Fix Secure RBAC policies for Containers API
This patch fixes the Consumers API policies to ensure that they are only evaluated when enforce_new_defaults = True Change-Id: I4e91ca55e3d4030dfdc55d78b92ec3ad3f94bd64
This commit is contained in:
Douglas Mendizábal
parent
b6002aa3d0
commit
6e53363f52
@ -10,21 +10,63 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from barbican.common.policies import base
|
||||
|
||||
_READER = "role:reader"
|
||||
_MEMBER = "role:member"
|
||||
_ADMIN = "role:admin"
|
||||
_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s"
|
||||
_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s"
|
||||
_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
|
||||
_CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
|
||||
|
||||
deprecated_containers_post = policy.DeprecatedRule(
|
||||
name='containers:post',
|
||||
check_str='rule:admin_or_creator',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_containers_get = policy.DeprecatedRule(
|
||||
name='containers:get',
|
||||
check_str='rule:all_but_audit',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_container_get = policy.DeprecatedRule(
|
||||
name='container:get',
|
||||
check_str='rule:container_non_private_read or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_admin or ' +
|
||||
'rule:container_acl_read',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_container_delete = policy.DeprecatedRule(
|
||||
name='container:delete',
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_container_secret_post = policy.DeprecatedRule(
|
||||
name='container_secret:post',
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_creator_role and ' +
|
||||
'rule:container_non_private_read',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_container_secret_delete = policy.DeprecatedRule(
|
||||
name='container_secret:delete',
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_creator_role and ' +
|
||||
'rule:container_non_private_read',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='containers:post',
|
||||
check_str=f"rule:admin_or_creator or {_MEMBER}",
|
||||
check_str='True:%(enforce_new_defaults)s and role:member',
|
||||
scope_types=['project'],
|
||||
description='Creates a container.',
|
||||
operations=[
|
||||
@ -32,11 +74,12 @@ rules = [
|
||||
'path': '/v1/containers',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_containers_post
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='containers:get',
|
||||
check_str=f"rule:all_but_audit or {_MEMBER}",
|
||||
check_str='True:%(enforce_new_defaults)s and role:member',
|
||||
scope_types=['project'],
|
||||
description='Lists a projects containers.',
|
||||
operations=[
|
||||
@ -44,16 +87,18 @@ rules = [
|
||||
'path': '/v1/containers',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_containers_get
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='container:get',
|
||||
check_str='rule:container_non_private_read or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_admin or ' +
|
||||
'rule:container_acl_read or ' +
|
||||
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project'],
|
||||
description='Retrieves a single container.',
|
||||
operations=[
|
||||
@ -61,14 +106,17 @@ rules = [
|
||||
'path': '/v1/containers/{container-id}',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_container_get
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='container:delete',
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private))'),
|
||||
scope_types=['project'],
|
||||
description='Deletes a container.',
|
||||
operations=[
|
||||
@ -76,16 +124,17 @@ rules = [
|
||||
'path': '/v1/containers/{uuid}',
|
||||
'method': 'DELETE'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_container_delete
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='container_secret:post',
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_creator_role and ' +
|
||||
'rule:container_non_private_read or ' +
|
||||
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private))'),
|
||||
scope_types=['project'],
|
||||
description='Add a secret to an existing container.',
|
||||
operations=[
|
||||
@ -93,16 +142,17 @@ rules = [
|
||||
'path': '/v1/containers/{container-id}/secrets',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_container_secret_post
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='container_secret:delete',
|
||||
check_str='rule:container_project_admin or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_creator_role and ' +
|
||||
'rule:container_non_private_read or ' +
|
||||
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private))'),
|
||||
scope_types=['project'],
|
||||
description='Remove a secret from a container.',
|
||||
operations=[
|
||||
@ -110,7 +160,8 @@ rules = [
|
||||
'path': '/v1/containers/{container-id}/secrets/{secret-id}',
|
||||
'method': 'DELETE'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_container_secret_delete
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user