Adds support for default rule in ceilometer policy.json.

The default rule is broken in the current implementation of
ceilometer rbac, because ceilometer rbac.py does not leverage
the support provided by oslo_policy. It instead tries to
loop through all the rules in the policy.json to check whether the
rule corresponding to the requested REST API matches
any in the policy.json. In this process, it completely ignores
the existence of the default rule.

Closes-Bug: 1435855

Change-Id: Icab626b28d14514b0f024df447a8e7f35c52257c
This commit is contained in:
Divya 2015-03-27 09:27:35 +01:00
parent 2fb046fb66
commit aa78d70df2
2 changed files with 17 additions and 10 deletions


@ -25,6 +25,10 @@ _ENFORCER = None
CONF = cfg.CONF
def _has_rule(name):
return name in _ENFORCER.rules.keys()
def enforce(policy_name, request):
"""Return the user and project the request should be limited to.
@ -46,14 +50,11 @@ def enforce(policy_name, request):
policy_dict['target.user_id'] = (headers.get('X-User-Id'))
policy_dict['target.project_id'] = (headers.get('X-Project-Id'))
for rule_name in _ENFORCER.rules.keys():
if rule_method == rule_name:
if not _ENFORCER.enforce(
rule_name,
{},
policy_dict):
pecan.core.abort(status_code=403,
detail='RBAC Authorization Failed')
# maintain backward compat with Juno and previous by allowing the action if
# there is no rule defined for it
if ((_has_rule('default') or _has_rule(rule_method)) and
not _ENFORCER.enforce(rule_method, {}, policy_dict)):
pecan.core.abort(status_code=403, detail='RBAC Authorization Failed')
# TODO(fabiog): these methods are still used because the scoping part is really
@ -77,10 +78,15 @@ def get_limited_to(headers):
policy_dict['target.user_id'] = (headers.get('X-User-Id'))
policy_dict['target.project_id'] = (headers.get('X-Project-Id'))
if not _ENFORCER.enforce('segregation',
# maintain backward compat with Juno and previous by using context_is_admin
# rule if the segregation rule (added in Kilo) is not defined
rule_name = 'segregation' if _has_rule(
'segregation') else 'context_is_admin'
if not _ENFORCER.enforce(rule_name,
{},
policy_dict):
return headers.get('X-User-Id'), headers.get('X-Project-Id')
return None, None
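Review bot: The new gate in the second hunk, `(_has_rule('default') or _has_rule(rule_method))`, hard-codes the fallback rule name `default`; a deployment that points oslo.policy's `policy_default_rule` option at a differently named rule would find neither name and take the existing allow-the-action path without ever calling `enforce`. If the enforcer exposes the configured name (oslo.policy's `Enforcer` is constructed with a `default_rule` argument), `_has_rule(_ENFORCER.default_rule)` would keep the check and the configuration in step; otherwise the comment should say `# assumes the oslo.policy default rule is named 'default'`. Separately, `_has_rule` in the first hunk has no docstring, `return name in _ENFORCER.rules` is sufficient since `in` on a mapping already tests keys, and it dereferences `_ENFORCER`, which is `None` at import time, so a one-line docstring such as `"""Return True if *name* is a rule in the loaded policy; requires the enforcer to be initialised."""` would make that precondition explicit. The body of `enforce` starts in the first hunk and continues beyond the second.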


@ -2,5 +2,6 @@
"context_is_admin": "role:admin",
"context_is_project": "project_id:%(target.project_id)s",
"context_is_owner": "user_id:%(target.user_id)s",
"segregation": "rule:context_is_admin"
"segregation": "rule:context_is_admin",
"default": ""
}
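Review bot: `"default": ""` is an empty rule, which oslo.policy parses as an always-true check, so every API action without an explicit entry in this file is now granted to any authenticated caller rather than being rejected. That is the Juno-compatible behaviour the commit message describes, but it is a permissive default and the sample file gives a deployer no hint of it. JSON cannot carry an inline comment, so the accompanying deployer documentation should state that `default` is consulted for every rule name not listed here and that a hardened deployment should set it to an explicit rule such as `"rule:context_is_admin"`.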