OpenStack Strategy: RHOSSTRAT-1201

Implement SRBAC for Cyborg

    • Feature
    • Resolution: Unresolved
    • openstack-cyborg
    • rhos-workloads-evolution

      Feature Overview
      Cyborg's current RBAC implementation is inconsistent. While "Device Profiles"
      have been modernized, the majority of the API still relies on legacy rules
      (e.g., "admin_or_owner") defined in base.py. This feature involves a full
      audit of all Cyborg API routes—including ARQs, Accelerators, and Deployables—to
      implement the OpenStack community standard for Secure and Consistent RBAC.
      By moving away from hardcoded "admin" checks toward personas, we
      ensure that Cyborg provides secure multi-tenancy and granular access control
      aligned with the rest of the OpenStack ecosystem.

      Goals
      1. Full Policy Audit: Identify all API endpoints currently using legacy
      permissions and map them to appropriate Project scoped roles.
      2. Standardized Access: Transition from "admin_or_owner" logic to granular
      Admin, Service, Project-Manager, Project-Member, and Project-Reader personas.
      3. Consistency: Ensure all resources (ARQs, Accelerators, etc.) follow the
      pattern already established in the Device Profiles implementation.
      4. Backward Compatibility: Support the 'enforce_new_defaults' and
      'enforce_scope' configuration options to allow a smooth transition for
      existing deployments.

      Requirements

      Requirement | Notes | isMVP?
      Comprehensive Policy Audit | Document current vs. target state for all API policies. | Yes
      Refactor Base Policies | Update base.py to support system and project scopes. | Yes
      Implement Scoped Rules | Apply DocumentedRuleDefault to all non-updated routes. | Yes
      Deprecate Legacy Rules | Formal deprecation of "admin_or_owner" and "default" rules. | Yes
      Testing & Validation | Update Tempest and functional tests for new personas. | Yes

      Acceptance Criteria

      • A complete audit document exists mapping every Cyborg API endpoint to its
        new policy default.
      • All API endpoints (ARQs, Deployables, Attributes, etc.) are refactored
        to use oslo.policy DocumentedRuleDefault.
      • Project-scoped tokens (Manager/Member/Reader) are strictly isolated to their own
        resources, verified across all refactored routes.
      • The system correctly handles the 'enforce_new_defaults' toggle, allowing
        operators to opt-in to the new behavior.
      • Documentation is automatically generated from the new code-based
        policy defaults.
      • All routes require at least reader access; the generic allow is no
        longer used outside the microversion endpoint.

      Use Cases

      • Infrastructure Monitoring: A system-reader lists all deployables across
        the cloud to monitor hardware health without needing project-level access.
      • Secure Multi-tenancy: A project-member in Project A is denied access
        when attempting to view ARQs belonging to Project B, even if they have
        the UUID.
      • Read-Only Auditing: A user with the 'reader' role on a project can
        view their accelerator requests but is blocked from creating new
        device profiles.
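
The multi-tenancy and read-only use cases above depend on how a new project-scoped default combines with the deprecated rule it replaces. The following added example (not Cyborg's code) models that in plain Python: while 'enforce_new_defaults' is off, oslo.policy accepts a request if either the new default or the deprecated rule passes. The action names, the minimum roles, the role hierarchy and the shape of the legacy "admin_or_owner" rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed role hierarchy (Keystone implied roles); admin is not modeled
# for the new defaults in this sketch.
IMPLIES = {
    "manager": {"manager", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}

@dataclass(frozen=True)
class Token:
    role: str          # role held on the token's project
    project_id: str    # project the token is scoped to

def legacy_admin_or_owner(token, target):
    # Assumed shape of the legacy rule: admin, or any role in the owning project.
    return token.role == "admin" or token.project_id == target["project_id"]

def project_scoped(min_role):
    # New-style default: required role AND ownership of the target resource.
    def check(token, target):
        held = IMPLIES.get(token.role, set())
        return min_role in held and token.project_id == target["project_id"]
    return check

# Hypothetical action names and minimum roles, not Cyborg's real policy table.
NEW_DEFAULTS = {
    "arq:get_one": project_scoped("reader"),
    "arq:create": project_scoped("member"),
}

def authorize(action, token, target, enforce_new_defaults):
    allowed = NEW_DEFAULTS[action](token, target)
    if not enforce_new_defaults:
        # Deprecation window: new default OR deprecated rule, whichever passes.
        allowed = allowed or legacy_admin_or_owner(token, target)
    return allowed

def decision_matrix():
    # Constructed sample tokens and target: an ARQ owned by project-a.
    arq_a = {"project_id": "project-a"}
    cases = {
        "reader-a reads": ("arq:get_one", Token("reader", "project-a")),
        "reader-a creates": ("arq:create", Token("reader", "project-a")),
        "member-b reads": ("arq:get_one", Token("member", "project-b")),
    }
    return {name: (authorize(a, t, arq_a, False), authorize(a, t, arq_a, True))
            for name, (a, t) in cases.items()}

if __name__ == "__main__":
    for name, (legacy_window, new_only) in decision_matrix().items():
        print(f"{name:18} legacy-window={legacy_window} new-only={new_only}")
```

The reader's write is allowed during the deprecation window and denied once only the new defaults apply, which is the behaviour change operators opt into with 'enforce_new_defaults'.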

      Out of Scope

      • Implementation of custom or domain-specific roles outside the standard
        OpenStack personas.
      • system-scope

      Documentation Considerations

      Questions to Answer

      • Are there any "admin-only" actions in Cyborg that should strictly
        remain System-Admin only and never be available to Project-Admins?
      • How should we handle existing custom policy.yaml files that override
        the legacy "default" rule?

      Background and Strategic Fit
      Cyborg is currently in a "partially migrated" state. While device_profiles.py
      follows the new standard, the rest of the service (common/policy.py and
      base.py) remains tied to legacy logic. Completing this audit and
      implementation resolves Bug 1954886 and ensures Cyborg is not a
      security outlier in modern OpenStack deployments.

      Customer Considerations
      Operators relying on the legacy "admin_or_owner" behaviour will need clear
      warning logs and documentation. The change must be toggle-able to prevent
      breaking existing workflows during the upgrade cycle.
      The default will change in 2027.1.

      Team Sign Off

      Reviewed By Team Name Accepted Notes
             
             

              Unassigned
              Sean Mooney (smooney@redhat.com)
              Edu Alcaniz
              rhos-workloads-evolution