Merge "Fix Secure RBAC policies for Consumers"

This commit is contained in:
Zuul 2022-08-25 22:27:36 +00:00 committed by Gerrit Code Review
commit 81ede2b9f8
2 changed files with 123 additions and 62 deletions

View File

@ -19,6 +19,9 @@ LEGACY_POLICY_DEPRECATION = (
)
rules = [
policy.RuleDefault(
name='system_admin',
check_str='role:amdin and system_scope:all'),
policy.RuleDefault(
name='admin',
check_str='role:admin'),

View File

@ -10,41 +10,83 @@
# License for the specific language governing permissions and limitations
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from barbican.common.policies import base
# FIXME(hrybacki): Note that the GET rules have the same check strings.
# The POST/DELETE rules also share the check stirngs.
# These can probably be turned into constants in base
_READER = "role:reader"
_MEMBER = "role:member"
_ADMIN = "role:admin"
_SYSTEM_ADMIN = "role:admin and system_scope:all"
_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
_SECRET_PROJECT = "project_id:%(target.secret.project_id)s"
_SECRET_MEMBER = f"{_MEMBER} and {_SECRET_PROJECT}"
_SECRET_ADMIN = f"{_ADMIN} and {_SECRET_PROJECT}"
_SECRET_ACCESS = (f"{_SECRET_CREATOR} or ({_SECRET_MEMBER} and "
f"True:%(target.secret.read_project_access)s)")
_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
_CONTAINER_PROJECT = "project_id:%(target.container.project_id)s"
_CONTAINER_MEMBER = f"{_MEMBER} and {_CONTAINER_PROJECT}"
_CONTAINER_ADMIN = f"{_ADMIN} and {_CONTAINER_PROJECT}"
_CONTAINER_ACCESS = (f"{_CONTAINER_CREATOR} or ({_CONTAINER_MEMBER} and "
f"True:%(target.container.read_project_access)s)")
deprecated_consumer_get = policy.DeprecatedRule(
name='consumer:get',
check_str='rule:admin or rule:observer or rule:creator or ' +
'rule:audit or rule:container_non_private_read or ' +
'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_container_consumers_get = policy.DeprecatedRule(
name='container_consumers:get',
check_str='rule:container_non_private_read or ' +
'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_container_consumers_post = policy.DeprecatedRule(
name='container_consumers:post',
check_str='rule:container_non_private_read or ' +
'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read ',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_container_consumers_delete = policy.DeprecatedRule(
name='container_consumers:delete',
check_str='rule:container_non_private_read or ' +
'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read ',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_secret_consumers_get = policy.DeprecatedRule(
name='secret_consumers:get',
check_str='rule:secret_non_private_read or ' +
'rule:secret_project_creator or ' +
'rule:secret_project_admin or rule:secret_acl_read',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_secret_consumers_post = policy.DeprecatedRule(
name='secret_consumers:post',
check_str='rule:secret_non_private_read or ' +
'rule:secret_project_creator or ' +
'rule:secret_project_admin or rule:secret_acl_read',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
deprecated_secret_consumers_delete = policy.DeprecatedRule(
name='secret_consumers:delete',
check_str='rule:secret_non_private_read or ' +
'rule:secret_project_creator or ' +
'rule:secret_project_admin or rule:secret_acl_read',
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
deprecated_since=versionutils.deprecated.WALLABY
)
rules = [
policy.DocumentedRuleDefault(
name='consumer:get',
check_str='rule:admin or rule:observer or rule:creator or ' +
'rule:audit or rule:container_non_private_read or ' +
'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read' +
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
check_str=(
'True:%(enforce_new_defaults)s and '
'(rule:system_admin or rule:container_project_admin or '
'(rule:container_project_member and rule:container_owner) or '
'(rule:container_project_member and '
' rule:container_is_not_private) or '
'rule:container_acl_read)'),
scope_types=['project', 'system'],
# This API is unusable. There is no way for a user to get
# the consumer-id they would need to send a request.
@ -52,15 +94,18 @@ rules = [
operations=[{
'path': '/v1/containers/{container-id}/consumers/{consumer-id}',
'method': 'GET'
}]
}],
deprecated_rule=deprecated_consumer_get
),
policy.DocumentedRuleDefault(
name='container_consumers:get',
check_str='rule:container_non_private_read or ' +
