Implement secure RBAC for quota API
Add new system-scope-specific RBAC rules for the quota API. Change-Id: I4fd1676e8ead673b91bad1cc9749147ac5d62d7f
This commit is contained in:
parent
060ca2ee36
commit
a0bc52c81a
@ -13,11 +13,15 @@
|
|||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
|
||||||
|
_READER = "role:reader"
|
||||||
|
_SYSTEM_ADMIN = "role:admin and system_scope:all"
|
||||||
|
_SYSTEM_READER = "role:reader and system_scope:all"
|
||||||
|
|
||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='quotas:get',
|
name='quotas:get',
|
||||||
check_str='rule:all_users',
|
check_str=f'rule:all_users or {_READER}',
|
||||||
scope_types=[],
|
scope_types=['project'],
|
||||||
description='List quotas for the project the user belongs to.',
|
description='List quotas for the project the user belongs to.',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -28,8 +32,8 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='project_quotas:get',
|
name='project_quotas:get',
|
||||||
check_str='rule:service_admin',
|
check_str=f'rule:service_admin or {_SYSTEM_READER}',
|
||||||
scope_types=[],
|
scope_types=['system'],
|
||||||
description='List quotas for the specified project.',
|
description='List quotas for the specified project.',
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -44,8 +48,8 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='project_quotas:put',
|
name='project_quotas:put',
|
||||||
check_str='rule:service_admin',
|
check_str=f'rule:service_admin or {_SYSTEM_ADMIN}',
|
||||||
scope_types=[],
|
scope_types=['system'],
|
||||||
description='Create or update the configured project quotas for '
|
description='Create or update the configured project quotas for '
|
||||||
'the project with the specified UUID.',
|
'the project with the specified UUID.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -57,8 +61,8 @@ rules = [
|
|||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='project_quotas:delete',
|
name='project_quotas:delete',
|
||||||
check_str='rule:service_admin',
|
check_str=f'rule:service_admin or {_SYSTEM_ADMIN}',
|
||||||
scope_types=[],
|
scope_types=['system'],
|
||||||
description='Delete the project quotas configuration for the '
|
description='Delete the project quotas configuration for the '
|
||||||
'project with the requested UUID.',
|
'project with the requested UUID.',
|
||||||
operations=[
|
operations=[
|
||||||
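Review bot: `_READER = "role:reader"` in the first hunk is the only new check string that carries no scope qualifier, while `_SYSTEM_ADMIN` and `_SYSTEM_READER` both require `system_scope:all`; `scope_types=['project']` does not tighten it on its own, because oslo.policy only rejects out-of-scope tokens when `[oslo_policy] enforce_scope` is enabled, so until that is turned on any token carrying `role:reader` (system-, domain- or other-project-scoped) satisfies `quotas:get`. Either document that dependency next to the constant, `# relies on enforce_scope=True to restrict this to project-scoped tokens`, or bind the check to the target project, e.g. `_PROJECT_READER = "role:reader and project_id:%(project_id)s"`, if the enforcement target for this rule carries a project_id — confirm against the caller before changing it. The same enforce_scope dependency applies in the other three hunks: `project_quotas:get`, `project_quotas:put` and `project_quotas:delete` keep `rule:service_admin` but move to `scope_types=['system']`, so once scope enforcement is enabled a project-scoped token holding the service-admin role is denied; that transition is worth calling out in the release note or via `deprecated_rule` so operators relying on project-scoped service admins are warned rather than locked out silently. The `rules` list continues outside each hunk.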
|
@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Implement secure-rbac for quotas resource.
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
The current policy only allows users with the key-manager:service-admin
|
||||||
|
role to list, get, add, update or delete project quotas. The new
|
||||||
|
policy allows system readers to list quotas and get quotas for specific
|
||||||
|
projects and system admins (role:admin and system_scope:all) to add,
|
||||||
|
update and delete project quotas.
|