author | Lance Bragstad <lbragstad@gmail.com> | 2020-11-23 21:15:26 +0000 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2020-11-24 04:08:05 +0000 |
commit | e9ecd1b5fedd0fed92c61c7fbcba1de5b9f28eb3 (patch) | |
tree | 551860e9a9001ef2e0950176f2f42b56e32612fb | |
parent | 5bab4daa36d39f09c343546797e2148d9168f848 (diff) | |
download | designate-e9ecd1b5fedd0fed92c61c7fbcba1de5b9f28eb3.tar.gz |
Implement secure RBAC for records
This commit updates the policies for records to understand scope
checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Change-Id: I093223790b699e35fb151e17111e34c24153d4c4
-rw-r--r-- | designate/common/policies/record.py | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/designate/common/policies/record.py b/designate/common/policies/record.py
index 86ccca54..a7bd7b90 100644
--- a/designate/common/policies/record.py
+++ b/designate/common/policies/record.py
@@ -13,14 +13,30 @@
 # under the License.
+from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common.policies import base
+DEPRECATED_REASON = """
+The records API now supports system scope and default roles.
+"""
+
+deprecated_find_records = policy.DeprecatedRule(
+ name="find_records",
+ check_str=base.RULE_ADMIN_OR_OWNER
+)
+deprecated_count_records = policy.DeprecatedRule(
+ name="count_records",
+ check_str=base.RULE_ADMIN_OR_OWNER
+)
+
+
 rules = [
 policy.DocumentedRuleDefault(
 name="find_records",
- check_str=base.RULE_ADMIN_OR_OWNER,
+ check_str=base.SYSTEM_OR_PROJECT_READER,
+ scope_types=['system', 'project'],
 description='Find records.',
 operations=[
 {
@@ -30,11 +46,19 @@ rules = [
 'path': '/v2/reverse/floatingips',
 'method': 'GET'
 }
- ]
+ ],
+ deprecated_rule=deprecated_find_records,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
 ),
 policy.RuleDefault(
 name="count_records",
- check_str=base.RULE_ADMIN_OR_OWNER)
+ check_str=base.SYSTEM_OR_PROJECT_READER,
+ scope_types=['system', 'project'],
+ deprecated_rule=deprecated_find_records,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+ )
 ] |
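Review bot: In the second hunk the `count_records` RuleDefault is given `deprecated_rule=deprecated_find_records`, while the `deprecated_count_records` rule added in the first hunk is never referenced. That wires the deprecation fallback for `count_records` to a rule named `find_records`, so an operator override of the old `count_records` check in a policy file would not be honoured during the deprecation window, and the unused definition will trip a linter. The fix is the one line `deprecated_rule=deprecated_count_records,` in the `policy.RuleDefault(name="count_records", ...)` entry. The `rules` list itself opens in the first hunk and closes in the second, so both are needed to see the full definition.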