From aa78d70df29c3927c032ef49079011fd9c937f73 Mon Sep 17 00:00:00 2001
From: Divya
Date: Fri, 27 Mar 2015 09:27:35 +0100
Subject: [PATCH] Adds support for default rule in ceilometer policy.json.

The default rule is broken in the current implementation of ceilometer rbac, because ceilometer rbac.py does not leverage the support provided by oslo_policy . It instead tries to loop through all the rules in the policy.json to check if the rule corresponding to the requested REST api matches with the any in the policy.json. In this process, it completely ignores the existence of the default rule.

Closes-Bug: 1435855
Change-Id: Icab626b28d14514b0f024df447a8e7f35c52257c
---
 ceilometer/api/rbac.py | 24 +++++++++++++++---------
 etc/ceilometer/policy.json | 3 ++-
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/ceilometer/api/rbac.py b/ceilometer/api/rbac.py
index 3b262c4faa..b59e19fd5d 100644
--- a/ceilometer/api/rbac.py
+++ b/ceilometer/api/rbac.py
@@ -25,6 +25,10 @@ _ENFORCER = None
 CONF = cfg.CONF
+def _has_rule(name):
+ return name in _ENFORCER.rules.keys()
+
+
 def enforce(policy_name, request):
 """Return the user and project the request should be limited to.
@@ -46,14 +50,11 @@ def enforce(policy_name, request):
 policy_dict['target.user_id'] = (headers.get('X-User-Id'))
 policy_dict['target.project_id'] = (headers.get('X-Project-Id'))
- for rule_name in _ENFORCER.rules.keys():
- if rule_method == rule_name:
- if not _ENFORCER.enforce(
- rule_name,
- {},
- policy_dict):
- pecan.core.abort(status_code=403,
- detail='RBAC Authorization Failed')
+ # maintain backward compat with Juno and previous by allowing the action if
+ # there is no rule defined for it
+ if ((_has_rule('default') or _has_rule(rule_method)) and
+ not _ENFORCER.enforce(rule_method, {}, policy_dict)):
+ pecan.core.abort(status_code=403, detail='RBAC Authorization Failed')
 # TODO(fabiog): these methods are still used because the scoping part is really
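Review bot: `_has_rule` dereferences the module-level `_ENFORCER`, which the hunk header shows is initialised to `None`, and the helper has no docstring stating that the enforcer must already exist with its rules loaded. Both callers added by this commit read a `False` result as "rule not defined", so an empty or not-yet-loaded rule set would presumably look the same as a policy file that lacks the rule; the initialisation code is outside the hunk, so confirm it calls `load_rules()` before the first `_has_rule` call. I would add a docstring along the lines of `"""Return True if the loaded policy defines a rule called name (enforcer must be initialised)."""` and simplify the membership test to `return name in _ENFORCER.rules`.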
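Review bot: The new condition in `enforce` skips the policy check entirely when neither `default` nor the requested rule is defined, so a misspelled rule name or a policy file that has lost its `default` entry silently becomes allow rather than a 403. The comment documents this as Juno compatibility, but nothing records that a request was let through unchecked. I would split the condition so the no-rule case lands in an `else:` branch that logs `rule_method` at warning level (using whatever logger the module has; none is visible here), which gives operators something to alert on. `rule_method` and the start of `enforce` are outside the hunk.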
@@ -77,10 +78,15 @@ def get_limited_to(headers):
 policy_dict['target.user_id'] = (headers.get('X-User-Id'))
 policy_dict['target.project_id'] = (headers.get('X-Project-Id'))
- if not _ENFORCER.enforce('segregation',
+ # maintain backward compat with Juno and previous by using context_is_admin
+ # rule if the segregation rule (added in Kilo) is not defined
+ rule_name = 'segregation' if _has_rule(
+ 'segregation') else 'context_is_admin'
+ if not _ENFORCER.enforce(rule_name,
 {},
 policy_dict):
 return headers.get('X-User-Id'), headers.get('X-Project-Id')
+
 return None, None
diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json
index 4c3ec47af1..2bcd03425a 100644
--- a/etc/ceilometer/policy.json
+++ b/etc/ceilometer/policy.json
@@ -2,5 +2,6 @@
 "context_is_admin": "role:admin",
 "context_is_project": "project_id:%(target.project_id)s",
 "context_is_owner": "user_id:%(target.user_id)s",
- "segregation": "rule:context_is_admin"
+ "segregation": "rule:context_is_admin",
+ "default": ""
 }
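Review bot: When the policy defines neither `segregation` nor `context_is_admin`, `rule_name` becomes `context_is_admin` and the result is whatever the enforcer does with an unknown rule, which as far as I can tell from oslo.policy is to fall back to `default`. With the empty `default` this commit adds to policy.json, that check would pass and `get_limited_to` would return `None, None`, i.e. no user or project restriction on the query. I would fail closed before calling the enforcer: `if not _has_rule(rule_name): return headers.get('X-User-Id'), headers.get('X-Project-Id')`. The opening lines of `get_limited_to` are outside the hunk.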
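Review bot: The empty string added for `default` is, as far as I know, parsed by oslo.policy as an always-true check, so every API action without its own rule is allowed for any authenticated caller once this file is deployed. That matches the Juno behaviour described in the rbac.py comments, but it also means a future API method that nobody lists here is open by default. If the compatibility window allows it, I would ship `"default": "rule:context_is_admin"` and add explicit rules for the calls ordinary users need. Otherwise the deployment documentation should state that operators are expected to tighten `default`, since JSON leaves no room for a comment in this file.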