Merge "Remove System scope from policy"
This commit is contained in:
commit
5a1b80f38a
@ -111,7 +111,8 @@
|
||||
- barbican-grenade:
|
||||
voting: false
|
||||
- barbican-tempest-plugin-simple-crypto
|
||||
- barbican-tempest-plugin-simple-crypto-secure-rbac
|
||||
- barbican-tempest-plugin-simple-crypto-secure-rbac:
|
||||
voting: false
|
||||
- barbican-tempest-plugin-simple-crypto-ipv6-only
|
||||
- barbican-tox-functional-fips:
|
||||
voting: false
|
||||
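Review bot: The hunk's line counts (7 old, 8 new) only fit a reading where the two-line `- barbican-tempest-plugin-simple-crypto-secure-rbac:` / `voting: false` form is the new side, so the secure-RBAC tempest job stops gating in the very commit that rewrites every check_str to drop system scope. That lands the policy change with no voting coverage of the new defaults; presumably the plugin still issues system-scoped requests and would fail, but the reason and the path back should be recorded next to the entry, e.g. `# TODO: restore voting once barbican-tempest-plugin is updated for project-scope-only RBAC`, with the tracking change referenced. If the print order has the sides reversed the concern disappears, but the counts do not support that reading.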
|
@ -19,13 +19,6 @@ LEGACY_POLICY_DEPRECATION = (
|
||||
)
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
name='system_reader',
|
||||
check_str='role:reader and system_scope:all'),
|
||||
policy.RuleDefault(
|
||||
name='system_admin',
|
||||
check_str='role:admin and system_scope:all'),
|
||||
|
||||
policy.RuleDefault(
|
||||
name='secret_project_match',
|
||||
check_str='project_id:%(target.secret.project_id)s'),
|
||||
|
@ -82,12 +82,12 @@ rules = [
|
||||
name='consumer:get',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(role:admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
# This API is unusable. There is no way for a user to get
|
||||
# the consumer-id they would need to send a request.
|
||||
description='DEPRECATED: show information for a specific consumer',
|
||||
@ -101,12 +101,12 @@ rules = [
|
||||
name='container_consumers:get',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='List a containers consumers.',
|
||||
operations=[
|
||||
{
|
||||
@ -120,12 +120,12 @@ rules = [
|
||||
name='container_consumers:post',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Creates a consumer.',
|
||||
operations=[
|
||||
{
|
||||
@ -139,12 +139,12 @@ rules = [
|
||||
name='container_consumers:delete',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Deletes a consumer.',
|
||||
operations=[
|
||||
{
|
||||
@ -158,11 +158,11 @@ rules = [
|
||||
name='secret_consumers:get',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:secret_project_admin or '
|
||||
'(rule:secret_project_admin or '
|
||||
'(rule:secret_project_member and rule:secret_owner) or '
|
||||
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||
'rule:secret_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='List consumers for a secret.',
|
||||
operations=[
|
||||
{
|
||||
@ -176,11 +176,11 @@ rules = [
|
||||
name='secret_consumers:post',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:secret_project_admin or '
|
||||
'(rule:secret_project_admin or '
|
||||
'(rule:secret_project_member and rule:secret_owner) or '
|
||||
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||
'rule:secret_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Creates a consumer.',
|
||||
operations=[
|
||||
{
|
||||
@ -194,11 +194,11 @@ rules = [
|
||||
name='secret_consumers:delete',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:secret_project_admin or '
|
||||
'(rule:secret_project_admin or '
|
||||
'(rule:secret_project_member and rule:secret_owner) or '
|
||||
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||
'rule:secret_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Deletes a consumer.',
|
||||
operations=[
|
||||
{
|
||||
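Review bot: `consumer:get` and the other five rules in this file now disagree on what replaces `rule:system_admin`: `consumer:get` becomes `'(role:admin or '`, while `container_consumers:*` and `secret_consumers:*` keep only `rule:container_project_admin` / `rule:secret_project_admin`. If those `*_project_admin` rules include a project match (their definitions are outside this hunk), a deployment admin who is not a member of the owning project has lost the list/create/delete access that system scope used to give, contradicting the release note's claim that a project-scoped admin token now suffices; conversely `consumer:get` grants any project's admin read access to any container's consumers. Pick one semantics and apply it to all six, e.g. `'(role:admin or '` everywhere if admin is meant to be deployment-wide, or `'(rule:container_project_admin or '` in `consumer:get` if it is not, and add a one-line comment above the rules stating the choice. Each DocumentedRuleDefault here continues outside its hunk (the operations lists are cut).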
|
@ -57,8 +57,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='project_quotas:get',
|
||||
check_str='True:%(enforce_new_defaults)s and rule:system_reader',
|
||||
scope_types=['system'],
|
||||
check_str='True:%(enforce_new_defaults)s and role:admin',
|
||||
scope_types=['project'],
|
||||
description='List quotas for the specified project.',
|
||||
operations=[
|
||||
{
|
||||
@ -74,8 +74,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='project_quotas:put',
|
||||
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
|
||||
scope_types=['system'],
|
||||
check_str='True:%(enforce_new_defaults)s and role:admin',
|
||||
scope_types=['project'],
|
||||
description='Create or update the configured project quotas for '
|
||||
'the project with the specified UUID.',
|
||||
operations=[
|
||||
@ -88,8 +88,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='project_quotas:delete',
|
||||
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
|
||||
scope_types=['system'],
|
||||
check_str='True:%(enforce_new_defaults)s and role:admin',
|
||||
scope_types=['project'],
|
||||
description='Delete the project quotas configuration for the '
|
||||
'project with the requested UUID.',
|
||||
operations=[
|
||||
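Review bot: `project_quotas:put` and `project_quotas:delete` now pass on bare `role:admin` with `scope_types=['project']`, and nothing ties the token's project to the project UUID in the request, so an admin of any project can set or delete every other project's quotas; the old `rule:system_admin` name made that deployment-wide intent explicit and the new string does not. That matches the community goal's treatment of admin as deployment-wide, but it deserves a comment on each rule, e.g. `# Quotas are deployment-wide: any project-scoped admin may manage any project's quotas.`. Note also that `project_quotas:get` moved from `rule:system_reader` to `role:admin` rather than `role:reader`, so reader-role tokens lose access entirely; if intended, the release note should say so. Operators who copied `rule:system_reader` or `rule:system_admin` into a policy.yaml override will find those names undefined once base.py drops them, and oslo.policy evaluates a reference to an unknown rule as deny rather than raising, so the cutover should be called out as a fail-closed change.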
|
@ -57,7 +57,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secretstores:get',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get list of available secret store backends.',
|
||||
operations=[
|
||||
{
|
||||
@ -70,7 +70,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secretstores:get_global_default',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get a reference to the secret store that is used as ' +
|
||||
'default secret store backend for the deployment.',
|
||||
operations=[
|
||||
@ -84,7 +84,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secretstores:get_preferred',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get a reference to the preferred secret store if ' +
|
||||
'assigned previously.',
|
||||
operations=[
|
||||
@ -126,7 +126,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secretstore:get',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get details of secret store by its ID.',
|
||||
operations=[
|
||||
{
|
||||
|
@ -45,7 +45,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='transport_key:get',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get a specific transport key.',
|
||||
operations=[
|
||||
{
|
||||
@ -57,8 +57,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='transport_key:delete',
|
||||
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
|
||||
scope_types=['system'],
|
||||
check_str='True:%(enforce_new_defaults)s and role:admin',
|
||||
scope_types=['project'],
|
||||
description='Delete a specific transport key.',
|
||||
operations=[
|
||||
{
|
||||
@ -71,7 +71,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='transport_keys:get',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get a list of all transport keys.',
|
||||
operations=[
|
||||
{
|
||||
@ -83,8 +83,8 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='transport_keys:post',
|
||||
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
|
||||
scope_types=['system'],
|
||||
check_str='True:%(enforce_new_defaults)s and role:admin',
|
||||
scope_types=['project'],
|
||||
description='Create a new transport key.',
|
||||
operations=[
|
||||
{
|
||||
|
@ -0,0 +1,8 @@
|
||||
---
|
||||
security:
|
||||
- |
|
||||
System scope has been removed from the RBAC policies as specified in the
|
||||
Consistent and Secure Default RBAC community goal. See:
|
||||
https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
|
||||
APIs that required system scoped tokens can now be accessed by using a
|
||||
project scoped token with the "admin" role.
|