authorGhanshyam Mann <gmann@ghanshyammann.com>2022-02-09 23:35:16 -0600
committerGhanshyam Mann <gmann@ghanshyammann.com>2022-02-19 18:19:34 -0600
commitd7be635fb4a2f51f39cb62b08cc6b7569f5f60f8 (patch)
tree36f27459d00b05a32a670139ed0c395c68a9b976 /nova/policies
parent60c9e3edadb3497043d20361ff665ed72241301e (diff)
downloadnova-d7be635fb4a2f51f39cb62b08cc6b7569f5f60f8.tar.gz
Make more project level APIs scoped to project only
As per the new RBAC direction, project resource operations will be allowed only with a project-scoped token, and system users will be allowed to perform only system-level operations, not project-resource-specific ones. Details about the new direction can be found in the community-wide goal - https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html This commit modifies more project-level APIs to be scoped to project only. It also modifies and adds tests for four cases: 1. enforce_scope=False + legacy rule (current default policies) 2. enforce_scope=False + no legacy rule 3. enforce_scope=True + legacy rule 4. enforce_scope=True + no legacy rule (end goal of new RBAC) Partially implements blueprint policy-defaults-refresh-2 Change-Id: I6731aa6edd0c6bed5edb9eaaaa98b5e43aaeeb74
Diffstat (limited to 'nova/policies')
-rw-r--r--nova/policies/attach_interfaces.py16
-rw-r--r--nova/policies/floating_ips.py24
-rw-r--r--nova/policies/instance_actions.py16
-rw-r--r--nova/policies/ips.py8
-rw-r--r--nova/policies/networks.py8
-rw-r--r--nova/policies/quota_sets.py25
-rw-r--r--nova/policies/security_groups.py40
-rw-r--r--nova/policies/server_groups.py25
-rw-r--r--nova/policies/server_metadata.py24
-rw-r--r--nova/policies/server_password.py8
-rw-r--r--nova/policies/server_tags.py24
-rw-r--r--nova/policies/server_topology.py8
-rw-r--r--nova/policies/simple_tenant_usage.py8
-rw-r--r--nova/policies/tenant_networks.py8
-rw-r--r--nova/policies/volumes.py40
-rw-r--r--nova/policies/volumes_attachments.py31
16 files changed, 160 insertions, 153 deletions
diff --git a/nova/policies/attach_interfaces.py b/nova/policies/attach_interfaces.py
index cabe525674..eb365fd99d 100644
--- a/nova/policies/attach_interfaces.py
+++ b/nova/policies/attach_interfaces.py
@@ -37,7 +37,7 @@ DEPRECATED_INTERFACES_POLICY = policy.DeprecatedRule(
attach_interfaces_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'list',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List port interfaces attached to a server",
operations=[
{
@@ -45,11 +45,11 @@ attach_interfaces_policies = [
'path': '/servers/{server_id}/os-interface'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show details of a port interface attached to a server",
operations=[
{
@@ -57,11 +57,11 @@ attach_interfaces_policies = [
'path': '/servers/{server_id}/os-interface/{port_id}'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Attach an interface to a server",
operations=[
{
@@ -69,11 +69,11 @@ attach_interfaces_policies = [
'path': '/servers/{server_id}/os-interface'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_INTERFACES_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Detach an interface from a server",
operations=[
{
@@ -81,7 +81,7 @@ attach_interfaces_policies = [
'path': '/servers/{server_id}/os-interface/{port_id}'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_INTERFACES_POLICY)
]
diff --git a/nova/policies/floating_ips.py b/nova/policies/floating_ips.py
index 0b8d8c53f6..2cb5b34679 100644
--- a/nova/policies/floating_ips.py
+++ b/nova/policies/floating_ips.py
@@ -38,7 +38,7 @@ DEPRECATED_FIP_POLICY = policy.DeprecatedRule(
floating_ips_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'add',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Associate floating IPs to server. "
" This API is deprecated.",
operations=[
@@ -47,11 +47,11 @@ floating_ips_policies = [
'path': '/servers/{server_id}/action (addFloatingIp)'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'remove',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Disassociate floating IPs to server. "
" This API is deprecated.",
operations=[
@@ -60,11 +60,11 @@ floating_ips_policies = [
'path': '/servers/{server_id}/action (removeFloatingIp)'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List floating IPs. This API is deprecated.",
operations=[
{
@@ -72,11 +72,11 @@ floating_ips_policies = [
'path': '/os-floating-ips'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Create floating IPs. This API is deprecated.",
operations=[
{
@@ -84,11 +84,11 @@ floating_ips_policies = [
'path': '/os-floating-ips'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show floating IPs. This API is deprecated.",
operations=[
{
@@ -96,11 +96,11 @@ floating_ips_policies = [
'path': '/os-floating-ips/{floating_ip_id}'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_FIP_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Delete floating IPs. This API is deprecated.",
operations=[
{
@@ -108,7 +108,7 @@ floating_ips_policies = [
'path': '/os-floating-ips/{floating_ip_id}'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_FIP_POLICY),
]
diff --git a/nova/policies/instance_actions.py b/nova/policies/instance_actions.py
index 0447005b1d..85e2f63244 100644
--- a/nova/policies/instance_actions.py
+++ b/nova/policies/instance_actions.py
@@ -38,7 +38,7 @@ DEPRECATED_INSTANCE_ACTION_POLICY = policy.DeprecatedRule(
instance_actions_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'events:details',
- check_str=base.SYSTEM_READER,
+ check_str=base.PROJECT_ADMIN,
description="""Add "details" key in action events for a server.
This check is performed only after the check
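Review bot: The `events:details` check_str moves from `SYSTEM_READER` to `PROJECT_ADMIN` with no `deprecated_rule`, unlike the `list` and `show` rules later in this file, so a deployment whose operators hold system-scoped reader tokens loses access to event details outright instead of seeing a deprecation warning; either attach a deprecated rule carrying the old check or make sure a release note covers it (none is visible in this diff). The same pattern appears in the `events` hunk below and in `index:all_projects` in server_groups.py, `host:index` in server_topology.py and `list` in simple_tenant_usage.py. The replacement also requires the admin role for what was a read-only reader tier, so no non-admin role can see the host information these rules gate any more; if that is intended, say so in the rule description. That description starts at the end of this hunk and continues outside it, so check that it does not still refer to system readers.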
@@ -56,10 +56,10 @@ but in the other hand it might leak information about the deployment
'path': '/servers/{server_id}/os-instance-actions/{request_id}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'events',
- check_str=base.SYSTEM_READER,
+ check_str=base.PROJECT_ADMIN,
description="""Add events details in action details for a server.
This check is performed only after the check
os_compute_api:os-instance-actions:show passes. Beginning with Microversion
@@ -73,10 +73,10 @@ passes, the name of the host.""",
'path': '/servers/{server_id}/os-instance-actions/{request_id}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'list',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""List actions for a server.""",
operations=[
{
@@ -84,11 +84,11 @@ passes, the name of the host.""",
'path': '/servers/{server_id}/os-instance-actions'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""Show action details for a server.""",
operations=[
{
@@ -96,7 +96,7 @@ passes, the name of the host.""",
'path': '/servers/{server_id}/os-instance-actions/{request_id}'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
]
diff --git a/nova/policies/ips.py b/nova/policies/ips.py
index aeee77ceaf..d63c345389 100644
--- a/nova/policies/ips.py
+++ b/nova/policies/ips.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:ips:%s'
ips_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show IP addresses details for a network label of a "
" server",
operations=[
@@ -33,10 +33,10 @@ ips_policies = [
'path': '/servers/{server_id}/ips/{network_label}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List IP addresses that are assigned to a server",
operations=[
{
@@ -44,7 +44,7 @@ ips_policies = [
'path': '/servers/{server_id}/ips'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
]
diff --git a/nova/policies/networks.py b/nova/policies/networks.py
index 59fb166708..ab0ce1512b 100644
--- a/nova/policies/networks.py
+++ b/nova/policies/networks.py
@@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
networks_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'list',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""List networks for the project.
This API is proxy calls to the Network service. This is deprecated.""",
@@ -48,11 +48,11 @@ This API is proxy calls to the Network service. This is deprecated.""",
'path': '/os-networks'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""Show network details.
This API is proxy calls to the Network service. This is deprecated.""",
@@ -62,7 +62,7 @@ This API is proxy calls to the Network service. This is deprecated.""",
'path': '/os-networks/{network_id}'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
]
diff --git a/nova/policies/quota_sets.py b/nova/policies/quota_sets.py
index ac141a2c24..2aa7439390 100644
--- a/nova/policies/quota_sets.py
+++ b/nova/policies/quota_sets.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-quota-sets:%s'
quota_sets_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.PROJECT_ADMIN,
description="Update the quotas",
operations=[
{
@@ -32,7 +32,7 @@ quota_sets_policies = [
'path': '/os-quota-sets/{tenant_id}'
}
],
- scope_types=['system']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'defaults',
check_str=base.RULE_ANY,
@@ -46,7 +46,13 @@ quota_sets_policies = [
scope_types=['system', 'project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ # TODO(gmann): Until we have domain admin or so to get other project's
+ # data, allow admin role(with scope check it will be project admin) to
+ # get other project quota. We cannot use PROJECT_ADMIN here as
+ # project_id passed in request url is used as policy targets which
+ # would not match with context's project_id fetched for rule
+ # PROJECT_ADMIN check.
+ check_str='(' + base.PROJECT_READER + ') or role:admin',
description="Show a quota",
operations=[
{
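Review bot: The new `show` check ends in an unqualified `role:admin`, which under scope enforcement admits the admin of any project to any project's quota, since nothing ties the admin role to the target `project_id`; the TODO explains why `PROJECT_ADMIN` cannot be used, but it should also state that this cross-project read is the intended interim widening, e.g. append `# NOTE: this lets the admin of any project read any project's quota, not only the target one.` The `detail` rule later in this file gets the same check with a shorter comment that drops the target-mismatch reason; point it at the `show` comment rather than leaving the rationale in one place. The comment's own reasoning — that the URL's tenant_id is the policy target — raises the question of whether `update` and `delete`, now `PROJECT_ADMIN`, can still act on another project's quota, and the same applies to `index:all_projects` in server_groups.py; the controllers are not in this diff, so this is worth confirming against the target each one passes. As a style point, the check could be written `check_str=f'({base.PROJECT_READER}) or role:admin'`.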
@@ -54,10 +60,10 @@ quota_sets_policies = [
'path': '/os-quota-sets/{tenant_id}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.PROJECT_ADMIN,
description="Revert quotas to defaults",
operations=[
{
@@ -65,10 +71,13 @@ quota_sets_policies = [
'path': '/os-quota-sets/{tenant_id}'
}
],
- scope_types=['system']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'detail',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ # TODO(gmann): Until we have domain admin or so to get other project's
+ # data, allow admin role(with scope check it will be project admin) to
+ # get other project quota.
+ check_str='(' + base.PROJECT_READER + ') or role:admin',
description="Show the detail of quota",
operations=[
{
@@ -76,7 +85,7 @@ quota_sets_policies = [
'path': '/os-quota-sets/{tenant_id}/detail'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
]
diff --git a/nova/policies/security_groups.py b/nova/policies/security_groups.py
index b09a6632c3..e5649d5da5 100644
--- a/nova/policies/security_groups.py
+++ b/nova/policies/security_groups.py
@@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
security_groups_policies = [
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'get',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List security groups. This API is deprecated.",
operations=[
{
@@ -46,11 +46,11 @@ security_groups_policies = [
'path': '/os-security-groups'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show security group. This API is deprecated.",
operations=[
{
@@ -58,11 +58,11 @@ security_groups_policies = [
'path': '/os-security-groups/{security_group_id}'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'create',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Create security group. This API is deprecated.",
operations=[
{
@@ -70,11 +70,11 @@ security_groups_policies = [
'path': '/os-security-groups'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'update',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Update security group. This API is deprecated.",
operations=[
{
@@ -82,11 +82,11 @@ security_groups_policies = [
'path': '/os-security-groups/{security_group_id}'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Delete security group. This API is deprecated.",
operations=[
{
@@ -94,11 +94,11 @@ security_groups_policies = [
'path': '/os-security-groups/{security_group_id}'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'rule:create',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Create security group Rule. This API is deprecated.",
operations=[
{
@@ -106,11 +106,11 @@ security_groups_policies = [
'path': '/os-security-group-rules'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'rule:delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Delete security group Rule. This API is deprecated.",
operations=[
{
@@ -118,11 +118,11 @@ security_groups_policies = [
'path': '/os-security-group-rules/{security_group_id}'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'list',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List security groups of server.",
operations=[
{
@@ -130,11 +130,11 @@ security_groups_policies = [
'path': '/servers/{server_id}/os-security-groups'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'add',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Add security groups to server.",
operations=[
{
@@ -142,11 +142,11 @@ security_groups_policies = [
'path': '/servers/{server_id}/action (addSecurityGroup)'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'remove',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Remove security groups from server.",
operations=[
{
@@ -154,7 +154,7 @@ security_groups_policies = [
'path': '/servers/{server_id}/action (removeSecurityGroup)'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
]
diff --git a/nova/policies/server_groups.py b/nova/policies/server_groups.py
index 55176b8a6a..be1cb62835 100644
--- a/nova/policies/server_groups.py
+++ b/nova/policies/server_groups.py
@@ -32,20 +32,11 @@ server_groups_policies = [
'method': 'POST'
}
],
- # (NOTE)gmann: Reason for 'project' only scope:
- # POST SG need project_id to create the serve groups
- # system scope members do not have project id for which
- # SG needs to be created.
- # If we allow system scope role also then created SG will have
- # project_id of system role, not the one he/she wants to create the SG
- # for (nobody can create the SG for other projects because API does
- # not take project id in request ). So keeping this scoped to project
- # only as these roles are the only ones who will be creating SG.
scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Delete a server group",
operations=[
{
@@ -53,11 +44,11 @@ server_groups_policies = [
'method': 'DELETE'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List all server groups",
operations=[
{
@@ -65,11 +56,11 @@ server_groups_policies = [
'method': 'GET'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index:all_projects',
- check_str=base.SYSTEM_READER,
+ check_str=base.PROJECT_ADMIN,
description="List all server groups for all projects",
operations=[
{
@@ -77,11 +68,11 @@ server_groups_policies = [
'method': 'GET'
}
],
- scope_types=['system']
+ scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show details of a server group",
operations=[
{
@@ -89,7 +80,7 @@ server_groups_policies = [
'method': 'GET'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
]
diff --git a/nova/policies/server_metadata.py b/nova/policies/server_metadata.py
index 198e6e4643..1e6b525cb6 100644
--- a/nova/policies/server_metadata.py
+++ b/nova/policies/server_metadata.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:server-metadata:%s'
server_metadata_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List all metadata of a server",
operations=[
{
@@ -32,11 +32,11 @@ server_metadata_policies = [
'method': 'GET'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show metadata for a server",
operations=[
{
@@ -44,11 +44,11 @@ server_metadata_policies = [
'method': 'GET'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Create metadata for a server",
operations=[
{
@@ -56,11 +56,11 @@ server_metadata_policies = [
'method': 'POST'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update_all',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Replace metadata for a server",
operations=[
{
@@ -68,11 +68,11 @@ server_metadata_policies = [
'method': 'PUT'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Update metadata from a server",
operations=[
{
@@ -80,11 +80,11 @@ server_metadata_policies = [
'method': 'PUT'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Delete metadata from a server",
operations=[
{
@@ -92,7 +92,7 @@ server_metadata_policies = [
'method': 'DELETE'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
]
diff --git a/nova/policies/server_password.py b/nova/policies/server_password.py
index a861d3086c..95fa95830c 100644
--- a/nova/policies/server_password.py
+++ b/nova/policies/server_password.py
@@ -37,7 +37,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
server_password_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show the encrypted administrative "
"password of a server",
operations=[
@@ -46,11 +46,11 @@ server_password_policies = [
'path': '/servers/{server_id}/os-server-password'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'clear',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Clear the encrypted administrative "
"password of a server",
operations=[
@@ -59,7 +59,7 @@ server_password_policies = [
'path': '/servers/{server_id}/os-server-password'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
]
diff --git a/nova/policies/server_tags.py b/nova/policies/server_tags.py
index 619941f759..014c8d1488 100644
--- a/nova/policies/server_tags.py
+++ b/nova/policies/server_tags.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-server-tags:%s'
server_tags_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete_all',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Delete all the server tags",
operations=[
{
@@ -32,10 +32,10 @@ server_tags_policies = [
'path': '/servers/{server_id}/tags'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List all tags for given server",
operations=[
{
@@ -43,10 +43,10 @@ server_tags_policies = [
'path': '/servers/{server_id}/tags'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update_all',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Replace all tags on specified server with the new set "
"of tags.",
operations=[
@@ -56,10 +56,10 @@ server_tags_policies = [
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Delete a single tag from the specified server",
operations=[
{
@@ -67,11 +67,11 @@ server_tags_policies = [
'path': '/servers/{server_id}/tags/{tag}'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Add a single tag to the server if server has no "
"specified tag",
operations=[
@@ -80,11 +80,11 @@ server_tags_policies = [
'path': '/servers/{server_id}/tags/{tag}'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Check tag existence on the server.",
operations=[
{
@@ -92,7 +92,7 @@ server_tags_policies = [
'path': '/servers/{server_id}/tags/{tag}'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
]
diff --git a/nova/policies/server_topology.py b/nova/policies/server_topology.py
index 4ebbc43888..7b68e67481 100644
--- a/nova/policies/server_topology.py
+++ b/nova/policies/server_topology.py
@@ -21,7 +21,7 @@ BASE_POLICY_NAME = 'compute:server:topology:%s'
server_topology_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'index',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show the NUMA topology data for a server",
operations=[
{
@@ -29,11 +29,11 @@ server_topology_policies = [
'path': '/servers/{server_id}/topology'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
# Control host NUMA node and cpu pinning information
name=BASE_POLICY_NAME % 'host:index',
- check_str=base.SYSTEM_READER,
+ check_str=base.PROJECT_ADMIN,
description="Show the NUMA topology data for a server with host "
"NUMA ID and CPU pinning information",
operations=[
@@ -42,7 +42,7 @@ server_topology_policies = [
'path': '/servers/{server_id}/topology'
}
],
- scope_types=['system']),
+ scope_types=['project']),
]
diff --git a/nova/policies/simple_tenant_usage.py b/nova/policies/simple_tenant_usage.py
index 85ebffbb30..d97d5909eb 100644
--- a/nova/policies/simple_tenant_usage.py
+++ b/nova/policies/simple_tenant_usage.py
@@ -24,7 +24,7 @@ POLICY_ROOT = 'os_compute_api:os-simple-tenant-usage:%s'
simple_tenant_usage_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show usage statistics for a specific tenant",
operations=[
{
@@ -32,10 +32,10 @@ simple_tenant_usage_policies = [
'path': '/os-simple-tenant-usage/{tenant_id}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'list',
- check_str=base.SYSTEM_READER,
+ check_str=base.PROJECT_ADMIN,
description="List per tenant usage statistics for all tenants",
operations=[
{
@@ -43,7 +43,7 @@ simple_tenant_usage_policies = [
'path': '/os-simple-tenant-usage'
}
],
- scope_types=['system']),
+ scope_types=['project']),
]
diff --git a/nova/policies/tenant_networks.py b/nova/policies/tenant_networks.py
index a3eace29b4..ee5bd66cdf 100644
--- a/nova/policies/tenant_networks.py
+++ b/nova/policies/tenant_networks.py
@@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
tenant_networks_policies = [
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'list',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""List project networks.
This API is proxy calls to the Network service. This is deprecated.""",
@@ -48,11 +48,11 @@ This API is proxy calls to the Network service. This is deprecated.""",
'path': '/os-tenant-networks'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""Show project network details.
This API is proxy calls to the Network service. This is deprecated.""",
@@ -62,7 +62,7 @@ This API is proxy calls to the Network service. This is deprecated.""",
'path': '/os-tenant-networks/{network_id}'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
]
diff --git a/nova/policies/volumes.py b/nova/policies/volumes.py
index a4237a14e6..0ee941074d 100644
--- a/nova/policies/volumes.py
+++ b/nova/policies/volumes.py
@@ -38,7 +38,7 @@ DEPRECATED_POLICY = policy.DeprecatedRule(
volumes_policies = [
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'list',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""List volumes.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -48,11 +48,11 @@ This API is a proxy call to the Volume service. It is deprecated.""",
'path': '/os-volumes'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'create',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="""Create volume.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -62,11 +62,11 @@ This API is a proxy call to the Volume service. It is deprecated.""",
'path': '/os-volumes'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'detail',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""List volumes detail.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -76,11 +76,11 @@ This API is a proxy call to the Volume service. It is deprecated.""",
'path': '/os-volumes/detail'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""Show volume.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -90,11 +90,11 @@ This API is a proxy call to the Volume service. It is deprecated.""",
'path': '/os-volumes/{volume_id}'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="""Delete volume.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -104,11 +104,11 @@ This API is a proxy call to the Volume service. It is deprecated.""",
'path': '/os-volumes/{volume_id}'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:list',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""List snapshots.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -118,11 +118,11 @@ This API is a proxy call to the Volume service. It is deprecated.""",
'path': '/os-snapshots'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:create',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="""Create snapshots.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -132,11 +132,11 @@ This API is a proxy call to the Volume service. It is deprecated.""",
'path': '/os-snapshots'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:detail',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""List snapshots details.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -146,11 +146,11 @@ This API is a proxy call to the Volume service. It is deprecated.""",
'path': '/os-snapshots/detail'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="""Show snapshot.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -160,11 +160,11 @@ This API is a proxy call to the Volume service. It is deprecated.""",
'path': '/os-snapshots/{snapshot_id}'
},
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
policy.DocumentedRuleDefault(
name=POLICY_NAME % 'snapshots:delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="""Delete snapshot.
This API is a proxy call to the Volume service. It is deprecated.""",
@@ -174,7 +174,7 @@ This API is a proxy call to the Volume service. It is deprecated.""",
'path': '/os-snapshots/{snapshot_id}'
}
],
- scope_types=['system', 'project'],
+ scope_types=['project'],
deprecated_rule=DEPRECATED_POLICY),
]
diff --git a/nova/policies/volumes_attachments.py b/nova/policies/volumes_attachments.py
index 7b229f598f..20b3a2f3e6 100644
--- a/nova/policies/volumes_attachments.py
+++ b/nova/policies/volumes_attachments.py
@@ -24,17 +24,17 @@ POLICY_ROOT = 'os_compute_api:os-volumes-attachments:%s'
volumes_attachments_policies = [
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List volume attachments for an instance",
operations=[
{'method': 'GET',
'path': '/servers/{server_id}/os-volume_attachments'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Attach a volume to an instance",
operations=[
{
@@ -42,10 +42,10 @@ volumes_attachments_policies = [
'path': '/servers/{server_id}/os-volume_attachments'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show details of a volume attachment",
operations=[
{
@@ -54,10 +54,10 @@ volumes_attachments_policies = [
'/servers/{server_id}/os-volume_attachments/{volume_id}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="""Update a volume attachment.
New 'update' policy about 'swap + update' request (which is possible
only >2.85) only <swap policy> is checked. We expect <swap policy> to be
@@ -70,10 +70,17 @@ always superset of this policy permission.
'/servers/{server_id}/os-volume_attachments/{volume_id}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'swap',
- check_str=base.SYSTEM_ADMIN,
+ # TODO(gmann): This is internal API policy and supposed to be called
+ # only by cinder. Add 'service' role in this policy so that cinder
+ # can call it with user having 'service' role (not having server's
+ # project_id). That is for phase-2 of RBAC goal and until then,
+ # we keep it open for all admin in any project. We cannot default it to
+ # PROJECT_ADMIN which has the project_id in check_str and will fail
+ # if cinder call it with other project_id.
+ check_str=base.ADMIN,
description="Update a volume attachment with a different volumeId",
operations=[
{
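Review bot: The swap rule's new default `check_str=base.ADMIN` combined with a project-only scope means, as the TODO above it concedes, that an admin token from any project can swap the attached volume on any server, yet the operator-facing description on the line after it still reads like an ordinary per-server policy. Because that description is what lands in the generated policy sample, it should carry the caveat, e.g. `description="Update a volume attachment with a different volumeId. Intended to be called only by the Volume service (cinder); the default is deliberately open to admin in any project until a 'service' role check is available",`. The rule's closing `scope_types` line sits in the following hunk, where it moves from `['system']` to `['project']`, so a system-scoped cinder token would presumably be rejected once scope enforcement is enabled — worth a sentence in the release note if it is not already there. Wording nit in the TODO: `if cinder call it` → `if cinder calls it`.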
@@ -82,10 +89,10 @@ always superset of this policy permission.
'/servers/{server_id}/os-volume_attachments/{volume_id}'
}
],
- scope_types=['system']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Detach a volume from an instance",
operations=[
{
@@ -94,7 +101,7 @@ always superset of this policy permission.
'/servers/{server_id}/os-volume_attachments/{volume_id}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
]