From 116a9045ebb46f45a4df094fa04cdc5aaa61e60f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Thu, 18 May 2023 10:29:18 -0500
Subject: [PATCH] Remove System scope from policy

As specified in Phase 1 of the Consistent and Secure Default RBAC goal [1] policies have been updated to remove "system" scope and only use "project" scope in all policies. APIs with policies that previously required "system" scope have been updated to accept "project" scoped tokens with the "admin" role instead.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Change-Id: I3b781112fc6ced7b73196f973cefd6a30ef99dd3
---
 .zuul.yaml | 3 +-
 barbican/common/policies/base.py | 7 -----
 barbican/common/policies/consumers.py | 28 +++++++++----------
 barbican/common/policies/quotas.py | 12 ++++----
 barbican/common/policies/secretstores.py | 8 +++---
 barbican/common/policies/transportkeys.py | 12 ++++----
 ...em-scope-from-policy-f2f68c42c0742812.yaml | 8 ++++++
 7 files changed, 40 insertions(+), 38 deletions(-)
 create mode 100644 releasenotes/notes/remove-system-scope-from-policy-f2f68c42c0742812.yaml
diff --git a/.zuul.yaml b/.zuul.yaml
index d56f0b929..aa151e253 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -111,7 +111,8 @@
 - barbican-grenade:
 voting: false
 - barbican-tempest-plugin-simple-crypto
- - barbican-tempest-plugin-simple-crypto-secure-rbac
+ - barbican-tempest-plugin-simple-crypto-secure-rbac:
+ voting: false
 - barbican-tempest-plugin-simple-crypto-ipv6-only
 - barbican-tox-functional-fips
 - octavia-v2-dsvm-tls-barbican
diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
index 0ade1071f..b3dd56526 100644
--- a/barbican/common/policies/base.py
+++ b/barbican/common/policies/base.py
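Review bot: Setting `voting: false` on barbican-tempest-plugin-simple-crypto-secure-rbac in the same change that rewrites the policy defaults removes the one gate job that exercises these rules, so a regression introduced by this very change can merge without blocking anything. If the job fails only because the tempest plugin still sends system-scoped tokens, the plugin update should land first (or alongside with a Depends-On) and the job stay voting. If it has to go non-voting, that belongs in a separate change that names the tracking bug and the condition for flipping it back.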
@@ -19,13 +19,6 @@ LEGACY_POLICY_DEPRECATION = (
 )

 rules = [
- policy.RuleDefault(
- name='system_reader',
- check_str='role:reader and system_scope:all'),
- policy.RuleDefault(
- name='system_admin',
- check_str='role:admin and system_scope:all'),
- policy.RuleDefault(
 name='secret_project_match',
 check_str='project_id:%(target.secret.project_id)s'),
diff --git a/barbican/common/policies/consumers.py b/barbican/common/policies/consumers.py
index ffceabff0..a6dbac142 100644
--- a/barbican/common/policies/consumers.py
+++ b/barbican/common/policies/consumers.py
@@ -82,12 +82,12 @@ rules = [
 name='consumer:get',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:container_project_admin or '
+ '(role:admin or '
 '(rule:container_project_member and rule:container_owner) or '
 '(rule:container_project_member and '
 ' rule:container_is_not_private) or '
 'rule:container_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 # This API is unusable. There is no way for a user to get
 # the consumer-id they would need to send a request.
 description='DEPRECATED: show information for a specific consumer',
@@ -101,12 +101,12 @@ rules = [
 name='container_consumers:get',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:container_project_admin or '
+ '(rule:container_project_admin or '
 '(rule:container_project_member and rule:container_owner) or '
 '(rule:container_project_member and '
 ' rule:container_is_not_private) or '
 'rule:container_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='List a containers consumers.',
 operations=[
 {
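Review bot: Deleting the `system_reader` and `system_admin` RuleDefaults leaves any surviving `rule:system_admin` / `rule:system_reader` reference dangling — in a policy module this patch does not touch, or in a deployer's policy.yaml override — and, as far as I recall, oslo.policy evaluates a reference to an undefined rule as False, so such a leftover denies silently instead of failing at load time. The in-tree references I can see are all rewritten here, but that is inferred from the diffstat, not verified. Consider keeping both rules for one cycle marked for removal (`deprecated_for_removal=True` with a `deprecated_reason`) so operators get a warning, or at least add a unit test that every registered check_str references only registered rule names.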
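Review bot: In `consumer:get` the `rule:system_admin` clause is replaced by a bare `role:admin`, while every other rule in this file (`container_consumers:*` here and `secret_consumers:*` in the following hunks) replaces it with `rule:container_project_admin` / `rule:secret_project_admin`, which by their names tie the admin role to the resource's project. As written, an admin of any project can read any consumer, and the widening is easy to miss behind the `enforce_new_defaults` gate. If that is not deliberate the line should read `'(rule:container_project_admin or '`; if it is deliberate (the comment below marks the API as deprecated and unusable), a comment next to the check_str saying so would stop the next reader from treating it as a typo.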
@@ -120,12 +120,12 @@ rules = [
 name='container_consumers:post',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:container_project_admin or '
+ '(rule:container_project_admin or '
 '(rule:container_project_member and rule:container_owner) or '
 '(rule:container_project_member and '
 ' rule:container_is_not_private) or '
 'rule:container_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Creates a consumer.',
 operations=[
 {
@@ -139,12 +139,12 @@ rules = [
 name='container_consumers:delete',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:container_project_admin or '
+ '(rule:container_project_admin or '
 '(rule:container_project_member and rule:container_owner) or '
 '(rule:container_project_member and '
 ' rule:container_is_not_private) or '
 'rule:container_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Deletes a consumer.',
 operations=[
 {
@@ -158,11 +158,11 @@ rules = [
 name='secret_consumers:get',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:secret_project_admin or '
+ '(rule:secret_project_admin or '
 '(rule:secret_project_member and rule:secret_owner) or '
 '(rule:secret_project_member and rule:secret_is_not_private) or '
 'rule:secret_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='List consumers for a secret.',
 operations=[
 {
@@ -176,11 +176,11 @@ rules = [
 name='secret_consumers:post',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:secret_project_admin or '
+ '(rule:secret_project_admin or '
 '(rule:secret_project_member and rule:secret_owner) or '
 '(rule:secret_project_member and rule:secret_is_not_private) or '
 'rule:secret_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Creates a consumer.',
 operations=[
 {
@@ -194,11 +194,11 @@ rules = [
 name='secret_consumers:delete',
 check_str=(
 'True:%(enforce_new_defaults)s and '
- '(rule:system_admin or rule:secret_project_admin or '
+ '(rule:secret_project_admin or '
 '(rule:secret_project_member and rule:secret_owner) or '
 '(rule:secret_project_member and rule:secret_is_not_private) or '
 'rule:secret_acl_read)'),
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Deletes a consumer.',
 operations=[
 {
diff --git a/barbican/common/policies/quotas.py b/barbican/common/policies/quotas.py
index c5427d33f..53c1a5dc9 100644
--- a/barbican/common/policies/quotas.py
+++ b/barbican/common/policies/quotas.py
@@ -57,8 +57,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='project_quotas:get',
- check_str='True:%(enforce_new_defaults)s and rule:system_reader',
- scope_types=['system'],
+ check_str='True:%(enforce_new_defaults)s and role:admin',
+ scope_types=['project'],
 description='List quotas for the specified project.',
 operations=[
 {
@@ -74,8 +74,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='project_quotas:put',
- check_str='True:%(enforce_new_defaults)s and rule:system_admin',
- scope_types=['system'],
+ check_str='True:%(enforce_new_defaults)s and role:admin',
+ scope_types=['project'],
 description='Create or update the configured project quotas for '
 'the project with the specified UUID.',
 operations=[
@@ -88,8 +88,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='project_quotas:delete',
- check_str='True:%(enforce_new_defaults)s and rule:system_admin',
- scope_types=['system'],
+ check_str='True:%(enforce_new_defaults)s and role:admin',
+ scope_types=['project'],
 description='Delete the project quotas configuration for the '
 'project with the requested UUID.',
 operations=[
diff --git a/barbican/common/policies/secretstores.py b/barbican/common/policies/secretstores.py
index ff94c288c..5eb989a0c 100644
--- a/barbican/common/policies/secretstores.py
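Review bot: The three `project_quotas:*` rules (and `transport_key:delete` / `transport_keys:post` in transportkeys.py, which make the same change) now check a bare `role:admin` under `scope_types=['project']` with no `project_id:%(...)s` comparison, so the token's project is irrelevant and an admin of any project can read, set or delete the quotas of any project UUID named in the path. That is the Phase 1 semantics the commit message describes, but nothing in the rule says so, and a later reader may well "fix" it by adding a project match and break cross-project administration. `project_quotas:get` additionally drops the reader persona that `rule:system_reader` allowed, which the release note does not mention. A comment above each of these rules, e.g. `# Deployment-wide operation: role:admin in any project, no project match by design (Phase 1 RBAC)`, and a release-note sentence that reader tokens can no longer list quotas, would document both.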
+++ b/barbican/common/policies/secretstores.py
@@ -57,7 +57,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='secretstores:get',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get list of available secret store backends.',
 operations=[
 {
@@ -70,7 +70,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='secretstores:get_global_default',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get a reference to the secret store that is used as ' +
 'default secret store backend for the deployment.',
 operations=[
@@ -84,7 +84,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='secretstores:get_preferred',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get a reference to the preferred secret store if ' +
 'assigned previously.',
 operations=[
@@ -126,7 +126,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='secretstore:get',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get details of secret store by its ID.',
 operations=[
 {
diff --git a/barbican/common/policies/transportkeys.py b/barbican/common/policies/transportkeys.py
index 30604ce5c..4b1782118 100644
--- a/barbican/common/policies/transportkeys.py
+++ b/barbican/common/policies/transportkeys.py
@@ -45,7 +45,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='transport_key:get',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get a specific transport key.',
 operations=[
 {
@@ -57,8 +57,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='transport_key:delete',
- check_str='True:%(enforce_new_defaults)s and rule:system_admin',
- scope_types=['system'],
+ check_str='True:%(enforce_new_defaults)s and role:admin',
+ scope_types=['project'],
 description='Delete a specific transport key.',
 operations=[
 {
@@ -71,7 +71,7 @@ rules = [
 policy.DocumentedRuleDefault(
 name='transport_keys:get',
 check_str='True:%(enforce_new_defaults)s and role:reader',
- scope_types=['project', 'system'],
+ scope_types=['project'],
 description='Get a list of all transport keys.',
 operations=[
 {
@@ -83,8 +83,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='transport_keys:post',
- check_str='True:%(enforce_new_defaults)s and rule:system_admin',
- scope_types=['system'],
+ check_str='True:%(enforce_new_defaults)s and role:admin',
+ scope_types=['project'],
 description='Create a new transport key.',
 operations=[
 {
diff --git a/releasenotes/notes/remove-system-scope-from-policy-f2f68c42c0742812.yaml b/releasenotes/notes/remove-system-scope-from-policy-f2f68c42c0742812.yaml
new file mode 100644
index 000000000..a819a0df8
--- /dev/null
+++ b/releasenotes/notes/remove-system-scope-from-policy-f2f68c42c0742812.yaml
@@ -0,0 +1,8 @@
+---
+security:
+ - |
+ System scope has been removed from the RBAC policies as specified in the
+ Consistent and Secure Default RBAC community goal. See:
+ https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
+ APIs that required system scoped tokens can now be accessed by using a
+ project scoped token with the "admin" role.