author | Lance Bragstad <lbragstad@gmail.com> | 2020-11-23 19:20:57 +0000 |
committer | Nicolas Bock <nicolas.bock@canonical.com> | 2020-11-23 18:02:56 -0700 |
commit | f4d35c02dfd3850596b6188b52051567fbb895a7 (patch) | |
tree | 413c5520a8278da4c1124c5861eb22b6f7009ccc | |
parent | 11d03924e73cd152e377e24304905a072cc4366e (diff) | |
Add useful common policies to base.py
These common check strings are useful for implementing consistent
policy checks across OpenStack by adhering to a common persona. This
also includes support for a default read-only role.
Subsequent changes will update the policies to use these check strings
where applicable.
Change-Id: Ica9db41939e17fcd67b97dce5191e75bfb396330
-rw-r--r-- | designate/common/policies/base.py | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/designate/common/policies/base.py b/designate/common/policies/base.py
index 84021351..adb2a6c6 100644
--- a/designate/common/policies/base.py
+++ b/designate/common/policies/base.py
@@ -25,6 +25,40 @@ RULE_ZONE_TRANSFER = "rule:admin_or_owner OR tenant:%(target_tenant_id)s " \
 "OR None:%(target_tenant_id)s"
 RULE_ANY = "@"
 
+# Generic policy check string for system administrators. These are the people
+# who need the highest level of authorization to operate the deployment.
+# They're allowed to create, read, update, or delete any system-specific
+# resource. They can also operate on project-specific resources where
+# applicable (e.g., cleaning up blacklists)
+SYSTEM_ADMIN = 'role:admin and system_scope:all'
+
+# Generic policy check string for read-only access to system-level resources.
+# This persona is useful for someone who needs access for auditing or even
+# support. These uses are also able to view project-specific resources where
+# applicable (e.g., listing all pools)
+SYSTEM_READER = 'role:reader and system_scope:all'
+
+# This check string is reserved for actions that require the highest level of
+# authorization on a project or resources within the project
+PROJECT_ADMIN = 'role:admin and project_id:%(project_id)s'
+
+# This check string is the primary use case for typical end-users, who are
+# working with resources that belong to a project (e.g., creating DNS zones)
+PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
+
+# This check string should only be used to protect read-only project-specific
+# resources. It should not be used to protect APIs that make writable changes.
+PROJECT_READER = 'role:reader and project_id:%(project_id)s'
+
+# The following are common composite check strings that are useful for
+# protecting APIs designed to operate with multiple scopes
+SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
+ '(' + SYSTEM_ADMIN + ') or (' + PROJECT_MEMBER + ')'
+)
+SYSTEM_OR_PROJECT_READER = (
+ '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')'
+)
+
 rules = [
 policy.RuleDefault(
 name="admin", |
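Review bot: `SYSTEM_ADMIN_OR_PROJECT_MEMBER` and `SYSTEM_OR_PROJECT_READER` accept a project-scoped token only on the `member` or `reader` role, so a token that carries only `admin` on the project passes these composites only if the deployment's Keystone implies `member`/`reader` from `admin`; that is the usual implied-role setup, but nothing in this block records the dependency, and `PROJECT_ADMIN` is defined without being folded into either composite. A comment above the composite block such as `# NOTE: these assume Keystone implied roles (admin -> member -> reader); a project admin whose admin role does not imply member is denied` would make the assumption visible to operators who customise role implications. The `project_id:%(project_id)s` half is also expected to fail closed when an enforcement target carries no `project_id`, which is the safe direction but worth stating for callers that reuse these strings on system-level resources. Separately, the `SYSTEM_READER` comment reads "These uses are also able" and should say "These users are also able". As a matter of style the composites could be built with `'({}) or ({})'.format(SYSTEM_ADMIN, PROJECT_MEMBER)` rather than `+` concatenation.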