Implement secure RBAC for records

This commit updates the policies for records to understand scope
checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC
experience and improve security.

Change-Id: I093223790b699e35fb151e17111e34c24153d4c4

1 files changed, 27 insertions, 3 deletions

diff --git a/designate/common/policies/record.py b/designate/common/policies/record.py
index 86ccca54..a7bd7b90 100644
--- a/designate/common/policies/record.py
+++ b/designate/common/policies/record.py
@@ -13,14 +13,30 @@
 #    under the License.
 
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from designate.common.policies import base
 
+DEPRECATED_REASON = """
+The records API now supports system scope and default roles.
+"""
+
+deprecated_find_records = policy.DeprecatedRule(
+    name="find_records",
+    check_str=base.RULE_ADMIN_OR_OWNER
+)
+deprecated_count_records = policy.DeprecatedRule(
+    name="count_records",
+    check_str=base.RULE_ADMIN_OR_OWNER
+)
+
+
 rules = [
     policy.DocumentedRuleDefault(
         name="find_records",
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.SYSTEM_OR_PROJECT_READER,
+        scope_types=['system', 'project'],
         description='Find records.',
         operations=[
             {
@@ -30,11 +46,19 @@ rules = [
                 'path': '/v2/reverse/floatingips',
                 'method': 'GET'
             }
-        ]
+        ],
+        deprecated_rule=deprecated_find_records,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.RuleDefault(
         name="count_records",
-        check_str=base.RULE_ADMIN_OR_OWNER)
+        check_str=base.SYSTEM_OR_PROJECT_READER,
+        scope_types=['system', 'project'],
+        deprecated_rule=deprecated_find_records,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
+    )
 ]