Merge "Allow secret delete by users with "creator" role"
This commit is contained in:
commit
ffea7f79c9
@ -48,7 +48,8 @@ Following ACL rules are defined and used as `OR` in resource access policy:
|
|||||||
* ACL based access is allowed when token user is present in secret/container operation specific
|
* ACL based access is allowed when token user is present in secret/container operation specific
|
||||||
ACL user list e.g. token user present in `read` users list.
|
ACL user list e.g. token user present in `read` users list.
|
||||||
* When secret/container resource is marked private, then project-level RBAC users access is not
|
* When secret/container resource is marked private, then project-level RBAC users access is not
|
||||||
allowed.
|
allowed. e.g. When a secret is marked private, only the user who created it
|
||||||
|
or a user with the "admin" role on the project will be able to remove it.
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
|
@ -72,6 +72,8 @@ rules = [
|
|||||||
name='secret:delete',
|
name='secret:delete',
|
||||||
check_str='rule:secret_project_admin or ' +
|
check_str='rule:secret_project_admin or ' +
|
||||||
'rule:secret_project_creator or ' +
|
'rule:secret_project_creator or ' +
|
||||||
|
'(rule:secret_project_creator_role and ' +
|
||||||
|
'not rule:secret_private_read) or ' +
|
||||||
f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
|
f"({_PROJECT_MEMBER} and ({_SECRET_CREATOR} or " +
|
||||||
f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
f"{_SECRET_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
|
@ -663,15 +663,26 @@ class WhenTestingSecretResource(BaseTestCase):
|
|||||||
content_type="application/octet-stream")
|
content_type="application/octet-stream")
|
||||||
|
|
||||||
def test_should_pass_delete_secret(self):
|
def test_should_pass_delete_secret(self):
|
||||||
self._assert_pass_rbac(['admin'], self._invoke_on_delete,
|
self._assert_pass_rbac(['admin', 'creator'], self._invoke_on_delete,
|
||||||
user_id=self.user_id,
|
user_id=self.user_id,
|
||||||
project_id=self.external_project_id)
|
project_id=self.external_project_id)
|
||||||
|
|
||||||
def test_should_raise_delete_secret(self):
|
def test_should_raise_delete_secret(self):
|
||||||
"""A non-admin user cannot delete other user's secret.
|
"""Only admin and creator can delete secrets
|
||||||
|
|
||||||
User id is different from initial user who has created the secret.
|
User id is different from initial user who has created the secret.
|
||||||
"""
|
"""
|
||||||
|
self._assert_fail_rbac([None, 'audit', 'observer', 'bogus'],
|
||||||
|
self._invoke_on_delete,
|
||||||
|
user_id=self.user_id,
|
||||||
|
project_id=self.external_project_id)
|
||||||
|
|
||||||
|
def test_should_raise_delete_private_secret(self):
|
||||||
|
self.acl_list.pop() # remove read acl from default setup
|
||||||
|
acl_read = models.SecretACL(secret_id=self.secret_id, operation='read',
|
||||||
|
project_access=False,
|
||||||
|
user_ids=['anyRandomUserX', 'aclUser1'])
|
||||||
|
self.acl_list.append(acl_read)
|
||||||
self._assert_fail_rbac([None, 'audit', 'observer', 'creator', 'bogus'],
|
self._assert_fail_rbac([None, 'audit', 'observer', 'creator', 'bogus'],
|
||||||
self._invoke_on_delete,
|
self._invoke_on_delete,
|
||||||
user_id=self.user_id,
|
user_id=self.user_id,
|
||||||
|
@ -58,11 +58,10 @@ admin
|
|||||||
by the project for which the admin role is scoped.
|
by the project for which the admin role is scoped.
|
||||||
|
|
||||||
creator
|
creator
|
||||||
Users with this role are allowed to create new resources and can only
|
Users with this role are allowed to create new resources and can also
|
||||||
delete resources which are originally created (owned) by them. Users with
|
delete resources which are owned by the project for which the creator role
|
||||||
this role cannot delete other user's resources managed within same project.
|
is scoped. They are also allowed full access to existing secrets owned by
|
||||||
They are also allowed full access to existing secrets owned by the project
|
the project in scope.
|
||||||
in scope.
|
|
||||||
|
|
||||||
observer
|
observer
|
||||||
Users with this role are allowed to access to existing resources but are
|
Users with this role are allowed to access to existing resources but are
|
||||||
@ -76,10 +75,14 @@ Access Control List API
|
|||||||
-----------------------
|
-----------------------
|
||||||
|
|
||||||
There are some limitations that result from scoping ownership of a secret at the
|
There are some limitations that result from scoping ownership of a secret at the
|
||||||
project level. For example, there is no easy way for a user to upload a secret
|
project level. For example, it is not possible to grant a user access to a
|
||||||
for which only they have access. There is also no easy way to grant a user
|
single secret, as granting a role on a project would allow access to all
|
||||||
access to only a single secret.
|
all secrets owned by that project.
|
||||||
|
|
||||||
To address this limitations the Key Manager service includes an Access Control
|
Additionally, there is no easy way to upload a private secret (i.e. a secret
|
||||||
|
that only you have access to) without creating a new project for which only
|
||||||
|
you have roles assigned on it.
|
||||||
|
|
||||||
|
To address these limitations the Key Manager service includes an Access Control
|
||||||
List (ACL) API. For full details see the
|
List (ACL) API. For full details see the
|
||||||
`ACL API User Guide <https://docs.openstack.org/api-guide/key-manager/acls.html>`__
|
`ACL API User Guide <https://docs.openstack.org/api-guide/key-manager/acls.html>`__
|
||||||
|
@ -90,7 +90,7 @@ test_data_rbac_delete_secret = {
|
|||||||
'with_creator_a': {'user': creator_a, 'admin': creator_a,
|
'with_creator_a': {'user': creator_a, 'admin': creator_a,
|
||||||
'expected_return': 204},
|
'expected_return': 204},
|
||||||
'with_creator_a_2': {'user': creator_a_2, 'admin': creator_a,
|
'with_creator_a_2': {'user': creator_a_2, 'admin': creator_a,
|
||||||
'expected_return': 403},
|
'expected_return': 204},
|
||||||
'with_observer_a': {'user': observer_a, 'admin': admin_a,
|
'with_observer_a': {'user': observer_a, 'admin': admin_a,
|
||||||
'expected_return': 403},
|
'expected_return': 403},
|
||||||
'with_auditor_a': {'user': auditor_a, 'admin': admin_a,
|
'with_auditor_a': {'user': auditor_a, 'admin': admin_a,
|
||||||
|
@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
Fixed Story #2009791: Users with the "creator" role on a project can now
|
||||||
|
delete secrets owned by the project even if the user is different than
|
||||||
|
the user that originally created the secret. Previous to this fix a user
|
||||||
|
with the "creator" role was only allowed to delete a secret owned by the
|
||||||
|
project if they were also the same user that originally created, which
|
||||||
|
was inconsistent with the way that deletes are handled by other OpenStack
|
||||||
|
projects that integrate with Barbican. This change does not affect private
|
||||||
|
secrets (i.e. secrets with the "project-access" flag set to "false").
|
Loading…
Reference in New Issue
Block a user