Implement secure RBAC for quota API

Add new system scope specific RBAC rules for the quota API. Change-Id: I4fd1676e8ead673b91bad1cc9749147ac5d62d7f
2021-03-09 11:15:43 -05:00 · 2021-03-09 11:15:43 -05:00 · a0bc52c81a
commit a0bc52c81a
parent 060ca2ee36
2 changed files with 23 additions and 8 deletions
--- a/barbican/common/policies/quotas.py
+++ b/barbican/common/policies/quotas.py
@ -13,11 +13,15 @@
 from oslo_policy import policy


+_READER = "role:reader"
+_SYSTEM_ADMIN = "role:admin and system_scope:all"
+_SYSTEM_READER = "role:reader and system_scope:all"
+
 rules = [
    policy.DocumentedRuleDefault(
        name='quotas:get',
-        check_str='rule:all_users',
-        scope_types=[],
+        check_str=f'rule:all_users or {_READER}',
+        scope_types=['project'],
        description='List quotas for the project the user belongs to.',
        operations=[
            {
@ -28,8 +32,8 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='project_quotas:get',
-        check_str='rule:service_admin',
-        scope_types=[],
+        check_str=f'rule:service_admin or {_SYSTEM_READER}',
+        scope_types=['system'],
        description='List quotas for the specified project.',
        operations=[
            {
@ -44,8 +48,8 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='project_quotas:put',
-        check_str='rule:service_admin',
-        scope_types=[],
+        check_str=f'rule:service_admin or {_SYSTEM_ADMIN}',
+        scope_types=['system'],
        description='Create or update the configured project quotas for '
                    'the project with the specified UUID.',
        operations=[
@ -57,8 +61,8 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='project_quotas:delete',
-        check_str='rule:service_admin',
-        scope_types=[],
+        check_str=f'rule:service_admin or {_SYSTEM_ADMIN}',
+        scope_types=['system'],
        description='Delete the project quotas configuration for the '
                    'project with the requested UUID.',
        operations=[
--- a/releasenotes/notes/secure-rbac-quotas-policy-f725a2752d1ba3f4.yaml
+++ b/releasenotes/notes/secure-rbac-quotas-policy-f725a2752d1ba3f4.yaml
@ -0,0 +1,11 @@
+---
+features:
+  - |
+    Implement secure-rbac for quotas resource.
+security:
+  - |
+    The current policy only allows users with the key-manager:service-admin
+    role to list, get, add, update or delete project quotas.  The new
+    policy allows system readers to list quotas and get quotas for specific
+    projects and system admins (role:admin and system_scope:all) to add,
+    update and delete project quotas.