From aa78d70df29c3927c032ef49079011fd9c937f73 Mon Sep 17 00:00:00 2001 From: Divya Date: Fri, 27 Mar 2015 09:27:35 +0100 Subject: [PATCH] Adds support for default rule in ceilometer policy.json. The default rule is broken in the current implementation of ceilometer rbac, because ceilometer rbac.py does not leverage the support provided by oslo_policy . It instead tries to loop through all the rules in the policy.json to check if the rule corresponding to the requested REST api matches with the any in the policy.json. In this process, it completely ignores the existence of the default rule. Closes-Bug: 1435855 Change-Id: Icab626b28d14514b0f024df447a8e7f35c52257c --- ceilometer/api/rbac.py | 24 +++++++++++++++--------- etc/ceilometer/policy.json | 3 ++- 2 files changed, 17 insertions(+), 10 deletions(-) diff --git a/ceilometer/api/rbac.py b/ceilometer/api/rbac.py index 3b262c4f..b59e19fd 100644 --- a/ceilometer/api/rbac.py +++ b/ceilometer/api/rbac.py @@ -25,6 +25,10 @@ _ENFORCER = None CONF = cfg.CONF +def _has_rule(name): + return name in _ENFORCER.rules.keys() + + def enforce(policy_name, request): """Return the user and project the request should be limited to. @@ -46,14 +50,11 @@ def enforce(policy_name, request): policy_dict['target.user_id'] = (headers.get('X-User-Id')) policy_dict['target.project_id'] = (headers.get('X-Project-Id')) - for rule_name in _ENFORCER.rules.keys(): - if rule_method == rule_name: - if not _ENFORCER.enforce( - rule_name, - {}, - policy_dict): - pecan.core.abort(status_code=403, - detail='RBAC Authorization Failed') + # maintain backward compat with Juno and previous by allowing the action if + # there is no rule defined for it + if ((_has_rule('default') or _has_rule(rule_method)) and + not _ENFORCER.enforce(rule_method, {}, policy_dict)): + pecan.core.abort(status_code=403, detail='RBAC Authorization Failed') # TODO(fabiog): these methods are still used because the scoping part is really @@ -77,10 +78,15 @@ def get_limited_to(headers): policy_dict['target.user_id'] = (headers.get('X-User-Id')) policy_dict['target.project_id'] = (headers.get('X-Project-Id')) - if not _ENFORCER.enforce('segregation', + # maintain backward compat with Juno and previous by using context_is_admin + # rule if the segregation rule (added in Kilo) is not defined + rule_name = 'segregation' if _has_rule( + 'segregation') else 'context_is_admin' + if not _ENFORCER.enforce(rule_name, {}, policy_dict): return headers.get('X-User-Id'), headers.get('X-Project-Id') + return None, None diff --git a/etc/ceilometer/policy.json b/etc/ceilometer/policy.json index 4c3ec47a..2bcd0342 100644 --- a/etc/ceilometer/policy.json +++ b/etc/ceilometer/policy.json @@ -2,5 +2,6 @@ "context_is_admin": "role:admin", "context_is_project": "project_id:%(target.project_id)s", "context_is_owner": "user_id:%(target.user_id)s", - "segregation": "rule:context_is_admin" + "segregation": "rule:context_is_admin", + "default": "" }