OpenShift
Understand secure role-based access control (SRBAC) personas in Red Hat OpenStack Services on OpenShift (RHOSO) to enforce granular access control. These personas define the specific scope and actions allowed for users, ensuring they have only the permissions necessary for their tasks.
The Identity service (keystone) implements secure roles using personas, which are scope-specific roles. You can assign roles to users or groups that are either project or system scoped.
2.1.1. Roles
Roles define which actions users can perform. There are three OpenStack roles that are available within the project and system scopes.
- admin
- Granting the admin role in any scope includes all create, read, update, or delete operations on resources and APIs.
- member
-
The
memberrole is allowed to create, read, update, and delete resources that are owned by the scope in which they are a member. - reader
-
The
readerrole is for read-only operations, regardless of the scope it is applied to. This role can view resources across the entirety of the scope to which it is applied.
2.1.2. Scope
The scope is the context in which operations are performed. All OpenStack resources are owned by a specific project, so access to those resources is granted by assigning a role to the project scope.
2.1.3. Personas
- Project admin
- This persona includes create, read, update and delete operations on resources across projects, which includes adding and removing users and other projects. Granting a user admin in any scope grants full API access to all APIs in all available scopes.
- Project member
- The project member persona is for users who are granted permission to consume resources within the project scope. This persona can create, list, update, and delete resources within the project to which they are assigned. This persona implies all permissions granted to project readers.
- Project reader
- The project reader persona is for users who are granted permission to view non-sensitive resources in the project. On projects, assign the reader role to end users who need to inspect or view resources, or to auditors, who only need to view project-specific resources within a single project for the purposes of an audit The project-reader persona will not address all auditing use cases.
- System admin
- System administrators are typically cloud administrators who can affect the behavior of the deployment. Granting a user admin in any scope grants full API access to all APIs in all available scopes.
- System members and system readers
-
System members and system readers have the same authorization and can view all resources within keystone. The
system readerpersona is useful for auditors if the audit does not require access to sensitive information.
Additional personas based on the domain scope are not available for use.
2.2. Assigning roles in Red Hat OpenStack Services on OpenShift
Assign roles in a secure role-based access control (SRBAC) environment in Red Hat OpenStack Services on OpenShift (RHOSO) to enforce granular access. This configuration limits users to the specific permissions required for their tasks.
You can assign users to the role of admin, member, or reader within either the project or system scope.
Prerequisites
-
You must have the
adminrole assigned to your user account to assign roles.
Procedure
Use syntax similar to the following command to provide a user a role with a
projectscope:$ openstack role add --user user1 --user-domain Default --project demo --project-domain Default <role>where:
<role>-
Specifies either
reader,member, oradmin.
Use syntax similar to the following command to provide a user a role with a
systemscope:$ openstack role add --user user1 --user-domain Default --system all <role>
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}