1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_policy import policy
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' # Admins or owners of the resource
RULE_ADMIN_API = 'rule:admin_api' # Allow only users with the admin role
RULE_ANY = '@' # Any user is allowed to perform the action.
RULE_NOBODY = '!' # No users are allowed to perform the action.
DEPRECATED_REASON = """
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
"""
DEPRECATED_ADMIN_POLICY = policy.DeprecatedRule(
name=RULE_ADMIN_API,
check_str='is_admin:True',
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'
)
DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
name=RULE_ADMIN_OR_OWNER,
check_str='is_admin:True or project_id:%(project_id)s',
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'
)
# TODO(gmann): # Special string ``system_scope:all`` is added for system
# scoped policies for backwards compatibility where ``nova.conf [oslo_policy]
# enforce_scope = False``.
# Otherwise, this might open up APIs to be more permissive unintentionally if a
# deployment isn't enforcing scope. For example, the 'list all servers'
# policy will be System Scoped Reader with ``role:reader`` and
# scope_type=['system'] Until enforce_scope=True by default, it would
# be possible for users with the ``reader`` role on a project to access the
# 'list all servers' API. Once nova defaults ``nova.conf [oslo_policy]
# enforce_scope=True``, the ``system_scope:all`` bits of these check strings
# can be removed since that will be handled automatically by scope_types in
# oslo.policy's RuleDefault objects.
SYSTEM_ADMIN = 'rule:system_admin_api'
SYSTEM_READER = 'rule:system_reader_api'
PROJECT_ADMIN = 'rule:project_admin_api'
PROJECT_MEMBER = 'rule:project_member_api'
PROJECT_READER = 'rule:project_reader_api'
PROJECT_MEMBER_OR_SYSTEM_ADMIN = 'rule:system_admin_or_owner'
PROJECT_READER_OR_SYSTEM_READER = 'rule:system_or_project_reader'
# NOTE(gmann): Below is the mapping of new roles and scope_types
# with legacy roles::
# Legacy Rule | New Rules |Operation |scope_type|
# -------------------+----------------------------------+----------+-----------
# |-> SYSTEM_ADMIN |Global | [system]
# RULE_ADMIN_API | Write
# |-> SYSTEM_READER |Global | [system]
# | |Read |
#
# |-> PROJECT_MEMBER_OR_SYSTEM_ADMIN |Project | [system,
# RULE_ADMIN_OR_OWNER| |Write | project]
# |-> PROJECT_READER_OR_SYSTEM_READER|Project | [system,
# |Read | project]
# NOTE(johngarbutt) The base rules here affect so many APIs the list
# of related API operations has not been populated. It would be
# crazy hard to manually maintain such a list.
# NOTE(gmann): Keystone already support implied roles means assignment
# of one role implies the assignment of another. New defaults roles
# `reader`, `member` also has been added in bootstrap. If the bootstrap
# process is re-run, and a `reader`, `member`, or `admin` role already
# exists, a role implication chain will be created: `admin` implies
# `member` implies `reader`.
# For example: If we give access to 'reader' it means the 'admin' and
# 'member' also get access.
rules = [
policy.RuleDefault(
"context_is_admin",
"role:admin",
"Decides what is required for the 'is_admin:True' check to succeed."),
policy.RuleDefault(
"admin_or_owner",
"is_admin:True or project_id:%(project_id)s",
"Default rule for most non-Admin APIs.",
deprecated_for_removal=True,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'),
policy.RuleDefault(
"admin_api",
"is_admin:True",
"Default rule for most Admin APIs.",
deprecated_for_removal=True,
deprecated_reason=DEPRECATED_REASON,
deprecated_since='21.0.0'),
policy.RuleDefault(
name="system_admin_api",
check_str='role:admin and system_scope:all',
description="Default rule for System Admin APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY),
policy.RuleDefault(
name="system_reader_api",
check_str="role:reader and system_scope:all",
description="Default rule for System level read only APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY),
policy.RuleDefault(
"project_admin_api",
"role:admin and project_id:%(project_id)s",
"Default rule for Project level admin APIs.",
deprecated_rule=DEPRECATED_ADMIN_POLICY),
policy.RuleDefault(
"project_member_api",
"role:member and project_id:%(project_id)s",
"Default rule for Project level non admin APIs.",
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
policy.RuleDefault(
"project_reader_api",
"role:reader and project_id:%(project_id)s",
"Default rule for Project level read only APIs."),
policy.RuleDefault(
name="system_admin_or_owner",
check_str="rule:system_admin_api or rule:project_member_api",
description="Default rule for System admin+owner APIs.",
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
policy.RuleDefault(
"system_or_project_reader",
"rule:system_reader_api or rule:project_reader_api",
"Default rule for System+Project read only APIs.",
deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
]
def list_rules():
return rules
|
