authorLance Bragstad <lbragstad@gmail.com>2020-12-01 20:03:33 +0000
committerramishra <ramishra@redhat.com>2021-03-02 09:32:41 +0530
commit93594c30eca3a52366e8138a583a00dbe5927d7d (patch)
treedc156219e5b954329d64c5a156bd1e8abde9e5fd /heat/policies/software_configs.py
parent8daa7e938985e0fc34f603debf3a8ba1413d8ff7 (diff)
Implement secure RBAC
This commit updates default policies to account for system scope and default roles. This is part of a broader change to provide a consistent and secure authorization experience across OpenStack projects. - Introduces basic/reusable check strings in base.py - Implements secure RBAC for build info API - Implements secure RBAC for the action API - Implements secure RBAC for cloud formations - Implements secure RBAC for events - Implements secure RBAC for the resource API - Implements secure RBAC for the service API - Implements secure RBAC for software configs - Implements secure RBAC for software deployments - Implements secure RBAC for stacks - Adds unit tests for legacy and new secure-rbac policies. Change-Id: Iff1e39481ea3b1f00bd89dba4a00aed30334ecec
Diffstat (limited to 'heat/policies/software_configs.py')
-rw-r--r--heat/policies/software_configs.py66
1 files changed, 56 insertions, 10 deletions
diff --git a/heat/policies/software_configs.py b/heat/policies/software_configs.py
index 72f6f2c99..5de6535fb 100644
--- a/heat/policies/software_configs.py
+++ b/heat/policies/software_configs.py
@@ -10,67 +10,113 @@
# License for the specific language governing permissions and limitations
# under the License.
+from oslo_log import versionutils
from oslo_policy import policy
from heat.policies import base
+DEPRECATED_REASON = """
+The software configuration API now support system scope and default roles.
+"""
+
POLICY_ROOT = 'software_configs:%s'
+deprecated_global_index = policy.DeprecatedRule(
+ name=POLICY_ROOT % 'global_index',
+ check_str=base.RULE_DENY_EVERYBODY
+)
+deprecated_index = policy.DeprecatedRule(
+ name=POLICY_ROOT % 'index',
+ check_str=base.RULE_DENY_STACK_USER
+)
+deprecated_create = policy.DeprecatedRule(
+ name=POLICY_ROOT % 'create',
+ check_str=base.RULE_DENY_STACK_USER
+)
+deprecated_show = policy.DeprecatedRule(
+ name=POLICY_ROOT % 'show',
+ check_str=base.RULE_DENY_STACK_USER
+)
+deprecated_delete = policy.DeprecatedRule(
+ name=POLICY_ROOT % 'delete',
+ check_str=base.RULE_DENY_STACK_USER
+)
+
software_configs_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'global_index',
- check_str=base.RULE_DENY_EVERYBODY,
+ check_str=base.SYSTEM_READER,
+ scope_types=['system', 'project'],
description='List configs globally.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs',
'method': 'GET'
}
- ]
+ ],
+ deprecated_rule=deprecated_global_index,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.RULE_DENY_STACK_USER,
+ check_str=base.SYSTEM_OR_PROJECT_READER,
+ scope_types=['system', 'project'],
description='List configs.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs',
'method': 'GET'
}
- ]
+ ],
+ deprecated_rule=deprecated_index,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
- check_str=base.RULE_DENY_STACK_USER,
+ check_str=base.SYSTEM_OR_PROJECT_READER,
+ scope_types=['system', 'project'],
description='Create config.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs',
'method': 'POST'
}
- ]
+ ],
+ deprecated_rule=deprecated_create,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.RULE_DENY_STACK_USER,
+ check_str=base.SYSTEM_OR_PROJECT_READER,
+ scope_types=['system', 'project'],
description='Show config details.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs/{config_id}',
'method': 'GET'
}
- ]
+ ],
+ deprecated_rule=deprecated_show,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.RULE_DENY_STACK_USER,
+ check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['system', 'project'],
description='Delete config.',
operations=[
{
'path': '/v1/{tenant_id}/software_configs/{config_id}',
'method': 'DELETE'
}
- ]
+ ],
+ deprecated_rule=deprecated_delete,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
)
]
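Review bot: The `create` rule (POST /v1/{tenant_id}/software_configs) is given `check_str=base.SYSTEM_OR_PROJECT_READER`, which grants a mutating operation to the read-only role, while the other mutating rule in this hunk, `delete`, uses `base.SYSTEM_ADMIN_OR_PROJECT_MEMBER`. Judging by the role names (the definitions in base.py are not visible here), a project reader should be able to list and show configs but not create them, so the create rule should read `check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,`. The legacy `deprecated_create` rule keeps the old `RULE_DENY_STACK_USER` behaviour during the deprecation window, so the tightening only affects the new defaults; the secure-RBAC policy unit tests this commit describes should assert that a reader-only token is rejected on create.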