authorZuul <zuul@review.opendev.org>2021-02-12 18:20:34 +0000
committerGerrit Code Review <review@openstack.org>2021-02-12 18:20:34 +0000
commit1adee0cf5dbadd639264702dc648480174e100e3 (patch)
tree8a5c45c2d3363ca879c2243f611a870a4a018402
parent4b6a18f24cc79f86bde1a27dea351fc06282e961 (diff)
parente77d1b553aedd69d68fdedd43b842e252fd39439 (diff)
Merge "Introduce common personas for secure RBAC"
-rw-r--r--ironic/common/policy.py50
1 files changed, 50 insertions, 0 deletions
diff --git a/ironic/common/policy.py b/ironic/common/policy.py
index efb92c5a5..80fd47c1c 100644
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@@ -37,6 +37,55 @@ LOG = log.getLogger(__name__)
DEFAULT_POLICY_FILE = 'policy.yaml'
opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
+# Generic policy check string for system administrators. These are the people
+# who need the highest level of authorization to operate the deployment.
+# They're allowed to create, read, update, or delete any system-specific
+# resource. They can also operate on project-specific resources where
+# applicable (e.g., cleaning up baremetal hosts)
+SYSTEM_ADMIN = 'role:admin and system_scope:all'
+
+# Generic policy check string for system users who don't require all the
+# authorization that system administrators typically have. This persona, or
+# check string, typically isn't used by default, but it's existence it useful
+# in the event a deployment wants to offload some administrative action from
+# system administrator to system members
+SYSTEM_MEMBER = 'role:member and system_scope:all'
+
+# Generic policy check string for read-only access to system-level resources.
+# This persona is useful for someone who needs access for auditing or even
+# support. These uses are also able to view project-specific resources where
+# applicable (e.g., listing all volumes in the deployment, regardless of the
+# project they belong to).
+SYSTEM_READER = 'role:reader and system_scope:all'
+
+# This check string is reserved for actions that require the highest level of
+# authorization on a project or resources within the project (e.g., setting the
+# default volume type for a project)
+PROJECT_ADMIN = ('role:admin and '
+ 'project_id:%(node.owner)s')
+# This check string is the primary use case for typical end-users, who are
+# working with resources that belong to a project (e.g., creating volumes and
+# backups).
+PROJECT_MEMBER = ('role:member and '
+ '(project_id:%(node.owner)s or project_id:%(node.lessee)s)')
+
+# This check string should only be used to protect read-only project-specific
+# resources. It should not be used to protect APIs that make writable changes
+# (e.g., updating a volume or deleting a backup).
+PROJECT_READER = ('role:reader and '
+ '(project_id:%(node.owner)s or project_id:%(node.lessee)s)')
+
+# The following are common composite check strings that are useful for
+# protecting APIs designed to operate with multiple scopes (e.g., a system
+# administrator should be able to delete any baremetal host in the deployment,
+# a project member should only be able to delete hosts in their project).
+SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
+ '(' + SYSTEM_ADMIN + ') or (' + PROJECT_MEMBER + ')'
+)
+SYSTEM_OR_PROJECT_READER = (
+ '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')'
+)
+
default_policies = [
# Legacy setting, don't remove. Likely to be overridden by operators who
# forget to update their policy.json configuration file.
@@ -62,6 +111,7 @@ default_policies = [
'!',
description='Show or mask secrets within instance information in API responses'), # noqa
# Roles likely to be overridden by operator
+ # TODO(TheJulia): Lets nuke demo from high orbit.
policy.RuleDefault('is_member',
'(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)', # noqa
description='May be used to restrict access to specific projects'), # noqa