authorGhanshyam Mann <gmann@ghanshyammann.com>2022-02-18 02:29:17 -0600
committerGhanshyam <gmann@ghanshyammann.com>2022-02-24 16:33:34 +0000
commitf9c1d1163ddd924b0721f5dd7146a2a87a2afa31 (patch)
tree1850bec10c0fe61d9d58a49e053e3ae6a5b25cac /nova/policies
parent1be007243b71713d4d19b3f15eb1c472c7fb2d96 (diff)
downloadnova-f9c1d1163ddd924b0721f5dd7146a2a87a2afa31.tar.gz
Complete phase-1 of RBAC community-wide goal
After moving the nova APIs policy as per the new guidelines where system scoped token will be only allowed to access system level APIs and will not be allowed any operation on project level APIs. With that we do not need below base rules (which have hardcoded 'system_scope:all' check_str): - system_admin_api - system_reader_api - system_admin_or_owner - system_or_project_reader At this stage (phase-1 target), we allow below roles as targeted in phase-1 [1] 1. ADMIN(this is System Administrator with scope_type 'system' when scope enabled otherwise legacy admin) 2. PROJECT_ADMIN 3. PROJECT_MEMBER 4. PROJECT_READER & below one specific to nova 5. PROJECT_READER_OR_ADMIN (to allow system admin and project reader to list flavor extra specs) This completes phase-1 of the RBAC community-wide goal[2] for nova. Add release notes too. [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#how-operator [2] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#yoga-timeline-7th-mar-2022 Partial implement blueprint policy-defaults-refresh-2 Change-Id: I075005d13ff6bfe048bbb21d80d71bf1602e4c02
Diffstat (limited to 'nova/policies')
-rw-r--r--nova/policies/base.py61
1 files changed, 13 insertions, 48 deletions
diff --git a/nova/policies/base.py b/nova/policies/base.py
index 04ab8272a1..2d60f4634a 100644
--- a/nova/policies/base.py
+++ b/nova/policies/base.py
@@ -36,43 +36,28 @@ DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'
)
-
-# TODO(gmann): # Special string ``system_scope:all`` is added for system
-# scoped policies for backwards compatibility where ``nova.conf [oslo_policy]
-# enforce_scope = False``.
-# Otherwise, this might open up APIs to be more permissive unintentionally if a
-# deployment isn't enforcing scope. For example, the 'list all servers'
-# policy will be System Scoped Reader with ``role:reader`` and
-# scope_type=['system'] Until enforce_scope=True by default, it would
-# be possible for users with the ``reader`` role on a project to access the
-# 'list all servers' API. Once nova defaults ``nova.conf [oslo_policy]
-# enforce_scope=True``, the ``system_scope:all`` bits of these check strings
-# can be removed since that will be handled automatically by scope_types in
-# oslo.policy's RuleDefault objects.
-SYSTEM_ADMIN = 'rule:system_admin_api'
-SYSTEM_READER = 'rule:system_reader_api'
PROJECT_ADMIN = 'rule:project_admin_api'
PROJECT_MEMBER = 'rule:project_member_api'
PROJECT_READER = 'rule:project_reader_api'
-PROJECT_MEMBER_OR_SYSTEM_ADMIN = 'rule:system_admin_or_owner'
-PROJECT_READER_OR_SYSTEM_READER = 'rule:system_or_project_reader'
PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
ADMIN = 'rule:context_is_admin'
# NOTE(gmann): Below is the mapping of new roles and scope_types
# with legacy roles::
-# Legacy Rule | New Rules |Operation |scope_type|
-# -------------------+----------------------------------+----------+-----------
-# |-> SYSTEM_ADMIN |Global | [system]
-# RULE_ADMIN_API | Write
-# |-> SYSTEM_READER |Global | [system]
-# | |Read |
-#
-# |-> PROJECT_MEMBER_OR_SYSTEM_ADMIN |Project | [system,
-# RULE_ADMIN_OR_OWNER| |Write | project]
-# |-> PROJECT_READER_OR_SYSTEM_READER|Project | [system,
-# |Read | project]
+# Legacy Rule | New Rules |Operation |scope_type|
+# -------------------+---------------------+----------------+-----------
+# |-> ADMIN |Global resource | [system]
+# RULE_ADMIN_API | |Write & Read |
+# |-> PROJECT_ADMIN |Project resource| [project]
+# | |Write |
+# ----------------------------------------------------------------------
+# |-> PROJECT_ADMIN |Project resource| [project]
+# | |Write |
+# |-> PROJECT_MEMBER |Project resource| [project]
+# RULE_ADMIN_OR_OWNER| |Write |
+# |-> PROJECT_READER |Project resource| [project]
+# | |Read |
# NOTE(johngarbutt) The base rules here affect so many APIs the list
# of related API operations has not been populated. It would be
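Review bot: The new role mapping table leaves out `PROJECT_READER_OR_ADMIN`, which this same hunk keeps as a base constant and which the commit message singles out as the one nova-specific rule, so a reader of the table cannot tell which legacy rule it replaces; a row such as `# |-> PROJECT_READER_OR_ADMIN |Project resource| [project]` with `Read` in the operation column, under the RULE_ADMIN_OR_OWNER group, would close that gap. The deleted TODO(gmann) block was also the only place in this file recording that scope_type is not enforced unless `[oslo_policy] enforce_scope` is true; with the explicit `system_scope:all` check gone, the `[system]` scope shown for ADMIN appears to rest entirely on that setting, so a one-line note above the table, e.g. `# NOTE: scope_type is only enforced when [oslo_policy] enforce_scope=True`, keeps the caveat visible for operators reading this file. Finally, `SYSTEM_ADMIN`, `SYSTEM_READER`, `PROJECT_MEMBER_OR_SYSTEM_ADMIN` and `PROJECT_READER_OR_SYSTEM_READER` are removed here and their rule definitions are dropped in the two following hunks, so any out-of-tree policy override that still references `rule:system_admin_api` or the other three names will point at a rule this file no longer defines; the release note the message mentions is outside this diffstat, so I cannot confirm it calls that out.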
@@ -107,16 +92,6 @@ rules = [
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'),
policy.RuleDefault(
- name="system_admin_api",
- check_str='role:admin and system_scope:all',
- description="Default rule for System Admin APIs.",
- deprecated_rule=DEPRECATED_ADMIN_POLICY),
- policy.RuleDefault(
- name="system_reader_api",
- check_str="role:reader and system_scope:all",
- description="Default rule for System level read only APIs.",
- deprecated_rule=DEPRECATED_ADMIN_POLICY),
- policy.RuleDefault(
"project_admin_api",
"role:admin and project_id:%(project_id)s",
"Default rule for Project level admin APIs.",
@@ -132,16 +107,6 @@ rules = [
"Default rule for Project level read only APIs.",
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
policy.RuleDefault(
- name="system_admin_or_owner",
- check_str="rule:system_admin_api or rule:project_member_api",
- description="Default rule for System admin+owner APIs.",
- deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
- policy.RuleDefault(
- "system_or_project_reader",
- "rule:system_reader_api or rule:project_reader_api",
- "Default rule for System+Project read only APIs.",
- deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
- policy.RuleDefault(
"project_reader_or_admin",
"rule:project_reader_api or rule:context_is_admin",
"Default rule for Project reader and admin APIs.",