From bacd2c039345dd12f22b0474b8a0f6a691a8ed98 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann <gmann@ghanshyammann.com>
Date: Sun, 13 Nov 2022 23:17:35 -0600
Subject: [PATCH] Policy defaults improvement spec

This spec is to improve the policies default
as per the community wide goal
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

APIImpact

Partial implement blueprint policy-defaults-improvement

Change-Id: I12dce16a7f18bb065e1412d2f2d9bd91452d8672
---
 .../approved/policy-defaults-improvement.rst  | 160 ++++++++++++++++++
 doc/source/specs/index.rst                    |  16 ++
 2 files changed, 176 insertions(+)
 create mode 100644 doc/source/specs/2023.1/approved/policy-defaults-improvement.rst

diff --git a/doc/source/specs/2023.1/approved/policy-defaults-improvement.rst b/doc/source/specs/2023.1/approved/policy-defaults-improvement.rst
new file mode 100644
index 000000000..93152c23f
--- /dev/null
+++ b/doc/source/specs/2023.1/approved/policy-defaults-improvement.rst
@@ -0,0 +1,160 @@
+..
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
+ License.
+
+ http://creativecommons.org/licenses/by/3.0/legalcode
+
+===========================
+Policy Defaults Improvement
+===========================
+
+https://blueprints.launchpad.net/placement/+spec/policy-defaults-improvement
+
+This spec is to improve the placement APIs policy as the directions
+decided in `RBAC community-wide goal
+<https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html>`_
+
+Problem description
+===================
+
+While discussing the new RBAC (scope_type and project admin vs
+system admin things) with operators in berlin ops meetup and
+via emails, and policy popup meetings, we got the feedback that
+we need to keep the legacy admin behaviour same as it is otherwise
+it is going to be a big breaking change for many of the operators.
+Same feedback for scope_type.
+
+- https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC
+- https://etherpad.opendev.org/p/rbac-operator-feedback
+
+By considering the feedback, we decided to make all the policy
+to be project scoped, release project reader role, and not to
+change the legacy admin behaviour.
+
+Use Cases
+---------
+
+Ideally most operators should be able to run without modifying policy, as
+such we need to have defaults closure to the usage.
+
+Proposed change
+===============
+
+The `RBAC community-wide goal
+<https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html>`_
+defines all the direction and implementation usage of policy. This proposal
+is to implement the phase 1 and phase 2 of the `RBAC community-wide goal
+<https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html>`_
+
+Alternatives
+------------
+
+Keep the policy defaults same as it is and expect operators to override
+them to behave as per their usage.
+
+Data model impact
+-----------------
+
+None
+
+REST API impact
+---------------
+
+The placement APIs policy will modified to add reader roles, scoped to
+projects, and keep legacy behaviour same as it is. Most of the policies
+will be default to 'admin-or-service' role but we will review every
+policy rule default while doing the code change.
+
+Security impact
+---------------
+
+Easier to understand policy defaults will help keep the system secure.
+
+Notifications impact
+--------------------
+
+None
+
+Other end user impact
+---------------------
+
+None
+
+Performance Impact
+------------------
+
+None
+
+Other deployer impact
+---------------------
+
+None
+
+Developer impact
+----------------
+
+New APIs must add policies that follow the new pattern.
+
+Upgrade impact
+--------------
+
+The scope_type of all the policy rules will be ``project`` if any
+deployement is running with enforce_scope enabled and with system
+scope token then they need to use the project scope token.
+
+Also, if any API policy defaults have been modified to ``service``
+role only (most of the policies will be default to admin-or-service)
+then the deployment using such APIs need to override them in policy.yaml
+to continue working for them.
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+Primary assignee:
+  gmann
+
+Feature Liaison
+---------------
+
+Feature liaison:
+  dansmith
+
+Work Items
+----------
+
+* Scope all policy to project
+* Add project reader role in policy
+* Modify policy rule unit tests
+
+Dependencies
+============
+
+None
+
+Testing
+=======
+
+Modify or add the policy unit tests.
+
+Documentation Impact
+====================
+
+API Reference should be kept consistent with any policy changes, in particular
+around the default reader role.
+
+References
+==========
+
+History
+=======
+
+.. list-table:: Revisions
+   :header-rows: 1
+
+   * - Release Name
+     - Description
+   * - 2023.1
+     - Introduced
diff --git a/doc/source/specs/index.rst b/doc/source/specs/index.rst
index 9add0b4d4..a516144ea 100644
--- a/doc/source/specs/index.rst
+++ b/doc/source/specs/index.rst
@@ -118,6 +118,22 @@ In Progress
 
    zed/approved/*
 
+2023.1
+------
+
+Implemented
+~~~~~~~~~~~
+
+
+In Progress
+~~~~~~~~~~~
+
+.. toctree::
+   :maxdepth: 1
+   :glob:
+
+   2023.1/approved/*
+
 .. toctree::
    :hidden: