authorLance Bragstad <lbragstad@gmail.com>2020-11-23 22:39:49 +0000
committerLance Bragstad <lbragstad@gmail.com>2020-11-24 04:08:05 +0000
commit62cef160c02b3523b48f04809f7b0dcbd69039c8 (patch)
tree0f0957e2158589f64e0ed60f70e6102d50771127
parent40eb2626f0a1ab6d07c3913c6e03a92e70f112e3 (diff)
downloaddesignate-62cef160c02b3523b48f04809f7b0dcbd69039c8.tar.gz
Implement secure RBAC for zone transfer accepts
This commit updates the policies for zone transfer accepts to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. Change-Id: If1329182043001e27713457c2d591e6c55ad3e87
-rw-r--r--designate/common/policies/zone_transfer_accept.py67
1 files changed, 59 insertions, 8 deletions
diff --git a/designate/common/policies/zone_transfer_accept.py b/designate/common/policies/zone_transfer_accept.py
index d7616fef..9ee5026a 100644
--- a/designate/common/policies/zone_transfer_accept.py
+++ b/designate/common/policies/zone_transfer_accept.py
@@ -13,10 +13,41 @@
# under the License.
+from oslo_log import versionutils
from oslo_policy import policy
from designate.common.policies import base
+DEPRECATED_REASON = """
+The zone transfer accept API now supports system scope and default roles.
+"""
+
+deprecated_create_zone_transfer_accept = policy.DeprecatedRule(
+ name="create_zone_transfer_accept",
+ check_str=base.RULE_ZONE_TRANSFER
+)
+deprecated_get_zone_transfer_accept = policy.DeprecatedRule(
+ name="get_zone_transfer_accept",
+ check_str=base.RULE_ADMIN_OR_OWNER
+)
+deprecated_find_zone_transfer_accepts = policy.DeprecatedRule(
+ name="find_zone_transfer_accepts",
+ check_str=base.RULE_ADMIN
+)
+deprecated_find_zone_transfer_accept = policy.DeprecatedRule(
+ name="find_zone_transfer_accept",
+ check_str=base.RULE_ADMIN
+)
+deprecated_update_zone_transfer_accept = policy.DeprecatedRule(
+ name="update_zone_transfer_accept",
+ check_str=base.RULE_ADMIN
+)
+deprecated_delete_zone_transfer_accept = policy.DeprecatedRule(
+ name="delete_zone_transfer_accept",
+ check_str=base.RULE_ADMIN
+)
+
+
rules = [
policy.DocumentedRuleDefault(
name="create_zone_transfer_accept",
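Review bot: `deprecated_create_zone_transfer_accept` (defined with `check_str=base.RULE_ZONE_TRANSFER` at the top of this hunk) is never attached to a rule: the diffstat's 59 insertions and 8 deletions are all visible in the two hunks, and the body of the `create_zone_transfer_accept` rule that sits between them is untouched, so as far as this page shows the create rule gets neither `scope_types` nor a `deprecated_rule`. Either the create rule should be wired like its siblings, `scope_types=['system', 'project'], deprecated_rule=deprecated_create_zone_transfer_accept, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY`, or the unused DeprecatedRule should be dropped, since a dangling deprecation entry reads as a scope migration that has not actually happened for the one operation that completes a transfer. If leaving create on the key-based `RULE_ZONE_TRANSFER` is intentional, a comment next to that rule such as `# create stays on RULE_ZONE_TRANSFER (transfer key) and is not scope-aware yet` would stop the unused name from being mistaken for a missed wiring. The `rules` list continues past the end of this hunk.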
@@ -31,44 +62,64 @@ rules = [
),
policy.DocumentedRuleDefault(
name="get_zone_transfer_accept",
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.SYSTEM_OR_PROJECT_READER,
+ scope_types=['system', 'project'],
description="Get Zone Transfer Accept",
operations=[
{
'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}', # noqa
'method': 'GET'
}
- ]
+ ],
+ deprecated_rule=deprecated_get_zone_transfer_accept,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name="find_zone_transfer_accepts",
- check_str=base.RULE_ADMIN,
+ check_str=base.SYSTEM_READER,
+ scope_types=['system'],
description="List Zone Transfer Accepts",
operations=[
{
'path': '/v2/zones/tasks/transfer_accepts',
'method': 'GET'
}
- ]
+ ],
+ deprecated_rule=deprecated_find_zone_transfer_accepts,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
),
policy.RuleDefault(
name="find_zone_transfer_accept",
- check_str=base.RULE_ADMIN
+ check_str=base.SYSTEM_READER,
+ scope_types=['system'],
+ deprecated_rule=deprecated_find_zone_transfer_accept,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name="update_zone_transfer_accept",
- check_str=base.RULE_ADMIN,
+ check_str=base.SYSTEM_ADMIN,
+ scope_types=['system'],
description="Update a Zone Transfer Accept",
operations=[
{
'path': '/v2/zones/tasks/transfer_accepts',
'method': 'POST'
}
- ]
+ ],
+ deprecated_rule=deprecated_update_zone_transfer_accept,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
),
policy.RuleDefault(
name="delete_zone_transfer_accept",
- check_str=base.RULE_ADMIN
+ check_str=base.SYSTEM_ADMIN,
+ scope_types=['system'],
+ deprecated_rule=deprecated_delete_zone_transfer_accept,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
)
]
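Review bot: `deprecated_reason=DEPRECATED_REASON` and `deprecated_since=versionutils.deprecated.WALLABY` are repeated on every `DocumentedRuleDefault`/`RuleDefault` in this hunk (get, find, find-internal, update, delete); newer oslo.policy releases accept these two as arguments of `policy.DeprecatedRule` itself and warn on the per-rule keyword form, so depending on the oslo.policy version pinned for this series it may be worth attaching them once to each `DeprecatedRule(...)` definition earlier in the file instead. While this commit rewrites the check and scope of `get_zone_transfer_accept`, its documented operation on the unchanged line `'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}'` still names transfer_requests although every other operation in this file is under transfer_accepts, so the generated policy documentation will point readers of the new reader-scoped rule at the wrong endpoint. The internal `find_zone_transfer_accept` and `delete_zone_transfer_accept` rules remain `policy.RuleDefault` with no `description`, so their move to system scope will not surface in generated sample policy; a short `description="..."` on each would make the new system-scope requirement discoverable to operators auditing the defaults.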