
Merge "Updates cleartext-secrets RBAC Permissions"

changes/86/628286/1
Zuul 7 months ago
parent
commit
c1b12b9a9e

+ 2
- 1
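--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -368,9 +368,10 @@ conf:
     workflow_orchestrator:get_configdocs_status: rule:admin_read_access
     workflow_orchestrator:create_configdocs: rule:admin_create
     workflow_orchestrator:get_configdocs: rule:admin_read_access
+    workflow_orchestrator:get_configdocs_cleartext: rule:admin_create
     workflow_orchestrator:commit_configdocs: rule:admin_create
     workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
-    workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_read_access
+    workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_create
     workflow_orchestrator:list_workflows: rule:admin_read_access
     workflow_orchestrator:get_workflow: rule:admin_read_access
     workflow_orchestrator:get_notedetails: rule:admin_read_access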
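Review bot: Both cleartext rules are mapped to `rule:admin_create`, the same alias used for create_configdocs and commit_configdocs, so any principal that can write configdocs can also read their secrets in cleartext, and an operator cannot grant or revoke cleartext reads independently of writes. A dedicated alias would keep the two grants separable, e.g. `workflow_orchestrator:get_configdocs_cleartext: rule:admin_read_cleartext` and the same for get_renderedconfigdocs_cleartext, with the new alias defined next to the existing rule: aliases. The rule: alias definitions are outside this hunk, so I cannot confirm what admin_create resolves to in this chart; if it is already the narrowest role in the deployment the point is moot, but it is still worth a comment on these two lines saying why cleartext reads are tied to the write alias.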

+ 8
- 4
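--- a/doc/source/CLI.rst
+++ b/doc/source/CLI.rst
@@ -682,8 +682,10 @@ differences between the 'committed' and 'buffer' revision (default behavior).
   collection, this will return an empty response (default)
 
 \--cleartext-secrets
-  Returns cleartext secrets in encrypted documents, otherwise those values
-  are redacted. Only impacts returned documents, not lists of documents.
+  Returns secrets as cleartext for encrypted documents if the user has the
+  appropriate permissions in the target environment.  If the user does not
+  have the appropriate permissions and sets this flag to true an error is
+  returned.  Only impacts returned documents, not lists of documents.
 
 Sample
 ^^^^^^
@@ -750,8 +752,10 @@ applying Deckhand layering and substitution.
   prior commit. (default)
 
 \--cleartext-secrets
-  Returns secrets as cleartext for encrypted documents if the user has the appropriate
-  permissions in the target environment.
+  Returns secrets as cleartext for encrypted documents if the user has the
+  appropriate permissions in the target environment.  If the user does not
+  have the appropriate permissions and sets this flag to true an error is
+  returned.
 
 Sample
 ^^^^^^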

+ 5
- 0
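--- a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
@@ -123,6 +123,11 @@ class ConfigDocsResource(BaseResource):
         cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
         self._validate_version_parameter(version)
         helper = ConfigdocsHelper(req.context)
+
+        # Check access to cleartext_secrets
+        if cleartext_secrets:
+            policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)
+
         # Not reformatting to JSON or YAML since just passing through
         resp.body = self.get_collection(
             helper=helper, collection_id=collection_id, version=version,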
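Review bot: The return value of `policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)` is discarded, so the added guard only stops a cleartext read if check_auth raises on denial; if it signals denial through its return value, the call to get_collection below still runs with cleartext_secrets set and the CLI docs' promise of an error would not hold. check_auth is defined outside this hunk, so I cannot confirm which it does from here; please verify, and make the expectation explicit in the comment, e.g. `# Reading secrets in cleartext needs a separate grant; check_auth raises on denial, so nothing below runs for an unauthorised caller`. A smaller point: the check could sit before `helper = ConfigdocsHelper(req.context)` so that no helper is built for a request that is about to be rejected, if that constructor does any real work. The enclosing handler starts before the hunk and its get_collection call continues past it.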

+ 13
- 1
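--- a/src/bin/shipyard_airflow/shipyard_airflow/policy.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
@@ -36,6 +36,7 @@ INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control'
 GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
 CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
 GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
+GET_CONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_configdocs_cleartext'
 COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
 GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
 GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext'  # noqa
@@ -162,7 +163,18 @@ class ShipyardPolicy(object):
         policy.DocumentedRuleDefault(
             GET_CONFIGDOCS,
             RULE_ADMIN_REQUIRED,
-            'Retrieve a collection of configuration documents',
+            ('Retrieve a collection of configuration documents with redacted '
+             'secrets'),
+            [{
+                'path': '/api/v1.0/configdocs/{collection_id}',
+                'method': 'GET'
+            }]
+        ),
+        policy.DocumentedRuleDefault(
+            GET_CONFIGDOCS_CLRTXT,
+            RULE_ADMIN_REQUIRED,
+            ('Retrieve a collection of configuration documents with cleartext '
+             'secrets.'),
             [{
                 'path': '/api/v1.0/configdocs/{collection_id}',
                 'method': 'GET'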
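Review bot: The new GET_CONFIGDOCS_CLRTXT rule is documented with exactly the same path and method as GET_CONFIGDOCS, so the generated policy reference gives an operator no way to tell when the second, more sensitive rule is consulted; the description should name the trigger, e.g. `('Retrieve a collection of configuration documents with cleartext ' 'secrets (cleartext-secrets=true query parameter)')`. Both rules default to RULE_ADMIN_REQUIRED here while the chart in this same change maps the cleartext rule to a different alias, which looks intentional but deserves a one-line comment above the new DocumentedRuleDefault saying the in-code default deliberately matches the redacted read and deployments are expected to override it to separate the two grants. A style nit: the new description ends with a period and its sibling does not. The new rule's operations list and the enclosing ShipyardPolicy class continue past the end of the hunk.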
