Merge "Fix Secure RBAC policies for Consumers"
This commit is contained in:
Zuul
Gerrit Code Review
commit
81ede2b9f8
@ -19,6 +19,9 @@ LEGACY_POLICY_DEPRECATION = (
|
|||||||
)
|
)
|
||||||
|
|
||||||
rules = [
|
rules = [
|
||||||
|
policy.RuleDefault(
|
||||||
|
name='system_admin',
|
||||||
|
check_str='role:amdin and system_scope:all'),
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
name='admin',
|
name='admin',
|
||||||
check_str='role:admin'),
|
check_str='role:admin'),
|
||||||
|
|||||||
@ -10,41 +10,83 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_log import versionutils
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from barbican.common.policies import base
|
||||||
|
|
||||||
# FIXME(hrybacki): Note that the GET rules have the same check strings.
|
# FIXME(hrybacki): Note that the GET rules have the same check strings.
|
||||||
# The POST/DELETE rules also share the check stirngs.
|
# The POST/DELETE rules also share the check stirngs.
|
||||||
# These can probably be turned into constants in base
|
# These can probably be turned into constants in base
|
||||||
|
|
||||||
|
deprecated_consumer_get = policy.DeprecatedRule(
|
||||||
_READER = "role:reader"
|
name='consumer:get',
|
||||||
_MEMBER = "role:member"
|
check_str='rule:admin or rule:observer or rule:creator or ' +
|
||||||
_ADMIN = "role:admin"
|
'rule:audit or rule:container_non_private_read or ' +
|
||||||
_SYSTEM_ADMIN = "role:admin and system_scope:all"
|
'rule:container_project_creator or ' +
|
||||||
|
'rule:container_project_admin or rule:container_acl_read',
|
||||||
_SECRET_CREATOR = "user_id:%(target.secret.creator_id)s"
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
_SECRET_PROJECT = "project_id:%(target.secret.project_id)s"
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
_SECRET_MEMBER = f"{_MEMBER} and {_SECRET_PROJECT}"
|
)
|
||||||
_SECRET_ADMIN = f"{_ADMIN} and {_SECRET_PROJECT}"
|
deprecated_container_consumers_get = policy.DeprecatedRule(
|
||||||
_SECRET_ACCESS = (f"{_SECRET_CREATOR} or ({_SECRET_MEMBER} and "
|
name='container_consumers:get',
|
||||||
f"True:%(target.secret.read_project_access)s)")
|
check_str='rule:container_non_private_read or ' +
|
||||||
|
'rule:container_project_creator or ' +
|
||||||
_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
|
'rule:container_project_admin or rule:container_acl_read',
|
||||||
_CONTAINER_PROJECT = "project_id:%(target.container.project_id)s"
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
_CONTAINER_MEMBER = f"{_MEMBER} and {_CONTAINER_PROJECT}"
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
_CONTAINER_ADMIN = f"{_ADMIN} and {_CONTAINER_PROJECT}"
|
)
|
||||||
_CONTAINER_ACCESS = (f"{_CONTAINER_CREATOR} or ({_CONTAINER_MEMBER} and "
|
deprecated_container_consumers_post = policy.DeprecatedRule(
|
||||||
f"True:%(target.container.read_project_access)s)")
|
name='container_consumers:post',
|
||||||
|
check_str='rule:container_non_private_read or ' +
|
||||||
|
'rule:container_project_creator or ' +
|
||||||
|
'rule:container_project_admin or rule:container_acl_read ',
|
||||||
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
|
)
|
||||||
|
deprecated_container_consumers_delete = policy.DeprecatedRule(
|
||||||
|
name='container_consumers:delete',
|
||||||
|
check_str='rule:container_non_private_read or ' +
|
||||||
|
'rule:container_project_creator or ' +
|
||||||
|
'rule:container_project_admin or rule:container_acl_read ',
|
||||||
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
|
)
|
||||||
|
deprecated_secret_consumers_get = policy.DeprecatedRule(
|
||||||
|
name='secret_consumers:get',
|
||||||
|
check_str='rule:secret_non_private_read or ' +
|
||||||
|
'rule:secret_project_creator or ' +
|
||||||
|
'rule:secret_project_admin or rule:secret_acl_read',
|
||||||
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
|
)
|
||||||
|
deprecated_secret_consumers_post = policy.DeprecatedRule(
|
||||||
|
name='secret_consumers:post',
|
||||||
|
check_str='rule:secret_non_private_read or ' +
|
||||||
|
'rule:secret_project_creator or ' +
|
||||||
|
'rule:secret_project_admin or rule:secret_acl_read',
|
||||||
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
|
)
|
||||||
|
deprecated_secret_consumers_delete = policy.DeprecatedRule(
