authorDan Smith <dansmith@redhat.com>2021-11-01 10:05:08 -0700
committerDan Smith <dansmith@redhat.com>2021-12-01 08:54:34 -0800
commitd9190912b95b788394864141b709e6e0dd2ebf27 (patch)
treed390030580bbc7b615d359cdb2552cfb4bc40690 /nova/policies
parent1850097ec177ed1fe03bd14d619a211a8f26d08f (diff)
Revert project-specific APIs for servers
This attempts to move us back to just allowing project-scoped tokens for project resources when scope checking is enabled. It does this for servers and flavor_extra_specs, since the latter depends on the policy of the former. There is a lot more churn in here than just that conversion, as I added a helper method and moved from using two lists for everything to one. Had I known I was going to do that initially, I would have done it in a refactor first, but alas getting things to work ended up being easier if I used that approach, and thus did them together. That could be pulled out (with some effort) if people feel strongly about it, but hopefully this can just set the base for going forward. This also adds a new test scenario to both servers and extra_specs, which validates that we can enable the new rules without scope checking enabled. Change-Id: I395d97558c36200a6f6ba7c804ab2a9ac5e51d04
Diffstat (limited to 'nova/policies')
-rw-r--r--nova/policies/base.py7
-rw-r--r--nova/policies/extended_server_attributes.py4
-rw-r--r--nova/policies/flavor_extra_specs.py8
-rw-r--r--nova/policies/servers.py116
4 files changed, 59 insertions, 76 deletions
diff --git a/nova/policies/base.py b/nova/policies/base.py
index b04410425d..afa6e4c0c7 100644
--- a/nova/policies/base.py
+++ b/nova/policies/base.py
@@ -56,6 +56,7 @@ PROJECT_MEMBER = 'rule:project_member_api'
PROJECT_READER = 'rule:project_reader_api'
PROJECT_MEMBER_OR_SYSTEM_ADMIN = 'rule:system_admin_or_owner'
PROJECT_READER_OR_SYSTEM_READER = 'rule:system_or_project_reader'
+ADMIN = 'rule:context_is_admin'
# NOTE(gmann): Below is the mapping of new roles and scope_types
# with legacy roles::
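Review bot: The new `ADMIN` constant carries no comment saying when a policy should use it instead of `PROJECT_ADMIN`, yet this same commit picks `ADMIN` for the flavor extra spec create/update/delete rules and `PROJECT_ADMIN` for every server rule. Since `context_is_admin` is defined a few lines down as plain `role:admin`, the difference appears to be the absence of any project predicate, which matters for resources no project owns. A one-line comment above the constant would spare the next policy author from guessing: `# Admin role with no project predicate (context_is_admin is role:admin); use for resources that are not owned by a project, such as flavors.`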
@@ -88,7 +89,8 @@ rules = [
policy.RuleDefault(
"context_is_admin",
"role:admin",
- "Decides what is required for the 'is_admin:True' check to succeed."),
+ "Decides what is required for the 'is_admin:True' check to succeed.",
+ deprecated_rule=DEPRECATED_ADMIN_POLICY),
policy.RuleDefault(
"admin_or_owner",
"is_admin:True or project_id:%(project_id)s",
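Review bot: Attaching `deprecated_rule=DEPRECATED_ADMIN_POLICY` to `context_is_admin` widens the rule for the whole deprecation window, because oslo.policy evaluates an un-overridden rule as the new check OR the deprecated check_str, and nothing in the hunk records that this is intended. `DEPRECATED_ADMIN_POLICY` is defined outside the hunk, so what exactly is ORed in cannot be confirmed here, but if `is_admin:True` elsewhere in this file is derived from this rule, every `is_admin:True` consumer (the `admin_or_owner` rule right below, for one) inherits the widening. The same applies to the next hunk, where `project_reader_api` gains `DEPRECATED_ADMIN_OR_OWNER_POLICY`: if that maps to the `admin_or_owner` check shown here, any project-scoped token with a matching `project_id` satisfies the reader rule without holding the reader role until the deprecation ends. A comment on each such line would make the transitional behaviour explicit, e.g. `# NOTE: until the deprecation period ends, oslo.policy also accepts the deprecated check_str for this rule; operators who have not overridden it get the union of both.`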
@@ -126,7 +128,8 @@ rules = [
policy.RuleDefault(
"project_reader_api",
"role:reader and project_id:%(project_id)s",
- "Default rule for Project level read only APIs."),
+ "Default rule for Project level read only APIs.",
+ deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
policy.RuleDefault(
name="system_admin_or_owner",
check_str="rule:system_admin_api or rule:project_member_api",
diff --git a/nova/policies/extended_server_attributes.py b/nova/policies/extended_server_attributes.py
index 93444219ff..ce5c531a73 100644
--- a/nova/policies/extended_server_attributes.py
+++ b/nova/policies/extended_server_attributes.py
@@ -24,7 +24,7 @@ BASE_POLICY_NAME = 'os_compute_api:os-extended-server-attributes'
extended_server_attributes_policies = [
policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME,
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.PROJECT_ADMIN,
description="""Return extended attributes for server.
This rule will control the visibility for a set of servers attributes:
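Review bot: The commit description names only servers and flavor_extra_specs as converted, but this hunk converts `os-extended-server-attributes` from `SYSTEM_ADMIN` to `PROJECT_ADMIN` as well (and the second hunk in this file narrows its `scope_types` to `project`). Presumably this follows because the attributes are part of the server show/detail responses governed by the servers policy, but that reasoning is not recorded anywhere. Since these attributes expose host-level details, operators auditing the policy change will want the description to list this file and the reason it moves with the server rules. The rule's description string continues outside the hunk.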
@@ -66,7 +66,7 @@ is therefore deprecated and will be removed in a future release.
'path': '/servers/{server_id}/action (rebuild)'
}
],
- scope_types=['system', 'project']
+ scope_types=['project']
),
]
diff --git a/nova/policies/flavor_extra_specs.py b/nova/policies/flavor_extra_specs.py
index 9355a9719d..7335763d4b 100644
--- a/nova/policies/flavor_extra_specs.py
+++ b/nova/policies/flavor_extra_specs.py
@@ -37,7 +37,7 @@ flavor_extra_specs_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'create',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Create extra specs for a flavor",
operations=[
{
@@ -49,7 +49,7 @@ flavor_extra_specs_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'update',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Update an extra spec for a flavor",
operations=[
{
@@ -62,7 +62,7 @@ flavor_extra_specs_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'delete',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.ADMIN,
description="Delete an extra spec for a flavor",
operations=[
{
@@ -75,7 +75,7 @@ flavor_extra_specs_policies = [
),
policy.DocumentedRuleDefault(
name=POLICY_ROOT % 'index',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List extra specs for a flavor. Starting with "
"microversion 2.47, the flavor used for a server is also returned "
"in the response when showing server details, updating a server or "
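Review bot: `index` now uses `base.PROJECT_READER`, whose `project_reader_api` rule requires `project_id:%(project_id)s`, but a flavor extra spec has no owning project, so what that predicate means depends entirely on the target the API layer passes. If the API relies on the default target of the caller's own project, the predicate is trivially true and the rule reduces to "holds the reader role"; that is fine but should be written down, particularly because create/update/delete in this file use `base.ADMIN`, which has no project predicate at all. A comment on the `check_str` line would settle it: `# flavors are not project-owned; with the default target this only asserts the reader role in the caller's project`. The rule's description continues outside the hunk.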
diff --git a/nova/policies/servers.py b/nova/policies/servers.py
index 54e5301fb9..c5b1592d8f 100644
--- a/nova/policies/servers.py
+++ b/nova/policies/servers.py
@@ -25,7 +25,7 @@ CROSS_CELL_RESIZE = 'compute:servers:resize:cross_cell'
rules = [
policy.DocumentedRuleDefault(
name=SERVERS % 'index',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List all servers",
operations=[
{
@@ -33,10 +33,10 @@ rules = [
'path': '/servers'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'detail',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="List all servers with detailed information",
operations=[
{
@@ -44,10 +44,10 @@ rules = [
'path': '/servers/detail'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'index:get_all_tenants',
- check_str=base.SYSTEM_READER,
+ check_str=base.PROJECT_ADMIN,
description="List all servers for all projects",
operations=[
{
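Review bot: `index:get_all_tenants` moves from `SYSTEM_READER` to `PROJECT_ADMIN`, so the only way to list servers across all projects is now an admin role; a read-only auditing persona that previously had this via system reader has no equivalent. The same change appears for `detail:get_all_tenants` and `allow_all_filters` in the following hunks, and none of the three explains why a read capability now needs admin. Presumably it is because a project-bound reader cannot express cross-project access, and that deserves a comment above the first of these rules: `# Cross-project listing cannot be granted to a project-bound reader, so it is an admin capability by default.` Whether `PROJECT_ADMIN` also binds to `project_id` is not visible here; if it does, the target passed for an all-tenants request decides which project's admin role qualifies.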
@@ -55,10 +55,11 @@ rules = [
'path': '/servers'
}
],
- scope_types=['system']),
+ scope_types=['project']),
+
policy.DocumentedRuleDefault(
name=SERVERS % 'detail:get_all_tenants',
- check_str=base.SYSTEM_READER,
+ check_str=base.PROJECT_ADMIN,
description="List all servers with detailed information for "
" all projects",
operations=[
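Review bot: The added blank line between the `index:get_all_tenants` and `detail:get_all_tenants` entries is the only blank separator inside the `rules` list; every other `policy.DocumentedRuleDefault(` in this file follows the previous entry's closing `]),` directly. It reads as an accidental leftover rather than a grouping, so it should be dropped to keep the list uniform. The `rules` list begins and ends outside this hunk.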
@@ -67,10 +68,10 @@ rules = [
'path': '/servers/detail'
}
],
- scope_types=['system']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'allow_all_filters',
- check_str=base.SYSTEM_READER,
+ check_str=base.PROJECT_ADMIN,
description="Allow all filters when listing servers",
operations=[
{
@@ -82,10 +83,10 @@ rules = [
'path': '/servers/detail'
}
],
- scope_types=['system']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'show',
- check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+ check_str=base.PROJECT_READER,
description="Show a server",
operations=[
{
@@ -93,12 +94,12 @@ rules = [
'path': '/servers/{server_id}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
# the details in host_status are pretty sensitive, only admins
# should do that by default.
policy.DocumentedRuleDefault(
name=SERVERS % 'show:host_status',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.PROJECT_ADMIN,
description="""
Show a server with additional host status information.
@@ -129,10 +130,10 @@ API responses which are also controlled by this policy rule, like the
'path': '/servers/{server_id}/action (rebuild)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'show:host_status:unknown-only',
- check_str=base.SYSTEM_ADMIN,
+ check_str=base.PROJECT_ADMIN,
description="""
Show a server with additional host status information, only if host status is
UNKNOWN.
@@ -162,7 +163,7 @@ allow everyone.
'path': '/servers/{server_id}/action (rebuild)'
}
],
- scope_types=['system', 'project'],),
+ scope_types=['project'],),
policy.DocumentedRuleDefault(
name=SERVERS % 'create',
check_str=base.PROJECT_MEMBER,
@@ -176,16 +177,6 @@ allow everyone.
scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create:forced_host',
- # TODO(gmann): We need to make it SYSTEM_ADMIN.
- # PROJECT_ADMIN is added for now because create server
- # policy is project scoped and there is no way to
- # pass the project_id in request body for system scoped
- # roles so that create server for other project with force host.
- # To achieve that, we need to update the create server API to
- # accept the project_id for whom the server needs to be created
- # and then change the scope of this policy to system-only
- # Because that is API change it needs to be done with new
- # microversion.
check_str=base.PROJECT_ADMIN,
description="""
Create a server on the specified host and/or node.
@@ -200,20 +191,9 @@ host and/or node by bypassing the scheduler filters unlike the
'path': '/servers'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=REQUESTED_DESTINATION,
- # TODO(gmann): We need to make it SYSTEM_ADMIN.
- # PROJECT_ADMIN is added for now because create server
- # policy is project scoped and there is no way to
- # pass the project_id in request body for system scoped
- # roles so that create server for other project with requested
- # destination.
- # To achieve that, we need to update the create server API to
- # accept the project_id for whom the server needs to be created
- # and then change the scope of this policy to system-only
- # Because that is API change it needs to be done with new
- # microversion.
check_str=base.PROJECT_ADMIN,
description="""
Create a server on the requested compute service host and/or
@@ -229,7 +209,7 @@ validated by the scheduler filters unlike the
'path': '/servers'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create:attach_volume',
check_str=base.PROJECT_MEMBER,
@@ -288,7 +268,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=NETWORK_ATTACH_EXTERNAL,
check_str=base.PROJECT_ADMIN,
@@ -305,10 +285,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/os-interface'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'delete',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Delete a server",
operations=[
{
@@ -316,10 +296,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'update',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Update a server",
operations=[
{
@@ -327,10 +307,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'confirm_resize',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Confirm a server resize",
operations=[
{
@@ -338,10 +318,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (confirmResize)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'revert_resize',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Revert a server resize",
operations=[
{
@@ -349,10 +329,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (revertResize)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'reboot',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Reboot a server",
operations=[
{
@@ -360,10 +340,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (reboot)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'resize',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Resize a server",
operations=[
{
@@ -371,7 +351,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (resize)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=CROSS_CELL_RESIZE,
check_str=base.RULE_NOBODY,
@@ -386,10 +366,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (resize)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'rebuild',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Rebuild a server",
operations=[
{
@@ -397,10 +377,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (rebuild)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'rebuild:trusted_certs',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Rebuild a server with trusted image certificate IDs",
operations=[
{
@@ -408,10 +388,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (rebuild)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create_image',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Create an image from a server",
operations=[
{
@@ -419,10 +399,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (createImage)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'create_image:allow_volume_backed',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Create an image from a volume backed server",
operations=[
{
@@ -430,10 +410,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (createImage)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'start',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Start a server",
operations=[
{
@@ -441,10 +421,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (os-start)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'stop',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Stop a server",
operations=[
{
@@ -452,10 +432,10 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (os-stop)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
policy.DocumentedRuleDefault(
name=SERVERS % 'trigger_crash_dump',
- check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+ check_str=base.PROJECT_MEMBER,
description="Trigger crash dump in a server",
operations=[
{
@@ -463,7 +443,7 @@ https://bugs.launchpad.net/nova/+bug/1739646 for details.
'path': '/servers/{server_id}/action (trigger_crash_dump)'
}
],
- scope_types=['system', 'project']),
+ scope_types=['project']),
]