Ensure that only cloud admins are neutron admins

When determining if a user is an admin the default neutron policy
file only checks if a user has the 'admin'  role. It does not check
what that role is applied to.

The problem is illustrated by the following scenario: A cloud
admin creates a new domain, then creates a new project within that
domain. The cloud admin wants to delegate the maintenance of the
new project to userA so she grants them admin on the new project.
UserA is now a cloud admin from Neutron's point of view.

To fix this issue a policy override file is added which checks that
the user is admin either against the admin project (as defined by
keystone) or the service project.

Change-Id: If4c5b0c1ab7bf2c75e911e77531d442d417a1231
Closes-Bug: 1830536
This commit is contained in:
Liam Young 2019-07-19 13:00:59 +00:00
parent 0068267095
commit e03501dee1
3 changed files with 23 additions and 0 deletions


@ -146,6 +146,7 @@ NEUTRON_DEFAULT = '/etc/default/neutron-server'
CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt'
MEMCACHED_CONF = '/etc/memcached.conf'
API_PASTE_INI = '%s/api-paste.ini' % NEUTRON_CONF_DIR
ADMIN_POLICY = "/etc/neutron/policy.d/00-admin.json"
# NOTE:(fnordahl) placeholder ml2_conf_srov.ini pointing users to ml2_conf.ini
# Due to how neutron init scripts are laid out on various Linux
# distributions we put the [ml2_sriov] section in ml2_conf.ini instead
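Review bot: The new `ADMIN_POLICY` constant sits among plain config-file paths with nothing saying why a policy.d override exists or what it restricts, and the commit message is the only place that explains it. A one-line why-comment above it would keep that rationale next to the code: `# policy.d override: 'admin' only grants neutron admin when held on the keystone admin project or the service project (LP: 1830536)`. The second hunk of this section (inside resource_map, which starts and ends outside the hunk) only registers the file for queens and later, so the comment could also note that the override is release-gated.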
@ -461,6 +462,13 @@ def resource_map(release=None):
release = release or os_release('neutron-common')
resource_map = deepcopy(BASE_RESOURCE_MAP)
if CompareOpenStackReleases(release) >= 'queens':
resource_map[ADMIN_POLICY] = {
'contexts': [
neutron_api_context.IdentityServiceContext(
service='neutron',
service_user='neutron')],
'services': ['neutron-server']}
if CompareOpenStackReleases(release) >= 'liberty':
resource_map.update(LIBERTY_RESOURCE_MAP)


@ -0,0 +1,2 @@
"is_service_project": "project_id:{{ service_project_id }} or domain_id:{{ service_domain_id }}"
"context_is_admin": "role:admin and (is_admin_project:True or rule:is_service_project)"


@ -178,6 +178,19 @@ class TestNeutronAPIUtils(CharmTestCase):
[self.assertIn(q_conf, _map.keys()) for q_conf in confs]
self.assertTrue(nutils.APACHE_24_CONF not in _map.keys())
@patch.object(nutils, 'manage_plugin')
@patch('os.path.exists')
def test_resource_map_queens(self, _path_exists, _manage_plugin):
_path_exists.return_value = False
_manage_plugin.return_value = True
self.os_release.return_value = 'queens'
_map = nutils.resource_map()
confs = [nutils.NEUTRON_CONF, nutils.NEUTRON_DEFAULT,
nutils.APACHE_CONF, nutils.NEUTRON_LBAAS_CONF,
nutils.NEUTRON_VPNAAS_CONF, nutils.ADMIN_POLICY]
[self.assertIn(q_conf, _map.keys()) for q_conf in confs]
self.assertTrue(nutils.APACHE_24_CONF not in _map.keys())
@patch.object(nutils, 'manage_plugin')
@patch('os.path.exists')
def test_resource_map_apache24(self, _path_exists, _manage_plugin):
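Review bot: `test_resource_map_queens` only covers the positive case, so a regression that registers `ADMIN_POLICY` unconditionally (or for every release) would still pass; the pre-queens test whose tail is visible at the top of the hunk should gain `self.assertNotIn(nutils.ADMIN_POLICY, _map.keys())` to pin the release gate. The new test also copies the list-comprehension-for-side-effects idiom from the existing one (`[self.assertIn(...) for q_conf in confs]`); a plain `for` loop reads better and avoids building a throwaway list, though matching the file's existing style is defensible. `test_resource_map_apache24` starts on the last line of the hunk and continues outside it.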