Merge "Implement secure RBAC for quota API"

Zuul 2021-03-11 22:46:57 +00:00 committed by Gerrit Code Review
commit 5408a62802
2 changed files with 23 additions and 8 deletions


@ -13,11 +13,15 @@
from oslo_policy import policy
_READER = "role:reader"
_SYSTEM_ADMIN = "role:admin and system_scope:all"
_SYSTEM_READER = "role:reader and system_scope:all"
rules = [
policy.DocumentedRuleDefault(
name='quotas:get',
check_str='rule:all_users',
scope_types=[],
check_str=f'rule:all_users or {_READER}',
scope_types=['project'],
description='List quotas for the project the user belongs to.',
operations=[
{
@ -28,8 +32,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name='project_quotas:get',
check_str='rule:service_admin',
scope_types=[],
check_str=f'rule:service_admin or {_SYSTEM_READER}',
scope_types=['system'],
description='List quotas for the specified project.',
operations=[
{
@ -44,8 +48,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name='project_quotas:put',
check_str='rule:service_admin',
scope_types=[],
check_str=f'rule:service_admin or {_SYSTEM_ADMIN}',
scope_types=['system'],
description='Create or update the configured project quotas for '
'the project with the specified UUID.',
operations=[
@ -57,8 +61,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name='project_quotas:delete',
check_str='rule:service_admin',
scope_types=[],
check_str=f'rule:service_admin or {_SYSTEM_ADMIN}',
scope_types=['system'],
description='Delete the project quotas configuration for the '
'project with the requested UUID.',
operations=[
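Review bot: In `quotas:get` the added alternative is the bare `role:reader` (`_READER`), so the project restriction comes only from `scope_types=['project']`, and oslo.policy rejects a token of the wrong scope only when `[oslo_policy] enforce_scope` is enabled; with it disabled the mismatch is just logged. The three `project_quotas:*` rules have the same dependency, and they keep `rule:service_admin` ORed in, so the new defaults add to the legacy access instead of replacing it; if service-admin tokens are project-scoped (not visible here), enforcing the `system` scope type would stop them matching. A comment above the constants would make this visible to operators, for example `# NOTE: scope_types is enforced only when [oslo_policy] enforce_scope is true; the legacy rule:* alternatives are kept for existing deployments.` The `rules` list starts and continues outside the visible hunks, so other entries may need the same note.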


@ -0,0 +1,11 @@
---
features:
- |
Implement secure-rbac for quotas resource.
security:
- |
The current policy only allows users with the key-manager:service-admin
role to list, get, add, update or delete project quotas. The new
policy allows system readers to list quotas and get quotas for specific
projects and system admins (role:admin and system_scope:all) to add,
update and delete project quotas.