Merge "Fix Secure RBAC policies for Consumers"
This commit is contained in:
commit
81ede2b9f8
@ -19,6 +19,9 @@ LEGACY_POLICY_DEPRECATION = (
|
||||
)
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
name='system_admin',
|
||||
check_str='role:amdin and system_scope:all'),
|
||||
policy.RuleDefault(
|
||||
name='admin',
|
||||
check_str='role:admin'),
|
||||
|
@ -10,41 +10,83 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from barbican.common.policies import base
|
||||
|
||||
# FIXME(hrybacki): Note that the GET rules have the same check strings.
|
||||
# The POST/DELETE rules also share the check stirngs.
|
||||
# These can probably be turned into constants in base
|
||||
|
||||
|
||||
_READER = "role:reader"
|
||||
_MEMBER = "role:member"
|
||||
_ADMIN = "role:admin"
|
||||
_SYSTEM_ADMIN = "role:admin and system_scope:all"
|
||||
|
||||
_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
|
||||
_SECRET_PROJECT = "project_id:%(target.secret.project_id)s"
|
||||
_SECRET_MEMBER = f"{_MEMBER} and {_SECRET_PROJECT}"
|
||||
_SECRET_ADMIN = f"{_ADMIN} and {_SECRET_PROJECT}"
|
||||
_SECRET_ACCESS = (f"{_SECRET_CREATOR} or ({_SECRET_MEMBER} and "
|
||||
f"True:%(target.secret.read_project_access)s)")
|
||||
|
||||
_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
|
||||
_CONTAINER_PROJECT = "project_id:%(target.container.project_id)s"
|
||||
_CONTAINER_MEMBER = f"{_MEMBER} and {_CONTAINER_PROJECT}"
|
||||
_CONTAINER_ADMIN = f"{_ADMIN} and {_CONTAINER_PROJECT}"
|
||||
_CONTAINER_ACCESS = (f"{_CONTAINER_CREATOR} or ({_CONTAINER_MEMBER} and "
|
||||
f"True:%(target.container.read_project_access)s)")
|
||||
deprecated_consumer_get = policy.DeprecatedRule(
|
||||
name='consumer:get',
|
||||
check_str='rule:admin or rule:observer or rule:creator or ' +
|
||||
'rule:audit or rule:container_non_private_read or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_admin or rule:container_acl_read',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_container_consumers_get = policy.DeprecatedRule(
|
||||
name='container_consumers:get',
|
||||
check_str='rule:container_non_private_read or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_admin or rule:container_acl_read',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_container_consumers_post = policy.DeprecatedRule(
|
||||
name='container_consumers:post',
|
||||
check_str='rule:container_non_private_read or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_admin or rule:container_acl_read ',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_container_consumers_delete = policy.DeprecatedRule(
|
||||
name='container_consumers:delete',
|
||||
check_str='rule:container_non_private_read or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_admin or rule:container_acl_read ',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_secret_consumers_get = policy.DeprecatedRule(
|
||||
name='secret_consumers:get',
|
||||
check_str='rule:secret_non_private_read or ' +
|
||||
'rule:secret_project_creator or ' +
|
||||
'rule:secret_project_admin or rule:secret_acl_read',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_secret_consumers_post = policy.DeprecatedRule(
|
||||
name='secret_consumers:post',
|
||||
check_str='rule:secret_non_private_read or ' +
|
||||
'rule:secret_project_creator or ' +
|
||||
'rule:secret_project_admin or rule:secret_acl_read',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
deprecated_secret_consumers_delete = policy.DeprecatedRule(
|
||||
name='secret_consumers:delete',
|
||||
check_str='rule:secret_non_private_read or ' +
|
||||
'rule:secret_project_creator or ' +
|
||||
'rule:secret_project_admin or rule:secret_acl_read',
|
||||
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='consumer:get',
|
||||
check_str='rule:admin or rule:observer or rule:creator or ' +
|
||||
'rule:audit or rule:container_non_private_read or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_admin or rule:container_acl_read' +