|
||||||
|
name='secret_consumers:delete',
|
||||||
|
check_str='rule:secret_non_private_read or ' +
|
||||||
|
'rule:secret_project_creator or ' +
|
||||||
|
'rule:secret_project_admin or rule:secret_acl_read',
|
||||||
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
|
)
|
||||||
|
|
||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='consumer:get',
|
name='consumer:get',
|
||||||
check_str='rule:admin or rule:observer or rule:creator or ' +
|
check_str=(
|
||||||
'rule:audit or rule:container_non_private_read or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
'rule:container_project_creator or ' +
|
'(rule:system_admin or rule:container_project_admin or '
|
||||||
'rule:container_project_admin or rule:container_acl_read' +
|
'(rule:container_project_member and rule:container_owner) or '
|
||||||
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
|
'(rule:container_project_member and '
|
||||||
f"{_SYSTEM_ADMIN}",
|
' rule:container_is_not_private) or '
|
||||||
|
'rule:container_acl_read)'),
|
||||||
scope_types=['project', 'system'],
|
scope_types=['project', 'system'],
|
||||||
# This API is unusable. There is no way for a user to get
|
# This API is unusable. There is no way for a user to get
|
||||||
# the consumer-id they would need to send a request.
|
# the consumer-id they would need to send a request.
|
||||||
@ -52,15 +94,18 @@ rules = [
|
|||||||
operations=[{
|
operations=[{
|
||||||
'path': '/v1/containers/{container-id}/consumers/{consumer-id}',
|
'path': '/v1/containers/{container-id}/consumers/{consumer-id}',
|
||||||
'method': 'GET'
|
'method': 'GET'
|
||||||
}]
|
}],
|
||||||
|
deprecated_rule=deprecated_consumer_get
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='container_consumers:get',
|
name='container_consumers:get',
|
||||||
check_str='rule:container_non_private_read or ' +
|
check_str=(
|
||||||
'rule:container_project_creator or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
'rule:container_project_admin or rule:container_acl_read ' +
|
'(rule:system_admin or rule:container_project_admin or '
|
||||||
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
|
'(rule:container_project_member and rule:container_owner) or '
|
||||||
f"{_SYSTEM_ADMIN}",
|
'(rule:container_project_member and '
|
||||||
|
' rule:container_is_not_private) or '
|
||||||
|
'rule:container_acl_read)'),
|
||||||
scope_types=['project', 'system'],
|
scope_types=['project', 'system'],
|
||||||
description='List a containers consumers.',
|
description='List a containers consumers.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -68,15 +113,18 @@ rules = [
|
|||||||
'path': '/v1/containers/{container-id}/consumers',
|
'path': '/v1/containers/{container-id}/consumers',
|
||||||
'method': 'GET'
|
'method': 'GET'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_container_consumers_get
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='container_consumers:post',
|
name='container_consumers:post',
|
||||||
check_str='rule:container_non_private_read or ' +
|
check_str=(
|
||||||
'rule:container_project_creator or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
'rule:container_project_admin or rule:container_acl_read ' +
|
'(rule:system_admin or rule:container_project_admin or '
|
||||||
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
|
'(rule:container_project_member and rule:container_owner) or '
|
||||||
f"{_SYSTEM_ADMIN}",
|
'(rule:container_project_member and '
|
||||||
|
' rule:container_is_not_private) or '
|
||||||
|
'rule:container_acl_read)'),
|
||||||
scope_types=['project', 'system'],
|
scope_types=['project', 'system'],
|
||||||
description='Creates a consumer.',
|
description='Creates a consumer.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -84,15 +132,18 @@ rules = [
|
|||||||
'path': '/v1/containers/{container-id}/consumers',
|
'path': '/v1/containers/{container-id}/consumers',
|
||||||
'method': 'POST'
|
'method': 'POST'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_container_consumers_post
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='container_consumers:delete',
|
name='container_consumers:delete',
|
||||||
check_str='rule:container_non_private_read or ' +
|
check_str=(
|
||||||