'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read ' +
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
check_str=(
'True:%(enforce_new_defaults)s and '
'(rule:system_admin or rule:container_project_admin or '
'(rule:container_project_member and rule:container_owner) or '
'(rule:container_project_member and '
' rule:container_is_not_private) or '
'rule:container_acl_read)'),
scope_types=['project', 'system'],
description='List a containers consumers.',
operations=[
@ -68,15 +113,18 @@ rules = [
'path': '/v1/containers/{container-id}/consumers',
'method': 'GET'
}
]
],
deprecated_rule=deprecated_container_consumers_get
),
policy.DocumentedRuleDefault(
name='container_consumers:post',
check_str='rule:container_non_private_read or ' +
'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read ' +
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
check_str=(
'True:%(enforce_new_defaults)s and '
'(rule:system_admin or rule:container_project_admin or '
'(rule:container_project_member and rule:container_owner) or '
'(rule:container_project_member and '
' rule:container_is_not_private) or '
'rule:container_acl_read)'),
scope_types=['project', 'system'],
description='Creates a consumer.',
operations=[
@ -84,15 +132,18 @@ rules = [
'path': '/v1/containers/{container-id}/consumers',
'method': 'POST'
}
]
],
deprecated_rule=deprecated_container_consumers_post
),
policy.DocumentedRuleDefault(
name='container_consumers:delete',
check_str='rule:container_non_private_read or ' +
'rule:container_project_creator or ' +
'rule:container_project_admin or rule:container_acl_read ' +
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
check_str=(
'True:%(enforce_new_defaults)s and '
'(rule:system_admin or rule:container_project_admin or '
'(rule:container_project_member and rule:container_owner) or '
'(rule:container_project_member and '
' rule:container_is_not_private) or '
'rule:container_acl_read)'),
scope_types=['project', 'system'],
description='Deletes a consumer.',
operations=[
@ -100,15 +151,17 @@ rules = [
'path': '/v1/containers/{container-id}/consumers',
'method': 'DELETE'
}
]
],
deprecated_rule=deprecated_container_consumers_delete
),
policy.DocumentedRuleDefault(
name='secret_consumers:get',
check_str='rule:secret_non_private_read or ' +
'rule:secret_project_creator or ' +
'rule:secret_project_admin or rule:secret_acl_read ' +
f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
check_str=(
'True:%(enforce_new_defaults)s and '
'(rule:system_admin or rule:secret_project_admin or '
'(rule:secret_project_member and rule:secret_owner) or '
'(rule:secret_project_member and rule:secret_is_not_private) or '
'rule:secret_acl_read)'),
scope_types=['project', 'system'],
description='List consumers for a secret.',
operations=[
@ -116,15 +169,17 @@ rules = [
'path': '/v1/secrets/{secret-id}/consumers',
'method': 'GET'
}
]
],
deprecated_rule=deprecated_secret_consumers_get
),
policy.DocumentedRuleDefault(
name='secret_consumers:post',
check_str='rule:secret_non_private_read or ' +
'rule:secret_project_creator or ' +
'rule:secret_project_admin or rule:secret_acl_read ' +
f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
check_str=(
'True:%(enforce_new_defaults)s and '
'(rule:system_admin or rule:secret_project_admin or '
'(rule:secret_project_member and rule:secret_owner) or '
'(rule:secret_project_member and rule:secret_is_not_private) or '
'rule:secret_acl_read)'),
scope_types=['project', 'system'],
description='Creates a consumer.',
operations=[
@ -132,15 +187,17 @@ rules = [
'path': '/v1/secrets/{secrets-id}/consumers',
'method': 'POST'
}
]
],
deprecated_rule=deprecated_secret_consumers_post
),
policy.DocumentedRuleDefault(
name='secret_consumers:delete',
check_str='rule:secret_non_private_read or ' +
'rule:secret_project_creator or ' +
'rule:secret_project_admin or rule:secret_acl_read ' +
f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
f"{_SYSTEM_ADMIN}",
check_str=(
'True:%(enforce_new_defaults)s and '
'(rule:system_admin or rule:secret_project_admin or '
'(rule:secret_project_member and rule:secret_owner) or '
'(rule:secret_project_member and rule:secret_is_not_private) or '
'rule:secret_acl_read)'),
scope_types=['project', 'system'],
description='Deletes a consumer.',
operations=[
@ -148,7 +205,8 @@ rules = [
'path': '/v1/secrets/{secrets-id}/consumers',
'method': 'DELETE'
}
]
],
deprecated_rule=deprecated_secret_consumers_delete
),
]