|
||||
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
|
||||
f"{_SYSTEM_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
# This API is unusable. There is no way for a user to get
|
||||
# the consumer-id they would need to send a request.
|
||||
@ -52,15 +94,18 @@ rules = [
|
||||
operations=[{
|
||||
'path': '/v1/containers/{container-id}/consumers/{consumer-id}',
|
||||
'method': 'GET'
|
||||
}]
|
||||
}],
|
||||
deprecated_rule=deprecated_consumer_get
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='container_consumers:get',
|
||||
check_str='rule:container_non_private_read or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_admin or rule:container_acl_read ' +
|
||||
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
|
||||
f"{_SYSTEM_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
description='List a containers consumers.',
|
||||
operations=[
|
||||
@ -68,15 +113,18 @@ rules = [
|
||||
'path': '/v1/containers/{container-id}/consumers',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_container_consumers_get
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='container_consumers:post',
|
||||
check_str='rule:container_non_private_read or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_admin or rule:container_acl_read ' +
|
||||
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
|
||||
f"{_SYSTEM_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
description='Creates a consumer.',
|
||||
operations=[
|
||||
@ -84,15 +132,18 @@ rules = [
|
||||
'path': '/v1/containers/{container-id}/consumers',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_container_consumers_post
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='container_consumers:delete',
|
||||
check_str='rule:container_non_private_read or ' +
|
||||
'rule:container_project_creator or ' +
|
||||
'rule:container_project_admin or rule:container_acl_read ' +
|
||||
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
|
||||
f"{_SYSTEM_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
description='Deletes a consumer.',
|
||||
operations=[
|
||||
@ -100,15 +151,17 @@ rules = [
|
||||
'path': '/v1/containers/{container-id}/consumers',
|
||||
'method': 'DELETE'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_container_consumers_delete
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_consumers:get',
|
||||
check_str='rule:secret_non_private_read or ' +
|
||||
'rule:secret_project_creator or ' +
|
||||
'rule:secret_project_admin or rule:secret_acl_read ' +
|
||||
f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
|
||||
f"{_SYSTEM_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:secret_project_admin or '
|
||||
'(rule:secret_project_member and rule:secret_owner) or '
|
||||
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||
'rule:secret_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
description='List consumers for a secret.',
|
||||
operations=[
|
||||
@ -116,15 +169,17 @@ rules = [
|
||||
'path': '/v1/secrets/{secret-id}/consumers',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_secret_consumers_get
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_consumers:post',
|
||||
check_str='rule:secret_non_private_read or ' +
|
||||
'rule:secret_project_creator or ' +
|
||||
'rule:secret_project_admin or rule:secret_acl_read ' +
|
||||
f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
|
||||
f"{_SYSTEM_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:secret_project_admin or '
|
||||
'(rule:secret_project_member and rule:secret_owner) or '
|
||||
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||
'rule:secret_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
description='Creates a consumer.',
|
||||
operations=[
|
||||
@ -132,15 +187,17 @@ rules = [
|
||||
'path': '/v1/secrets/{secrets-id}/consumers',
|
||||
'method': 'POST'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_secret_consumers_post
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='secret_consumers:delete',
|
||||
check_str='rule:secret_non_private_read or ' +
|
||||
'rule:secret_project_creator or ' +
|
||||
'rule:secret_project_admin or rule:secret_acl_read ' +
|
||||
f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
|
||||
f"{_SYSTEM_ADMIN}",
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:secret_project_admin or '
|
||||
'(rule:secret_project_member and rule:secret_owner) or '
|
||||
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||
'rule:secret_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
description='Deletes a consumer.',
|
||||
operations=[
|
||||
@ -148,7 +205,8 @@ rules = [
|
||||
'path': '/v1/secrets/{secrets-id}/consumers',
|
||||
'method': 'DELETE'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_secret_consumers_delete
|
||||
),
|
||||
]
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user