author | Lance Bragstad <lbragstad@gmail.com> | 2020-11-23 22:39:49 +0000 |
committer | Lance Bragstad <lbragstad@gmail.com> | 2020-11-24 04:08:05 +0000 |
commit | 62cef160c02b3523b48f04809f7b0dcbd69039c8 (patch) | |
tree | 0f0957e2158589f64e0ed60f70e6102d50771127 | |
parent | 40eb2626f0a1ab6d07c3913c6e03a92e70f112e3 (diff) | |
Implement secure RBAC for zone transfer accepts
This commit updates the policies for zone transfer accepts to
understand scope checking and account for a read-only role. This is
part of a broader series of changes across OpenStack to provide a
consistent RBAC experience and improve security.
Change-Id: If1329182043001e27713457c2d591e6c55ad3e87
-rw-r--r-- | designate/common/policies/zone_transfer_accept.py | 67 |
1 files changed, 59 insertions, 8 deletions
diff --git a/designate/common/policies/zone_transfer_accept.py b/designate/common/policies/zone_transfer_accept.py
index d7616fef..9ee5026a 100644
--- a/designate/common/policies/zone_transfer_accept.py
+++ b/designate/common/policies/zone_transfer_accept.py
@@ -13,10 +13,41 @@
 # under the License.
+from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common.policies import base
+DEPRECATED_REASON = """
+The zone transfer accept API now supports system scope and default roles.
+"""
+
+deprecated_create_zone_transfer_accept = policy.DeprecatedRule(
+ name="create_zone_transfer_accept",
+ check_str=base.RULE_ZONE_TRANSFER
+)
+deprecated_get_zone_transfer_accept = policy.DeprecatedRule(
+ name="get_zone_transfer_accept",
+ check_str=base.RULE_ADMIN_OR_OWNER
+)
+deprecated_find_zone_transfer_accepts = policy.DeprecatedRule(
+ name="find_zone_transfer_accepts",
+ check_str=base.RULE_ADMIN
+)
+deprecated_find_zone_transfer_accept = policy.DeprecatedRule(
+ name="find_zone_transfer_accept",
+ check_str=base.RULE_ADMIN
+)
+deprecated_update_zone_transfer_accept = policy.DeprecatedRule(
+ name="update_zone_transfer_accept",
+ check_str=base.RULE_ADMIN
+)
+deprecated_delete_zone_transfer_accept = policy.DeprecatedRule(
+ name="delete_zone_transfer_accept",
+ check_str=base.RULE_ADMIN
+)
+
+
 rules = [
 policy.DocumentedRuleDefault(
 name="create_zone_transfer_accept",
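Review bot: The six `DeprecatedRule` definitions keep the legacy check strings (`RULE_ADMIN`, `RULE_ADMIN_OR_OWNER`, `RULE_ZONE_TRANSFER`) alive, and nothing in the hunk records that oslo.policy ORs each deprecated check_str into its replacement until `[oslo_policy] enforce_new_defaults = True`, so the tightened defaults in this file are not enforced by the merge alone. A short note above `DEPRECATED_REASON` would stop an operator from assuming otherwise: `# NOTE: the legacy check_strs below stay ORed into the new defaults until enforce_new_defaults=True; scope_types only deny (rather than warn) once enforce_scope=True is also set.` `deprecated_create_zone_transfer_accept` is defined here, but the `create_zone_transfer_accept` rule that consumes it lies between the two hunks and is outside this diff, so its new check_str and scope_types could not be reviewed.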
@@ -31,44 +62,64 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name="get_zone_transfer_accept",
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.SYSTEM_OR_PROJECT_READER,
+ scope_types=['system', 'project'],
 description="Get Zone Transfer Accept",
 operations=[
 {
 'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}', # noqa
 'method': 'GET'
 }
- ]
+ ],
+ deprecated_rule=deprecated_get_zone_transfer_accept,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
 ),
 policy.DocumentedRuleDefault(
 name="find_zone_transfer_accepts",
- check_str=base.RULE_ADMIN,
+ check_str=base.SYSTEM_READER,
+ scope_types=['system'],
 description="List Zone Transfer Accepts",
 operations=[
 {
 'path': '/v2/zones/tasks/transfer_accepts',
 'method': 'GET'
 }
- ]
+ ],
+ deprecated_rule=deprecated_find_zone_transfer_accepts,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
 ),
 policy.RuleDefault(
 name="find_zone_transfer_accept",
- check_str=base.RULE_ADMIN
+ check_str=base.SYSTEM_READER,
+ scope_types=['system'],
+ deprecated_rule=deprecated_find_zone_transfer_accept,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
 ),
 policy.DocumentedRuleDefault(
 name="update_zone_transfer_accept",
- check_str=base.RULE_ADMIN,
+ check_str=base.SYSTEM_ADMIN,
+ scope_types=['system'],
 description="Update a Zone Transfer Accept",
 operations=[
 {
 'path': '/v2/zones/tasks/transfer_accepts',
 'method': 'POST'
 }
- ]
+ ],
+ deprecated_rule=deprecated_update_zone_transfer_accept,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
 ),
 policy.RuleDefault(
 name="delete_zone_transfer_accept",
- check_str=base.RULE_ADMIN
+ check_str=base.SYSTEM_ADMIN,
+ scope_types=['system'],
+ deprecated_rule=deprecated_delete_zone_transfer_accept,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
 )
 ]
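Review bot: The project-scoped half of `get_zone_transfer_accept` (`SYSTEM_OR_PROJECT_READER` with `scope_types=['system', 'project']`) only grants access if the enforcement target built at the API/central call site carries the key the project-reader rule formats (presumably `project_id`), whereas the replaced `RULE_ADMIN_OR_OWNER` check looks like it matched on an owner/tenant key; neither `base` nor the call site is in this diff, so this should be confirmed against them. A mismatch should fail closed (oslo.policy's generic check treats a missing target key as a failed match), so the risk is a regression for legitimate project readers rather than an exposure, and it would stay masked for as long as the deprecated rule is still ORed in. Separately, the unchanged GET `operations` entry for this rule still points at `/v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}`, which reads like a copy from the transfer-request policy file and is worth correcting to `/v2/zones/tasks/transfer_accepts/{zone_transfer_accept_id}` while this file is being touched. Moving list/find/update/delete to `scope_types=['system']` means a project-scoped admin token that previously passed `RULE_ADMIN` will get InvalidScope once enforce_scope is on; that is a deliberate tightening but deserves a release note.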