author | Lance Bragstad <lbragstad@gmail.com> | 2020-11-23 22:31:26 +0000 |
---|---|---|
committer | Lance Bragstad <lbragstad@gmail.com> | 2020-11-24 04:08:05 +0000 |
commit | 40eb2626f0a1ab6d07c3913c6e03a92e70f112e3 (patch) | |
tree | c63a327f634b1b5e371d9289b28fa7ebbe51d8c9 | |
parent | d9ee5be3b9f13489cfcbdcb0ec200254a254df08 (diff) | |
Implement secure RBAC for zone imports
This commit updates the policies for zone imports to understand scope
checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC
experience and improve security.
Change-Id: I319b2398de9bd9d841bfb3bbdbe8f50434762602
-rw-r--r-- | designate/common/policies/zone_import.py | 66 |
1 files changed, 56 insertions, 10 deletions
diff --git a/designate/common/policies/zone_import.py b/designate/common/policies/zone_import.py
index 1aaa64fd..8fe4562b 100644
--- a/designate/common/policies/zone_import.py
+++ b/designate/common/policies/zone_import.py
@@ -13,66 +13,112 @@ # under the License. +from oslo_log import versionutils from oslo_policy import policy from designate.common.policies import base +DEPRECATED_REASON = """ +The zone import API now supports system scope and default roles. +""" + +deprecated_create_zone_import = policy.DeprecatedRule( + name="create_zone_import", + check_str=base.RULE_ADMIN_OR_OWNER +) +deprecated_find_zone_imports = policy.DeprecatedRule( + name="find_zone_imports", + check_str=base.RULE_ADMIN_OR_OWNER +) +deprecated_get_zone_import = policy.DeprecatedRule( + name="get_zone_import", + check_str=base.RULE_ADMIN_OR_OWNER +) +deprecated_update_zone_import = policy.DeprecatedRule( + name="update_zone_import", + check_str=base.RULE_ADMIN_OR_OWNER +) +deprecated_delete_zone_import = policy.DeprecatedRule( + name="delete_zone_import", + check_str=base.RULE_ADMIN_OR_OWNER +) + rules = [ policy.DocumentedRuleDefault( name="create_zone_import", - check_str=base.RULE_ADMIN_OR_OWNER, + check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, + scope_types=['system', 'project'], description="Create Zone Import", operations=[ { 'path': '/v2/zones/tasks/imports', 'method': 'POST' } - ] + ], + deprecated_rule=deprecated_create_zone_import, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name="find_zone_imports", - check_str=base.RULE_ADMIN_OR_OWNER, + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 'project'], description="List all Zone Imports", operations=[ { 'path': '/v2/zones/tasks/imports', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_find_zone_imports, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name="get_zone_import", - check_str=base.RULE_ADMIN_OR_OWNER, + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 'project'], description="Get Zone Imports", operations=[ { 'path': 
'/v2/zones/tasks/imports/{zone_import_id}', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_get_zone_import, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name="update_zone_import", - check_str=base.RULE_ADMIN_OR_OWNER, + check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, + scope_types=['system', 'project'], description="Update Zone Imports", operations=[ { 'path': '/v2/zones/tasks/imports', 'method': 'POST' } - ] + ], + deprecated_rule=deprecated_update_zone_import, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name="delete_zone_import", - check_str=base.RULE_ADMIN_OR_OWNER, + check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, + scope_types=['system', 'project'], description="Delete a Zone Import", operations=[ { 'path': '/v2/zones/tasks/imports/{zone_import_id}', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_delete_zone_import, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ) ] |
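Review bot: The `operations` metadata carried over under the new `delete_zone_import` rule still lists `'method': 'GET'` for `/v2/zones/tasks/imports/{zone_import_id}`, and `update_zone_import` still lists `POST` on the collection path, identical to `create_zone_import`. This metadata is what the generated policy documentation shows operators who audit the new scope and role defaults, so the delete entry should read `'method': 'DELETE'`, and the update entry should be checked against whatever actually enforces that rule (it may be an internal status update rather than a public endpoint — verify before documenting a method). Because every rule now carries a `deprecated_rule` of `RULE_ADMIN_OR_OWNER`, oslo.policy will keep honouring the old check alongside the new one until operators set `enforce_new_defaults`, and `scope_types` only takes effect with `enforce_scope`, so the tighter reader/member split in this hunk is opt-in and worth stating in the `DEPRECATED_REASON` text or a release note. Whether `SYSTEM_ADMIN_OR_PROJECT_MEMBER` and `SYSTEM_OR_PROJECT_READER` still bind the project-scoped branch to `project_id:%(project_id)s` is defined in `base`, outside this diff, and should be confirmed so a project member or reader cannot view or delete another project's imports.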