Updates cleartext-secrets RBAC Permissions
- Adds an RBAC check when returning raw configdocs. Change-Id: Ia4967ba4e1dfc49d44a3914cfa151177a49c3799
parent
03d7269b6a
commit
0cac1cbe2f
@ -368,9 +368,10 @@ conf:
|
|||||||
workflow_orchestrator:get_configdocs_status: rule:admin_read_access
|
workflow_orchestrator:get_configdocs_status: rule:admin_read_access
|
||||||
workflow_orchestrator:create_configdocs: rule:admin_create
|
workflow_orchestrator:create_configdocs: rule:admin_create
|
||||||
workflow_orchestrator:get_configdocs: rule:admin_read_access
|
workflow_orchestrator:get_configdocs: rule:admin_read_access
|
||||||
|
workflow_orchestrator:get_configdocs_cleartext: rule:admin_create
|
||||||
workflow_orchestrator:commit_configdocs: rule:admin_create
|
workflow_orchestrator:commit_configdocs: rule:admin_create
|
||||||
workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
|
workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
|
||||||
workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_read_access
|
workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_create
|
||||||
workflow_orchestrator:list_workflows: rule:admin_read_access
|
workflow_orchestrator:list_workflows: rule:admin_read_access
|
||||||
workflow_orchestrator:get_workflow: rule:admin_read_access
|
workflow_orchestrator:get_workflow: rule:admin_read_access
|
||||||
workflow_orchestrator:get_notedetails: rule:admin_read_access
|
workflow_orchestrator:get_notedetails: rule:admin_read_access
|
||||||
|
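Review bot: The chart values for both cleartext rules (`get_configdocs_cleartext` on L27 and, if the second cell of that row is the new side, `get_renderedconfigdocs_cleartext` on L42) now map to `rule:admin_create`, while every other read operation in this block stays on `rule:admin_read_access`, and nothing on the page records why a GET that reveals secrets is classed as a write-level privilege. The tightening of the rendered-configdocs rule is also not mentioned in the commit message, which only describes the new raw-configdocs check. A one-line comment above the two cleartext entries would keep an operator from "correcting" them back to the read rule, e.g. `# *_cleartext rules deliberately require admin_create: returning unredacted secrets is treated as a privileged operation`. The in-code defaults for the same rules in ShipyardPolicy use RULE_ADMIN_REQUIRED, so the chart appears to be the place where the distinction is actually made — worth stating in that comment as well.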
@ -677,8 +677,10 @@ differences between the 'committed' and 'buffer' revision (default behavior).
|
|||||||
collection, this will return an empty response (default)
|
collection, this will return an empty response (default)
|
||||||
|
|
||||||
\--cleartext-secrets
|
\--cleartext-secrets
|
||||||
Returns cleartext secrets in encrypted documents, otherwise those values
|
Returns secrets as cleartext for encrypted documents if the user has the
|
||||||
are redacted. Only impacts returned documents, not lists of documents.
|
appropriate permissions in the target environment. If the user does not
|
||||||
|
have the appropriate permissions and sets this flag to true an error is
|
||||||
|
returned. Only impacts returned documents, not lists of documents.
|
||||||
|
|
||||||
Sample
|
Sample
|
||||||
^^^^^^
|
^^^^^^
|
||||||
@ -745,8 +747,10 @@ applying Deckhand layering and substitution.
|
|||||||
prior commit. (default)
|
prior commit. (default)
|
||||||
|
|
||||||
\--cleartext-secrets
|
\--cleartext-secrets
|
||||||
Returns secrets as cleartext for encrypted documents if the user has the appropriate
|
Returns secrets as cleartext for encrypted documents if the user has the
|
||||||
permissions in the target environment.
|
appropriate permissions in the target environment. If the user does not
|
||||||
|
have the appropriate permissions and sets this flag to true an error is
|
||||||
|
returned.
|
||||||
|
|
||||||
Sample
|
Sample
|
||||||
^^^^^^
|
^^^^^^
|
||||||
|
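--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -101,6 +101,11 @@ class ConfigDocsResource(BaseResource):
         cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
         self._validate_version_parameter(version)
         helper = ConfigdocsHelper(req.context)
+
+        # Check access to cleartext_secrets
+        if cleartext_secrets:
+            policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)
+
         # Not reformatting to JSON or YAML since just passing through
         resp.body = self.get_collection(
             helper=helper, collection_id=collection_id, version=version,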
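Review bot: The new `policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)` call is only effective if `check_auth` raises on denial; the hunk ignores its return value, so if it instead reports the result (as a bool, say) the request would still fall through to `get_collection` with `cleartext_secrets` set — the page does not show `check_auth`, so this needs confirming against policy.py. The check is also placed after `_validate_version_parameter` and the `ConfigdocsHelper(req.context)` construction; an authorization decision that depends only on the already-parsed flag should fail fast, i.e. move the three added lines `# Check access to cleartext_secrets` / `if cleartext_secrets:` / `    policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)` directly under the `cleartext_secrets = ...` line. The comment could also state the contract it protects, e.g. `# Must run before get_collection: a caller without GET_CONFIGDOCS_CLRTXT must never receive unredacted documents`. The enclosing method starts and ends outside the hunk, so whether a decorator-level rule already guards the non-cleartext path is not visible here.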
@ -36,6 +36,7 @@ INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control'
|
|||||||
GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
|
GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
|
||||||
CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
|
CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
|
||||||
GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
|
GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
|
||||||
|
GET_CONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_configdocs_cleartext'
|
||||||
COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
|
COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
|
||||||
GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
|
GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
|
||||||
GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext' # noqa
|
GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext' # noqa
|
||||||
@ -162,7 +163,18 @@ class ShipyardPolicy(object):
|
|||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
GET_CONFIGDOCS,
|
GET_CONFIGDOCS,
|
||||||
RULE_ADMIN_REQUIRED,
|
RULE_ADMIN_REQUIRED,
|
||||||
'Retrieve a collection of configuration documents',
|
('Retrieve a collection of configuration documents with redacted '
|
||||||
|
'secrets'),
|
||||||
|
[{
|
||||||
|
'path': '/api/v1.0/configdocs/{collection_id}',
|
||||||
|
'method': 'GET'
|
||||||
|
}]
|
||||||
|
),
|
||||||
|
policy.DocumentedRuleDefault(
|
||||||
|
GET_CONFIGDOCS_CLRTXT,
|
||||||
|
RULE_ADMIN_REQUIRED,
|
||||||
|
('Retrieve a collection of configuration documents with cleartext '
|
||||||
|
'secrets.'),
|
||||||
[{
|
[{
|
||||||
'path': '/api/v1.0/configdocs/{collection_id}',
|
'path': '/api/v1.0/configdocs/{collection_id}',
|
||||||
'method': 'GET'
|
'method': 'GET'
|
||||||
|
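Review bot: The new `DocumentedRuleDefault` for `GET_CONFIGDOCS_CLRTXT` (L297 onward) documents the same path and method as the `GET_CONFIGDOCS` entry above it, so the generated policy documentation will list two rules for `GET /api/v1.0/configdocs/{collection_id}` without saying when the second one applies. Since the code path only consults this rule when the `cleartext-secrets` query parameter is true, the description should say so, e.g. `('Retrieve a collection of configuration documents with cleartext secrets (only checked when cleartext-secrets=true)'),`. As a point of style, the two sibling descriptions differ in punctuation — `'secrets'),` on L269 versus `'secrets.'),` on L309 — and should match. The closing `]` and `)` of the new entry fall outside the hunk, so the rule's scope attributes beyond path and method were not reviewed.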