openstack/barbican
Code Issues Proposed changes

Implement secure RBAC for orders API

Browse Source 
Add new project scope specific RBAC rules for the orders API.  The old
rules still apply, but eventually will be deprecated.  The new
rules do include some changes to default policy, which are documented in
the release note.

Change-Id: I8e6963d7ab788038102c7f4570b3f2c9a342eabf
This commit is contained in:
Ade Lee 2021-03-08 15:06:26 -05:00
parent e2c8e53730
commit 265908ec5f
2 changed files with 26 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
barbican/common/policies/orders.py
View File

@ -12,12 +12,13 @@
from oslo_policy import policy from oslo_policy import policy
_MEMBER = "role:member"
rules = [ rules = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='orders:get', name='orders:get',
check_str='rule:all_but_audit', check_str=f'rule:all_but_audit or {_MEMBER}',
scope_types=[], scope_types=['project'],
description='Gets list of all orders associated with a project.', description='Gets list of all orders associated with a project.',
operations=[ operations=[
{ {
@ -28,8 +29,8 @@ rules = [
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='orders:post', name='orders:post',
check_str='rule:admin_or_creator', check_str=f'rule:admin_or_creator or {_MEMBER}',
scope_types=[], scope_types=['project'],
description='Creates an order.', description='Creates an order.',
operations=[ operations=[
{ {
@ -40,8 +41,8 @@ rules = [
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='orders:put', name='orders:put',
check_str='rule:admin_or_creator', check_str=f'rule:admin_or_creator or {_MEMBER}',
scope_types=[], scope_types=['project'],
description='Unsupported method for the orders API.', description='Unsupported method for the orders API.',
operations=[ operations=[
{ {
@ -52,8 +53,8 @@ rules = [
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='order:get', name='order:get',
check_str='rule:all_users', check_str=f'rule:all_users or {_MEMBER}',
scope_types=[], scope_types=['project'],
description='Retrieves an orders metadata.', description='Retrieves an orders metadata.',
operations=[ operations=[
{ {
@ -64,8 +65,8 @@ rules = [
), ),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='order:delete', name='order:delete',
check_str='rule:admin', check_str=f'rule:admin or {_MEMBER}',
scope_types=[], scope_types=['project'],
description='Deletes an order.', description='Deletes an order.',
operations=[ operations=[
{ {

15
releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml Normal file
View File

@ -0,0 +1,15 @@
---
features:
- |
Implement secure-rbac for orders resource.
security:
- |
The current policy allows all users except those with the audit role to
list orders or retrieve an orders metadata. The new desired policy will
restrict this to members. For backwards compatibility, the old policies
remain in effect, but they are deprecated and will be removed in future,
leaving the more restrictive new policy.
- |
The new secure-rbac policy allows for secret deletion by members. This is
a change from the previous policy that only allowed deletion by the
project admin.