openstack/deb-ceilometer
Code Issues Proposed changes

Adds support for default rule in ceilometer policy.json.

Browse Source 
The default rule is broken in the current implementation of
ceilometer rbac, because ceilometer rbac.py does not leverage
the support provided by oslo_policy . It instead tries to
loop through all the rules in the policy.json to check if the
rule corresponding to the requested REST api matches with the
any in the policy.json. In this process, it completely ignores
the existence of the default rule.

Closes-Bug: 1435855

Change-Id: Icab626b28d14514b0f024df447a8e7f35c52257c
This commit is contained in:
Divya 2015-03-27 09:27:35 +01:00
parent 2fb046fb66
commit aa78d70df2
2 changed files with 17 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
ceilometer/api/rbac.py
View File

@ -25,6 +25,10 @@ _ENFORCER = None
CONF = cfg.CONF CONF = cfg.CONF
def _has_rule(name):
return name in _ENFORCER.rules.keys()
def enforce(policy_name, request): def enforce(policy_name, request):
"""Return the user and project the request should be limited to. """Return the user and project the request should be limited to.
@ -46,14 +50,11 @@ def enforce(policy_name, request):
policy_dict['target.user_id'] = (headers.get('X-User-Id')) policy_dict['target.user_id'] = (headers.get('X-User-Id'))
policy_dict['target.project_id'] = (headers.get('X-Project-Id')) policy_dict['target.project_id'] = (headers.get('X-Project-Id'))
for rule_name in _ENFORCER.rules.keys(): # maintain backward compat with Juno and previous by allowing the action if
if rule_method == rule_name: # there is no rule defined for it
if not _ENFORCER.enforce( if ((_has_rule('default') or _has_rule(rule_method)) and
rule_name, not _ENFORCER.enforce(rule_method, {}, policy_dict)):
{}, pecan.core.abort(status_code=403, detail='RBAC Authorization Failed')
policy_dict):
pecan.core.abort(status_code=403,
detail='RBAC Authorization Failed')
# TODO(fabiog): these methods are still used because the scoping part is really # TODO(fabiog): these methods are still used because the scoping part is really
@ -77,10 +78,15 @@ def get_limited_to(headers):
policy_dict['target.user_id'] = (headers.get('X-User-Id')) policy_dict['target.user_id'] = (headers.get('X-User-Id'))
policy_dict['target.project_id'] = (headers.get('X-Project-Id')) policy_dict['target.project_id'] = (headers.get('X-Project-Id'))
if not _ENFORCER.enforce('segregation', # maintain backward compat with Juno and previous by using context_is_admin
# rule if the segregation rule (added in Kilo) is not defined
rule_name = 'segregation' if _has_rule(
'segregation') else 'context_is_admin'
if not _ENFORCER.enforce(rule_name,
{}, {},
policy_dict): policy_dict):
return headers.get('X-User-Id'), headers.get('X-Project-Id') return headers.get('X-User-Id'), headers.get('X-Project-Id')
return None, None return None, None

3
etc/ceilometer/policy.json
View File

@ -2,5 +2,6 @@
"context_is_admin": "role:admin", "context_is_admin": "role:admin",
"context_is_project": "project_id:%(target.project_id)s", "context_is_project": "project_id:%(target.project_id)s",
"context_is_owner": "user_id:%(target.user_id)s", "context_is_owner": "user_id:%(target.user_id)s",
"segregation": "rule:context_is_admin" "segregation": "rule:context_is_admin",
"default": ""
} }