diff --git a/.zuul.yaml b/.zuul.yaml
index f27a0e5df..d5fab91fd 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -111,7 +111,8 @@
 - barbican-grenade:
 voting: false
 - barbican-tempest-plugin-simple-crypto
- - barbican-tempest-plugin-simple-crypto-secure-rbac
+ - barbican-tempest-plugin-simple-crypto-secure-rbac:
+ voting: false
 - barbican-tempest-plugin-simple-crypto-ipv6-only
 - barbican-tox-functional-fips:
 voting: false
diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
index 0ade1071f..b3dd56526 100644
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
@@ -19,13 +19,6 @@ LEGACY_POLICY_DEPRECATION = (
 )

 rules = [
- policy.RuleDefault(
- name='system_reader',
- check_str='role:reader and system_scope:all'),
- policy.RuleDefault(
- name='system_admin',
- check_str='role:admin and system_scope:all'),
-
 policy.RuleDefault(
 name='secret_project_match',
 check_str='project_id:%(target.secret.project_id)s'),
diff --git a/barbican/common/policies/consumers.py b/barbican/common/policies/consumers.py
index ffceabff0..a6dbac142 100644
--- a/barbican/common/policies/consumers.py
+++ b/barbican/common/policies/consumers.py
@@ -82,12 +82,12 @@ rules = [
 name='consumer:get',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:container_project_admin or '
+ '(role:admin or '
 '(rule:container_project_member and rule:container_owner) or '
 '(rule:container_project_member and '
 ' rule:container_is_not_private) or '
 'rule:container_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 # This API is unusable. There is no way for a user to get
 # the consumer-id they would need to send a request.
 description='DEPRECATED: show information for a specific consumer',
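Review bot: The barbican-tempest-plugin-simple-crypto-secure-rbac job is switched to `voting: false` in the same change that rewrites the secure-RBAC policy defaults, so a regression in the new project-scoped rules would no longer block a merge. The hunk does not say why; presumably the tempest plugin still expects the old system-scoped rules, but that is an inference. If the job has to stay non-voting for a while, record the reason and the exit condition next to the entry, e.g. `# non-voting until barbican-tempest-plugin is updated for the project-scoped defaults; restore voting afterwards`, so it is not forgotten.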
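Review bot: `system_reader` and `system_admin` are deleted outright rather than deprecated, so any `rule:system_admin` or `rule:system_reader` reference that survives in an operator's policy override file, or in a policy module this change does not touch, now names an undefined rule; oslo.policy's RuleCheck evaluates an unknown rule name as False, so such a rule silently denies instead of failing loudly. Consider keeping both aliases for a cycle with `deprecated_for_removal=True` plus a `deprecated_reason` and `deprecated_since` so affected operators see the deprecation warning, or at least state in the release note that overrides referencing these two rules must be updated. The `rules` list continues past the end of this hunk.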
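Review bot: `consumer:get` is the only rule in this change whose admin branch becomes a bare `role:admin`; the other six consumer rules (the container_consumers and secret_consumers hunks) keep `rule:container_project_admin` / `rule:secret_project_admin`, which presumably tie the admin role to the target's project. As written, an admin of any project can read any consumer, which is wider than the sibling rules and is not explained by the existing "This API is unusable" comment. If the broader check is deliberate because no container target is available to match against, say so, e.g. `# role:admin without a project match is intentional: the request carries no container target`; otherwise use `'(rule:container_project_admin or '` like the other rules.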
@@ -101,12 +101,12 @@ rules = [
 name='container_consumers:get',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:container_project_admin or '
+ '(rule:container_project_admin or '
 '(rule:container_project_member and rule:container_owner) or '
 '(rule:container_project_member and '
 ' rule:container_is_not_private) or '
 'rule:container_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='List a containers consumers.',
 operations=[
 {
@@ -120,12 +120,12 @@ rules = [
 name='container_consumers:post',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:container_project_admin or '
+ '(rule:container_project_admin or '
 '(rule:container_project_member and rule:container_owner) or '
 '(rule:container_project_member and '
 ' rule:container_is_not_private) or '
 'rule:container_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Creates a consumer.',
 operations=[
 {
@@ -139,12 +139,12 @@ rules = [
 name='container_consumers:delete',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:container_project_admin or '
+ '(rule:container_project_admin or '
 '(rule:container_project_member and rule:container_owner) or '
 '(rule:container_project_member and '
 ' rule:container_is_not_private) or '
 'rule:container_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Deletes a consumer.',
 operations=[
 {
@@ -158,11 +158,11 @@ rules = [
 name='secret_consumers:get',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:secret_project_admin or '
+ '(rule:secret_project_admin or '
 '(rule:secret_project_member and rule:secret_owner) or '
 '(rule:secret_project_member and rule:secret_is_not_private) or '
 'rule:secret_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='List consumers for a secret.',
 operations=[
 {
@@ -176,11 +176,11 @@ rules = [
 name='secret_consumers:post',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:secret_project_admin or '
+ '(rule:secret_project_admin or '
 '(rule:secret_project_member and rule:secret_owner) or '
 '(rule:secret_project_member and rule:secret_is_not_private) or '
 'rule:secret_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Creates a consumer.',
 operations=[
 {
@@ -194,11 +194,11 @@ rules = [
 name='secret_consumers:delete',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:secret_project_admin or '
+ '(rule:secret_project_admin or '
 '(rule:secret_project_member and rule:secret_owner) or '
 '(rule:secret_project_member and rule:secret_is_not_private) or '
 'rule:secret_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Deletes a consumer.',
 operations=[
 {
diff --git a/barbican/common/policies/quotas.py b/barbican/common/policies/quotas.py
index c5427d33f..53c1a5dc9 100644
--- a/barbican/common/policies/quotas.py
+++ b/barbican/common/policies/quotas.py
@@ -57,8 +57,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='project_quotas:get',
- check_str='True:%(enforce_new_defaults)s and rule:system_reader',
- scope_types=['system'],
+ check_str='True:%(enforce_new_defaults)s and role:admin',
+ scope_types=['project'],
 description='List quotas for the specified project.',
 operations=[
 {
@@ -74,8 +74,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='project_quotas:put',
- check_str='True:%(enforce_new_defaults)s and rule:system_admin',
- scope_types=['system'],
+ check_str='True:%(enforce_new_defaults)s and role:admin',
+ scope_types=['project'],
 description='Create or update the configured project quotas for '
 'the project with the specified UUID.',
 operations=[
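Review bot: `project_quotas:get` moves from `rule:system_reader` to `role:admin`, so read access to quotas is tightened from reader to admin at the same time as the scope changes, and the release note added in this change does not mention it — it only says that APIs which required a system-scoped token are now reachable with a project-scoped admin token. The likely reasoning is that `role:reader` on an arbitrary project must not be able to read another project's quota, but a reader who previously listed quotas with a system token will be denied once `enforce_new_defaults` is on (the legacy rule is outside the hunk, so this is inferred). Either add the tightening to the release note or state the reason inline, e.g. `# role:admin rather than role:reader: quotas are deployment-wide, so a project reader must not see other projects' quotas`.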
@@ -88,8 +88,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='project_quotas:delete',
- check_str='True:%(enforce_new_defaults)s and rule:system_admin',
- scope_types=['system'],
+ check_str='True:%(enforce_new_defaults)s and role:admin',
+ scope_types=['project'],
 description='Delete the project quotas configuration for the '
 'project with the requested UUID.',
 operations=[
diff --git a/barbican/common/policies/secretstores.py b/barbican/common/policies/secretstores.py
index ff94c288c..5eb989a0c 100644
--- a/barbican/common/policies/secretstores.py
+++ b/barbican/common/policies/secretstores.py
@@ -57,7 +57,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='secretstores:get',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get list of available secret store backends.',
 operations=[
 {
@@ -70,7 +70,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='secretstores:get_global_default',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get a reference to the secret store that is used as ' +
 'default secret store backend for the deployment.',
 operations=[
@@ -84,7 +84,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='secretstores:get_preferred',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get a reference to the preferred secret store if ' +
 'assigned previously.',
 operations=[
@@ -126,7 +126,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='secretstore:get',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get details of secret store by its ID.',
 operations=[
 {
diff --git a/barbican/common/policies/transportkeys.py b/barbican/common/policies/transportkeys.py
index 30604ce5c..4b1782118 100644
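Review bot: Dropping `'system'` from `scope_types` on `secretstores:get` (and likewise in the other secretstores, transportkeys and consumers hunks) means a system-scoped token now fails the scope check for these rules even where the `check_str` is an unchanged `role:reader`: with `[oslo_policy] enforce_scope = True` oslo.policy raises InvalidScope, and with it off it only logs a warning. The release note in this change says the affected APIs are reachable with a project-scoped admin token but not that system-scoped tokens stop working once scope enforcement is on, which is what a deployment that automated these read-only calls with a system token needs to know before upgrading. A sentence such as "System scoped tokens are no longer accepted for any barbican API once enforce_scope is enabled; switch such callers to project scoped tokens" in the release note would cover it.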
--- a/barbican/common/policies/transportkeys.py
+++ b/barbican/common/policies/transportkeys.py
@@ -45,7 +45,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='transport_key:get',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get a specific transport key.',
 operations=[
 {
@@ -57,8 +57,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='transport_key:delete',
- check_str='True:%(enforce_new_defaults)s and rule:system_admin',
- scope_types=['system'],
+ check_str='True:%(enforce_new_defaults)s and role:admin',
+ scope_types=['project'],
 description='Delete a specific transport key.',
 operations=[
 {
@@ -71,7 +71,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='transport_keys:get',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get a list of all transport keys.',
 operations=[
 {
@@ -83,8 +83,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='transport_keys:post',
- check_str='True:%(enforce_new_defaults)s and rule:system_admin',
- scope_types=['system'],
+ check_str='True:%(enforce_new_defaults)s and role:admin',
+ scope_types=['project'],
 description='Create a new transport key.',
 operations=[
 {
diff --git a/releasenotes/notes/remove-system-scope-from-policy-f2f68c42c0742812.yaml b/releasenotes/notes/remove-system-scope-from-policy-f2f68c42c0742812.yaml
new file mode 100644
index 000000000..a819a0df8
--- /dev/null
+++ b/releasenotes/notes/remove-system-scope-from-policy-f2f68c42c0742812.yaml
@@ -0,0 +1,8 @@
+---
+security:
+ - |
+ System scope has been removed from the RBAC policies as specified in the
+ Consistent and Secure Default RBAC community goal. See:
+ https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
+ APIs that required system scoped tokens can now be accessed by using a
+ project scoped token with the "admin" role.