author | Lance Bragstad <lbragstad@gmail.com> | 2020-12-01 20:03:33 +0000 |
---|---|---|
committer | ramishra <ramishra@redhat.com> | 2021-03-02 09:32:41 +0530 |
commit | 93594c30eca3a52366e8138a583a00dbe5927d7d (patch) | |
tree | dc156219e5b954329d64c5a156bd1e8abde9e5fd /heat/policies/software_configs.py | |
parent | 8daa7e938985e0fc34f603debf3a8ba1413d8ff7 (diff) | |
download | heat-93594c30eca3a52366e8138a583a00dbe5927d7d.tar.gz |
Implement secure RBAC
This commit updates default policies to account for system scope
and default roles. This is part of a broader change to provide a
consistent and secure authorization experience across OpenStack
projects.
- Introduces basic/reusable check strings in base.py
- Implements secure RBAC for build info API
- Implements secure RBAC for the action API
- Implements secure RBAC for cloud formations
- Implements secure RBAC for events
- Implements secure RBAC for the resource API
- Implements secure RBAC for the service API
- Implements secure RBAC for software configs
- Implements secure RBAC for software deployments
- Implements secure RBAC for stacks
- Adds unit tests for legacy and new secure-rbac policies.
Change-Id: Iff1e39481ea3b1f00bd89dba4a00aed30334ecec
Diffstat (limited to 'heat/policies/software_configs.py')
-rw-r--r-- | heat/policies/software_configs.py | 66 |
1 files changed, 56 insertions, 10 deletions
diff --git a/heat/policies/software_configs.py b/heat/policies/software_configs.py
index 72f6f2c99..5de6535fb 100644
--- a/heat/policies/software_configs.py
+++ b/heat/policies/software_configs.py
@@ -10,67 +10,113 @@ # License for the specific language governing permissions and limitations # under the License. +from oslo_log import versionutils from oslo_policy import policy from heat.policies import base +DEPRECATED_REASON = """ +The software configuration API now support system scope and default roles. +""" + POLICY_ROOT = 'software_configs:%s' +deprecated_global_index = policy.DeprecatedRule( + name=POLICY_ROOT % 'global_index', + check_str=base.RULE_DENY_EVERYBODY +) +deprecated_index = policy.DeprecatedRule( + name=POLICY_ROOT % 'index', + check_str=base.RULE_DENY_STACK_USER +) +deprecated_create = policy.DeprecatedRule( + name=POLICY_ROOT % 'create', + check_str=base.RULE_DENY_STACK_USER +) +deprecated_show = policy.DeprecatedRule( + name=POLICY_ROOT % 'show', + check_str=base.RULE_DENY_STACK_USER +) +deprecated_delete = policy.DeprecatedRule( + name=POLICY_ROOT % 'delete', + check_str=base.RULE_DENY_STACK_USER +) + software_configs_policies = [ policy.DocumentedRuleDefault( name=POLICY_ROOT % 'global_index', - check_str=base.RULE_DENY_EVERYBODY, + check_str=base.SYSTEM_READER, + scope_types=['system', 'project'], description='List configs globally.', operations=[ { 'path': '/v1/{tenant_id}/software_configs', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_global_index, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'index', - check_str=base.RULE_DENY_STACK_USER, + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 'project'], description='List configs.', operations=[ { 'path': '/v1/{tenant_id}/software_configs', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_index, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'create', - check_str=base.RULE_DENY_STACK_USER, + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 
'project'], description='Create config.', operations=[ { 'path': '/v1/{tenant_id}/software_configs', 'method': 'POST' } - ] + ], + deprecated_rule=deprecated_create, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'show', - check_str=base.RULE_DENY_STACK_USER, + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 'project'], description='Show config details.', operations=[ { 'path': '/v1/{tenant_id}/software_configs/{config_id}', 'method': 'GET' } - ] + ], + deprecated_rule=deprecated_show, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( name=POLICY_ROOT % 'delete', - check_str=base.RULE_DENY_STACK_USER, + check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, + scope_types=['system', 'project'], description='Delete config.', operations=[ { 'path': '/v1/{tenant_id}/software_configs/{config_id}', 'method': 'DELETE' } - ] + ], + deprecated_rule=deprecated_delete, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ) ] |
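Review bot: The new `software_configs:create` rule gates a POST with `base.SYSTEM_OR_PROJECT_READER`, which grants a write operation to the reader role that secure RBAC treats as read-only, and it disagrees with the sibling `delete` rule in the same hunk, which uses `base.SYSTEM_ADMIN_OR_PROJECT_MEMBER`. Unless readers are deliberately meant to create software configs, the check should be `check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,` (or whichever member-level check string base.py defines, which is not visible here) so that create and delete agree; during the deprecation window the old `RULE_DENY_STACK_USER` fallback is OR'd in anyway, so the reader default only bites once the legacy rule is dropped. A smaller point: `global_index` keeps `scope_types=['system', 'project']` while its check string is `base.SYSTEM_READER`, which a project-scoped token can never satisfy, so `scope_types=['system']` would state the actual intent unless the project entry is kept on purpose for the deprecated-rule fallback. The `DEPRECATED_REASON` text says "now support system scope"; it should read "now supports".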