Role-based Access Control for QoS policies

https://bugs.launchpad.net/neutron/+bug/1512587

Add a Role-based Access Control for QoS policies in Neutron.

Problem Description

Currently, in neutron QoS policies cannot be shared across subsets of tenants. This proposal talks about using RBAC [1] for QoS policies and making them shareable across tenants.

Proposed Change

Introduce a new QosPolicyRBAC table that will control sharing of Neutron QoS policies between tenants. The existing logic of shared policies will then be updated to leverage the new RBAC code as the first implementation. The current ‘shared’ attribute on the qos-policy will be presented as a wildcard entry in the new table to preserve backwards API compatibility (more details below).

This specification only impacts which users are allowed to apply the qos-policies - not how they apply or what happens afterwards. As this feature leverages the existing RBAC code, it will be a whitelist-only model. i.e. the action column can’t be a negative that states a certain tenant can’t do something. Tenants will be able to delete policies they own, however the deletion will be forbidden in case the policy is shared and being used (e.g. attached to other tenant’s network).

Data Model Impact

Add a model of RBAC for qos policy, Using the existing RBAC for Data model as reference [2].

QosPolicyRBAC Table structure:

Attribute Name Type Access Default Value Validation/ Conversion Description
id string (UUID) R generated N/A id of RBAC entry
tenant_id string (UUID) R auto N/A owner of RBAC entry
object_id string (UUID) RW N/A object exists object affected by RBAC
object_type string RW N/A type has RBAC table type of object
target_tenant string RWU
string tenant ID the entry affects. * for all
action string RW N/A in actions for object allowed tenant action on object

Example Entries

A legacy shared qos policy:

  • object_id = <some_qos policy_id>
  • target_tenant = ‘*’
  • action = ‘access_as_shared’
  • id = <uuid> # auto generated
  • tenant_id = <uuid-of-policy-creator> # generated by API

A qos policy shared to a specific tenant:

  • object_id = <some_qos policy_id>
  • target_tenant = <some_tenant_id>
  • action = ‘access_as_shared’
  • id = <uuid> # auto generated
  • tenant_id = <uuid-of-policy-creator> # generated by API

All entries are to allow the action they describe. There won’t be any ‘deny’ rules at this time.

The object ID is simply the UUID of the policies to which the RBAC entry will be applied.

The target_tenant will be the tenant (a.k.a. project) ID to which the RBAC entry is granting permission to perform an action on the target object. This entry may also be an asterisk to represent that it applies to all tenants.

The action will describe what the tenant can do with the object. This specification deals with only one action - ‘access_as_shared’ to indicate that the tenant can access it like it would a shared policy. This could then be extended in the future to include something like ‘deny’ to provide RBAC for blacklisting as well. Supported actions are discoverable via the API.

Finally, each RBAC entry will also have a tenant ID that indicates the tenant that created the policy itself. This will normally be the same tenant as the object being shared, but it might not be in the case of admin-created policies for other tenants.

REST API Impact

Existing RBAC API’s will be extended to take new parameter - a new ‘object-type’ option would be added to the existing CLI.

{
    'rbac_policy': {
        'action': 'access_as_shared',
        'tenant_id': 'cc4abd64f6e5409da3ae6c04124f6d37',
        'object_type': 'qos-policy',
        'target_tenant': '1b245fd28a13435bb075dadac5951f8d',
        'object_id': 'f60eb0dc-ce07-419c-aa80-1114aafd38a7',
    }
}

Security Impact

Tenants will be able to share qos policies with each other. This shouldn’t be a major issue, since the ownership will never change. Effectively, each tenant will be responsible for its policy utilization.

Notifications Impact

N/A

Other End User Impact

The end user will be able to specify the qos policy as object-type. A new ‘object-type’ option would be added to the existing CLI. No new CLI is required.

Attach a new RBAC to an existing qos-policy:

neutron rbac-create <qos-policy-uuid|qos-policy-name> --type qos-policy --target-tenant \
    <tenant-uuid> --action access_as_shared <RBAC_OBJECT>

There should be no impact to the regular global shared qos policy workflow. The new API usage will only be required for fine-grained entries.

From the perspective of a tenant that has a policy shared to it, the policy will show up as ‘shared’ just like a globally shared policy would.

Performance Impact

Checking the ‘shared’ attribute for the qos-policy will now involve a join to another table. Same goes with respect to policy listing and updating.

IPv6 Impact

N/A

Developer Impact

N/A

Community Impact

This change shouldn’t impact the community in any major way as the legacy API remains.

Work Items

  • Add the DB model.
  • Adjust existing ‘shared’ attribute to use rbac and add migration script.
  • Update the client to CRUD the new RBACs type.
  • Add UTs to Neutron server.
  • Add API tests.

Dependencies

N/A

Testing

Tempest Tests

No tests are required. API tests should be sufficient.

Functional Tests

No functional test is likely necessary for this work. All of this is at the API layer without impacting the dataplane.

API Tests

  • Excercise basic CRUD of RBAC entries.
  • Make sure qos policies are revealed and hidden as RBAC entries are changed

Documentation Impact

User Documentation

The workflow for adding RBAC for qos policy entries will need to be added to [3].