author | Lance Bragstad <lbragstad@gmail.com> | 2020-11-23 21:56:48 +0000 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2020-11-24 04:08:05 +0000 |
commit | e99f3588f1624f806265b264db1f82bf56fdedb9 (patch) | |
tree | f1294f618692208ab92fd6df0d29a7406f2da138 | |
parent | e477cf33b4efd3d898b3698dacac5bbf0112d93c (diff) | |
download | designate-e99f3588f1624f806265b264db1f82bf56fdedb9.tar.gz |
Implement secure RBAC for top-level domains
This commit updates the policies for top-level domains to understand
scope checking and account for a read-only role. This is part of a
broader series of changes across OpenStack to provide a consistent
RBAC experience and improve security.
Change-Id: I0df00a826dcaf73c6a078a39585839022b71268a
-rw-r--r-- | designate/common/policies/tld.py | 67 |
1 files changed, 57 insertions, 10 deletions
diff --git a/designate/common/policies/tld.py b/designate/common/policies/tld.py
index a8e268b3..180ea9b2 100644
--- a/designate/common/policies/tld.py
+++ b/designate/common/policies/tld.py
@@ -13,65 +13,112 @@ # under the License. +from oslo_log import versionutils from oslo_policy import policy from designate.common.policies import base +DEPRECATED_REASON = """ +The top-level domain API now supports system scope and default roles. +""" + +deprecated_create_tld = policy.DeprecatedRule( + name="create_tld", + check_str=base.RULE_ADMIN +) +deprecated_find_tlds = policy.DeprecatedRule( + name="find_tlds", + check_str=base.RULE_ADMIN +) +deprecated_get_tld = policy.DeprecatedRule( + name="get_tld", + check_str=base.RULE_ADMIN +) +deprecated_update_tld = policy.DeprecatedRule( + name="update_tld", + check_str=base.RULE_ADMIN +) +deprecated_delete_tld = policy.DeprecatedRule( + name="delete_tld", + check_str=base.RULE_ADMIN +) + + rules = [ policy.DocumentedRuleDefault( name="create_tld", - check_str=base.RULE_ADMIN, + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], description="Create Tld", operations=[ { 'path': '/v2/tlds', 'method': 'POST' } - ] + ], + deprecated_rule=deprecated_create_tld, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name="find_tlds", - check_str=base.RULE_ADMIN, + check_str=base.SYSTEM_READER, + scope_types=['system'], description="List Tlds", operations=[ { 'path': '/v2/tlds', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_find_tlds, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name="get_tld", - check_str=base.RULE_ADMIN, + check_str=base.SYSTEM_READER, + scope_types=['system'], description="Show Tld", operations=[ { 'path': '/v2/tlds/{tld_id}', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_get_tld, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name="update_tld", - check_str=base.RULE_ADMIN, + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], description="Update Tld", 
operations=[ { 'path': '/v2/tlds/{tld_id}', 'method': 'PATCH' } - ] + ], + deprecated_rule=deprecated_update_tld, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name="delete_tld", - check_str=base.RULE_ADMIN, + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], description="Delete Tld", operations=[ { 'path': '/v2/tlds/{tld_id}', 'method': 'DELETE' } - ] + ], + deprecated_rule=deprecated_delete_tld, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ) ] |
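Review bot: The tightening in this hunk is not effective by itself — every new rule carries a `deprecated_rule` pointing back at the old `base.RULE_ADMIN` check, and oslo.policy treats the deprecated check_str as an OR fallback until `[oslo_policy] enforce_new_defaults` is turned on, while `scope_types=['system']` is only enforced once `enforce_scope` is set; both default to off, so as far as I can tell project-scoped admin tokens keep full access to `/v2/tlds` after this lands. That is the intended migration path, but nothing in the module tells an operator so, and `find_tlds`/`get_tld` also widen from admin-only to the reader role, which is worth stating explicitly. I would extend `DEPRECATED_REASON` (it is surfaced in the generated sample policy and in deprecation warnings) with one sentence: `Until [oslo_policy] enforce_scope and enforce_new_defaults are enabled, the legacy rule:admin check is still honoured alongside the new system-scoped defaults.` The exact check strings behind `base.SYSTEM_ADMIN` and `base.SYSTEM_READER` are defined outside this hunk and are not visible here.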