Implement secure RBAC for orders API

Add new project scope specific RBAC rules for the orders API.  The old
rules still apply, but eventually will be deprecated.  The new
rules do include some changes to default policy, which are documented in
the release note.

Change-Id: I8e6963d7ab788038102c7f4570b3f2c9a342eabf
This commit is contained in:
Ade Lee 2021-03-08 15:06:26 -05:00
parent e2c8e53730
commit 265908ec5f
2 changed files with 26 additions and 10 deletions

View File

@ -12,12 +12,13 @@
from oslo_policy import policy
_MEMBER = "role:member"
rules = [
policy.DocumentedRuleDefault(
name='orders:get',
check_str='rule:all_but_audit',
scope_types=[],
check_str=f'rule:all_but_audit or {_MEMBER}',
scope_types=['project'],
description='Gets list of all orders associated with a project.',
operations=[
{
@ -28,8 +29,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name='orders:post',
check_str='rule:admin_or_creator',
scope_types=[],
check_str=f'rule:admin_or_creator or {_MEMBER}',
scope_types=['project'],
description='Creates an order.',
operations=[
{
@ -40,8 +41,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name='orders:put',
check_str='rule:admin_or_creator',
scope_types=[],
check_str=f'rule:admin_or_creator or {_MEMBER}',
scope_types=['project'],
description='Unsupported method for the orders API.',
operations=[
{
@ -52,8 +53,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name='order:get',
check_str='rule:all_users',
scope_types=[],
check_str=f'rule:all_users or {_MEMBER}',
scope_types=['project'],
description='Retrieves an orders metadata.',
operations=[
{
@ -64,8 +65,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name='order:delete',
check_str='rule:admin',
scope_types=[],
check_str=f'rule:admin or {_MEMBER}',
scope_types=['project'],
description='Deletes an order.',
operations=[
{

View File

@ -0,0 +1,15 @@
---
features:
- |
Implement secure-rbac for orders resource.
security:
- |
The current policy allows all users except those with the audit role to
list orders or retrieve an orders metadata. The new desired policy will
restrict this to members. For backwards compatibility, the old policies
remain in effect, but they are deprecated and will be removed in future,
leaving the more restrictive new policy.
- |
The new secure-rbac policy allows for secret deletion by members. This is
a change from the previous policy that only allowed deletion by the
project admin.