'rule:container_project_creator or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
'rule:container_project_admin or rule:container_acl_read ' +
|
'(rule:system_admin or rule:container_project_admin or '
|
||||||
f" or {_CONTAINER_ACCESS} or {_CONTAINER_ADMIN} or " +
|
'(rule:container_project_member and rule:container_owner) or '
|
||||||
f"{_SYSTEM_ADMIN}",
|
'(rule:container_project_member and '
|
||||||
|
' rule:container_is_not_private) or '
|
||||||
|
'rule:container_acl_read)'),
|
||||||
scope_types=['project', 'system'],
|
scope_types=['project', 'system'],
|
||||||
description='Deletes a consumer.',
|
description='Deletes a consumer.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -100,15 +151,17 @@ rules = [
|
|||||||
'path': '/v1/containers/{container-id}/consumers',
|
'path': '/v1/containers/{container-id}/consumers',
|
||||||
'method': 'DELETE'
|
'method': 'DELETE'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_container_consumers_delete
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='secret_consumers:get',
|
name='secret_consumers:get',
|
||||||
check_str='rule:secret_non_private_read or ' +
|
check_str=(
|
||||||
'rule:secret_project_creator or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
'rule:secret_project_admin or rule:secret_acl_read ' +
|
'(rule:system_admin or rule:secret_project_admin or '
|
||||||
f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
|
'(rule:secret_project_member and rule:secret_owner) or '
|
||||||
f"{_SYSTEM_ADMIN}",
|
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||||
|
'rule:secret_acl_read)'),
|
||||||
scope_types=['project', 'system'],
|
scope_types=['project', 'system'],
|
||||||
description='List consumers for a secret.',
|
description='List consumers for a secret.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -116,15 +169,17 @@ rules = [
|
|||||||
'path': '/v1/secrets/{secret-id}/consumers',
|
'path': '/v1/secrets/{secret-id}/consumers',
|
||||||
'method': 'GET'
|
'method': 'GET'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_secret_consumers_get
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='secret_consumers:post',
|
name='secret_consumers:post',
|
||||||
check_str='rule:secret_non_private_read or ' +
|
check_str=(
|
||||||
'rule:secret_project_creator or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
'rule:secret_project_admin or rule:secret_acl_read ' +
|
'(rule:system_admin or rule:secret_project_admin or '
|
||||||
f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
|
'(rule:secret_project_member and rule:secret_owner) or '
|
||||||
f"{_SYSTEM_ADMIN}",
|
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||||
|
'rule:secret_acl_read)'),
|
||||||
scope_types=['project', 'system'],
|
scope_types=['project', 'system'],
|
||||||
description='Creates a consumer.',
|
description='Creates a consumer.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -132,15 +187,17 @@ rules = [
|
|||||||
'path': '/v1/secrets/{secrets-id}/consumers',
|
'path': '/v1/secrets/{secrets-id}/consumers',
|
||||||
'method': 'POST'
|
'method': 'POST'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_secret_consumers_post
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='secret_consumers:delete',
|
name='secret_consumers:delete',
|
||||||
check_str='rule:secret_non_private_read or ' +
|
check_str=(
|
||||||
'rule:secret_project_creator or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
'rule:secret_project_admin or rule:secret_acl_read ' +
|
'(rule:system_admin or rule:secret_project_admin or '
|
||||||
f" or {_SECRET_ACCESS} or {_SECRET_ADMIN} or " +
|
'(rule:secret_project_member and rule:secret_owner) or '
|
||||||
f"{_SYSTEM_ADMIN}",
|
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||||
|
'rule:secret_acl_read)'),
|
||||||
scope_types=['project', 'system'],
|
scope_types=['project', 'system'],
|
||||||
description='Deletes a consumer.',
|
description='Deletes a consumer.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -148,7 +205,8 @@ rules = [
|
|||||||
'path': '/v1/secrets/{secrets-id}/consumers',
|
'path': '/v1/secrets/{secrets-id}/consumers',
|
||||||
'method': 'DELETE'
|
'method': 'DELETE'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_secret_consumers_delete
|
||||||
),
|
),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user