authorLance Bragstad <lbragstad@gmail.com>2020-11-23 21:15:26 +0000
committerLance Bragstad <lbragstad@gmail.com>2020-11-24 04:08:05 +0000
commite9ecd1b5fedd0fed92c61c7fbcba1de5b9f28eb3 (patch)
tree551860e9a9001ef2e0950176f2f42b56e32612fb
parent5bab4daa36d39f09c343546797e2148d9168f848 (diff)
Implement secure RBAC for records
This commit updates the policies for records to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. Change-Id: I093223790b699e35fb151e17111e34c24153d4c4
-rw-r--r--designate/common/policies/record.py30
1 files changed, 27 insertions, 3 deletions
diff --git a/designate/common/policies/record.py b/designate/common/policies/record.py
index 86ccca54..a7bd7b90 100644
--- a/designate/common/policies/record.py
+++ b/designate/common/policies/record.py
@@ -13,14 +13,30 @@
# under the License.
+from oslo_log import versionutils
from oslo_policy import policy
from designate.common.policies import base
+DEPRECATED_REASON = """
+The records API now supports system scope and default roles.
+"""
+
+deprecated_find_records = policy.DeprecatedRule(
+ name="find_records",
+ check_str=base.RULE_ADMIN_OR_OWNER
+)
+deprecated_count_records = policy.DeprecatedRule(
+ name="count_records",
+ check_str=base.RULE_ADMIN_OR_OWNER
+)
+
+
rules = [
policy.DocumentedRuleDefault(
name="find_records",
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.SYSTEM_OR_PROJECT_READER,
+ scope_types=['system', 'project'],
description='Find records.',
operations=[
{
@@ -30,11 +46,19 @@ rules = [
'path': '/v2/reverse/floatingips',
'method': 'GET'
}
- ]
+ ],
+ deprecated_rule=deprecated_find_records,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
),
policy.RuleDefault(
name="count_records",
- check_str=base.RULE_ADMIN_OR_OWNER)
+ check_str=base.SYSTEM_OR_PROJECT_READER,
+ scope_types=['system', 'project'],
+ deprecated_rule=deprecated_find_records,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+ )
]
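Review bot: The `count_records` rule at the end of this hunk sets `deprecated_rule=deprecated_find_records`, while the first hunk defines `deprecated_count_records` that nothing on the page then uses, which looks like a copy-paste slip. In oslo.policy the deprecated rule's name is what the enforcer reports in the deprecation warning and, as far as I recall, what it uses to carry an operator's override of the old rule forward during the deprecation window, so an existing `count_records` override would presumably be dropped and the warning would name the wrong rule. The fix is the single line `deprecated_rule=deprecated_count_records,`. It would also be worth a unit test that asserts every `deprecated_rule` in this module has the same `name` as the rule it is attached to, since the same pattern is being applied across many policy files.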