From 5f87d207b448ec4e24988af5671c3b3593b13804 Mon Sep 17 00:00:00 2001 From: Michael Johnson Date: Tue, 13 Jul 2021 21:24:52 +0000 Subject: [PATCH] Fix support for scoped tokens and default roles This patch is the base patch to enable support for Keystone scoped tokens[1] and default roles[2] in the Designate API. It also migrates to using project_id in the context objects instead of the deprecated tenant_id. [1] https://docs.openstack.org/keystone/latest/admin/tokens-overview.html#authorization-scopes [2] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html Depends-On: https://review.opendev.org/c/openstack/designate-tempest-plugin/+/821632 Change-Id: I43bb76dc4dc1d167d86fd5ea139a50f95f3b0b4a --- .zuul.yaml | 20 + designate/api/middleware.py | 6 +- .../api/v2/controllers/zones/tasks/exports.py | 7 +- designate/central/service.py | 691 +++++++++++++----- designate/common/constants.py | 17 + designate/common/policies/base.py | 70 +- designate/common/policies/context.py | 50 +- designate/common/policies/diagnostics.py | 51 +- designate/common/policies/quota.py | 2 +- designate/common/policies/recordset.py | 64 +- designate/common/policies/tsigkey.py | 3 - designate/common/policies/zone.py | 25 +- designate/common/policies/zone_export.py | 24 +- designate/common/policies/zone_import.py | 2 +- .../common/policies/zone_transfer_accept.py | 6 +- .../common/policies/zone_transfer_request.py | 25 +- designate/context.py | 5 +- designate/exceptions.py | 13 + .../adapters/api_v2/zone_transfer_request.py | 8 +- designate/policy.py | 15 +- designate/storage/impl_sqlalchemy/__init__.py | 9 +- designate/tests/__init__.py | 9 +- designate/tests/test_api/test_middleware.py | 3 +- designate/tests/test_central/test_service.py | 19 +- .../tests/unit/test_central/test_basic.py | 30 +- ...upport-scoped-tokens-6b7d6052a258cd11.yaml | 4 + 26 files changed, 861 insertions(+), 317 deletions(-) create mode 100644 designate/common/constants.py create mode 100644 releasenotes/notes/Support-scoped-tokens-6b7d6052a258cd11.yaml diff --git a/.zuul.yaml b/.zuul.yaml index e3e71c5c1..9a68deb81 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -54,6 +54,24 @@ Functional testing for a FIPS enabled Centos 8 stream system pre-run: playbooks/enable-fips.yaml +- job: + name: designate-bind9-scoped-tokens + post-run: playbooks/designate-bind9/post.yaml + parent: designate-base + vars: + devstack_local_conf: + post-config: + $DESIGNATE_CONF: + oslo_policy: + enforce_scope: True + enforce_new_defaults: True + test-config: + "$TEMPEST_CONFIG": + enforce_scope: + designate: True + dns_feature_enabled: + enforce_new_defaults: True + - job: name: designate-pdns4 post-run: playbooks/designate-pdns4/post.yaml @@ -136,6 +154,7 @@ - designate-bind9 - designate-bind9-centos8stream-fips: voting: false + - designate-bind9-scoped-tokens - designate-pdns4 - designate-grenade-pdns4 - designate-ipv6-only-pdns4 @@ -145,6 +164,7 @@ queue: designate jobs: - designate-bind9 + - designate-bind9-scoped-tokens - designate-pdns4 - designate-grenade-pdns4 - designate-ipv6-only-pdns4 diff --git a/designate/api/middleware.py b/designate/api/middleware.py index 01de871a7..4b9c7e8e2 100644 --- a/designate/api/middleware.py +++ b/designate/api/middleware.py @@ -128,14 +128,13 @@ class KeystoneContextMiddleware(ContextMiddleware): pass tenant_id = headers.get('X-Tenant-ID') - if tenant_id is None: - return flask.Response(status=401) catalog = None if headers.get('X-Service-Catalog'): catalog = jsonutils.loads(headers.get('X-Service-Catalog')) roles = headers.get('X-Roles').split(',') + system_scope = headers.get('Openstack-System-Scope') try: self.make_context( @@ -144,7 +143,8 @@ class KeystoneContextMiddleware(ContextMiddleware): user_id=headers.get('X-User-ID'), project_id=tenant_id, roles=roles, - service_catalog=catalog + service_catalog=catalog, + system_scope=system_scope ) except exceptions.Forbidden: return flask.Response(status=403) diff --git a/designate/api/v2/controllers/zones/tasks/exports.py b/designate/api/v2/controllers/zones/tasks/exports.py index 9252da085..1e785c9de 100644 --- a/designate/api/v2/controllers/zones/tasks/exports.py +++ b/designate/api/v2/controllers/zones/tasks/exports.py @@ -17,6 +17,7 @@ from oslo_log import log as logging import pecan from designate.api.v2.controllers import rest +from designate.common import constants from designate import exceptions from designate.objects.adapters import DesignateAdapter from designate import policy @@ -31,7 +32,11 @@ class ZoneExportController(rest.RestController): @utils.validate_uuid('export_id') def get_all(self, export_id): context = pecan.request.environ['context'] - target = {'tenant_id': context.project_id} + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} + policy.check('zone_export', context, target) export = self.central_api.get_zone_export(context, export_id) diff --git a/designate/central/service.py b/designate/central/service.py index 6b23b3711..950edb3da 100644 --- a/designate/central/service.py +++ b/designate/central/service.py @@ -33,6 +33,7 @@ from oslo_config import cfg from oslo_log import log as logging import oslo_messaging as messaging +from designate.common import constants from designate import context as dcontext from designate import coordination from designate import dnsutils @@ -483,6 +484,12 @@ class Service(service.RPCService): raise exceptions.InvalidTTL('TTL is below the minimum: %s' % min_ttl) + def _is_valid_project_id(self, project_id): + if project_id is None: + raise exceptions.MissingProjectID( + "A project ID must be specified when not using a project " + "scoped token.") + def _increment_zone_serial(self, context, zone, set_delayed_notify=False): """Update the zone serial and the SOA record Optionally set delayed_notify to have PM issue delayed notify @@ -658,17 +665,30 @@ class Service(service.RPCService): # Quota Methods @rpc.expected_exceptions() def get_quotas(self, context, tenant_id): - target = {'tenant_id': tenant_id} + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: tenant_id, + 'all_tenants': context.all_tenants} + else: + target = {'tenant_id': tenant_id} policy.check('get_quotas', context, target) - if tenant_id != context.project_id and not context.all_tenants: + # TODO(johnsom) Deprecated since Wallaby, remove with legacy default + # policies. System scoped admin doesn't have a project_id + if (tenant_id != context.project_id and not context.all_tenants and not + policy.enforce_new_defaults()): raise exceptions.Forbidden() return self.quota.get_quotas(context, tenant_id) @rpc.expected_exceptions() def get_quota(self, context, tenant_id, resource): - target = {'tenant_id': tenant_id, 'resource': resource} + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: tenant_id, + 'resource': resource + } + else: + target = {'tenant_id': tenant_id, 'resource': resource} policy.check('get_quota', context, target) return self.quota.get_quota(context, tenant_id, resource) @@ -676,21 +696,34 @@ class Service(service.RPCService): @rpc.expected_exceptions() @transaction def set_quota(self, context, tenant_id, resource, hard_limit): - target = { - 'tenant_id': tenant_id, - 'resource': resource, - 'hard_limit': hard_limit, - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: tenant_id, + 'resource': resource, + 'hard_limit': hard_limit, + } + else: + target = { + 'tenant_id': tenant_id, + 'resource': resource, + 'hard_limit': hard_limit, + } policy.check('set_quota', context, target) - if tenant_id != context.project_id and not context.all_tenants: + # TODO(johnsom) Deprecated since Wallaby, remove with legacy default + # policies. System scoped admin doesn't have a project_id + if (tenant_id != context.project_id and not context.all_tenants and not + policy.enforce_new_defaults()): raise exceptions.Forbidden() return self.quota.set_quota(context, tenant_id, resource, hard_limit) @transaction def reset_quotas(self, context, tenant_id): - target = {'tenant_id': tenant_id} + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: tenant_id} + else: + target = {'tenant_id': tenant_id} policy.check('reset_quotas', context, target) self.quota.reset_quotas(context, tenant_id) @@ -806,9 +839,10 @@ class Service(service.RPCService): @rpc.expected_exceptions() def get_tenant(self, context, tenant_id): - target = { - 'tenant_id': tenant_id - } + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: tenant_id} + else: + target = {'tenant_id': tenant_id} policy.check('get_tenant', context, target) @@ -855,13 +889,21 @@ class Service(service.RPCService): # Default to creating in the current users tenant zone.tenant_id = zone.tenant_id or context.project_id - target = { - 'tenant_id': zone.tenant_id, - 'zone_name': zone.name - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: zone.tenant_id, + 'zone_name': zone.name + } + else: + target = { + 'tenant_id': zone.tenant_id, + 'zone_name': zone.name + } policy.check('create_zone', context, target) + self._is_valid_project_id(zone.tenant_id) + # Ensure the tenant has enough quota to continue self._enforce_zone_quota(context, zone.tenant_id) @@ -969,11 +1011,19 @@ class Service(service.RPCService): """ zone = self.storage.get_zone(context, zone_id) - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'tenant_id': zone.tenant_id + } + policy.check('get_zone', context, target) return zone @@ -986,11 +1036,19 @@ class Service(service.RPCService): pool_id = cfg.CONF['service:central'].default_pool_id else: zone = self.storage.get_zone(context, zone_id) - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'tenant_id': zone.tenant_id - } + + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'tenant_id': zone.tenant_id + } pool_id = zone.pool_id policy.check('get_zone_ns_records', context, target) @@ -1008,7 +1066,11 @@ class Service(service.RPCService): sort_key=None, sort_dir=None): """List existing zones including the ones flagged for deletion. """ - target = {'tenant_id': context.project_id} + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} + policy.check('find_zones', context, target) return self.storage.find_zones(context, criterion, marker, limit, @@ -1016,7 +1078,11 @@ class Service(service.RPCService): @rpc.expected_exceptions() def find_zone(self, context, criterion=None): - target = {'tenant_id': context.project_id} + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} + policy.check('find_zone', context, target) return self.storage.find_zone(context, criterion) @@ -1030,11 +1096,19 @@ class Service(service.RPCService): :returns: updated zone """ - target = { - 'zone_id': zone.obj_get_original_value('id'), - 'zone_name': zone.obj_get_original_value('name'), - 'tenant_id': zone.obj_get_original_value('tenant_id'), - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone.obj_get_original_value('id'), + 'zone_name': zone.obj_get_original_value('name'), + constants.RBAC_PROJECT_ID: ( + zone.obj_get_original_value('tenant_id')), + } + else: + target = { + 'zone_id': zone.obj_get_original_value('id'), + 'zone_name': zone.obj_get_original_value('name'), + 'tenant_id': zone.obj_get_original_value('tenant_id'), + } policy.check('update_zone', context, target) @@ -1100,11 +1174,18 @@ class Service(service.RPCService): """ zone = self.storage.get_zone(context, zone_id) - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'tenant_id': zone.tenant_id + } if hasattr(context, 'abandon') and context.abandon: policy.check('abandon_zone', context, target) @@ -1159,11 +1240,18 @@ class Service(service.RPCService): def xfr_zone(self, context, zone_id): zone = self.storage.get_zone(context, zone_id) - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'tenant_id': zone.tenant_id + } policy.check('xfr_zone', context, target) @@ -1189,9 +1277,14 @@ class Service(service.RPCService): if criterion is None: criterion = {} - target = { - 'tenant_id': criterion.get('tenant_id', None) - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None) + } + else: + target = { + 'tenant_id': criterion.get('tenant_id', None) + } policy.check('count_zones', context, target) @@ -1233,11 +1326,18 @@ class Service(service.RPCService): def touch_zone(self, context, zone_id): zone = self.storage.get_zone(context, zone_id) - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'tenant_id': zone.tenant_id + } policy.check('touch_zone', context, target) @@ -1266,13 +1366,22 @@ class Service(service.RPCService): if zone.action == 'DELETE': raise exceptions.BadRequest('Can not update a deleting zone') - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'zone_type': zone.type, - 'recordset_name': recordset.name, - 'tenant_id': zone.tenant_id, - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'zone_type': zone.type, + 'recordset_name': recordset.name, + constants.RBAC_PROJECT_ID: zone.tenant_id, + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'zone_type': zone.type, + 'recordset_name': recordset.name, + 'tenant_id': zone.tenant_id, + } policy.check('create_recordset', context, target) @@ -1357,12 +1466,20 @@ class Service(service.RPCService): else: zone = self.storage.get_zone(context, recordset.zone_id) - target = { - 'zone_id': zone.id, - 'zone_name': zone.name, - 'recordset_id': recordset.id, - 'tenant_id': zone.tenant_id, - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone.id, + 'zone_name': zone.name, + 'recordset_id': recordset.id, + constants.RBAC_PROJECT_ID: zone.tenant_id, + } + else: + target = { + 'zone_id': zone.id, + 'zone_name': zone.name, + 'recordset_id': recordset.id, + 'tenant_id': zone.tenant_id, + } policy.check('get_recordset', context, target) @@ -1375,7 +1492,11 @@ class Service(service.RPCService): @rpc.expected_exceptions() def find_recordsets(self, context, criterion=None, marker=None, limit=None, sort_key=None, sort_dir=None, force_index=False): - target = {'tenant_id': context.project_id} + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} + policy.check('find_recordsets', context, target) recordsets = self.storage.find_recordsets(context, criterion, marker, @@ -1386,7 +1507,10 @@ class Service(service.RPCService): @rpc.expected_exceptions() def find_recordset(self, context, criterion=None): - target = {'tenant_id': context.project_id} + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} policy.check('find_recordset', context, target) recordset = self.storage.find_recordset(context, criterion) @@ -1430,13 +1554,22 @@ class Service(service.RPCService): if zone.action == 'DELETE': raise exceptions.BadRequest('Can not update a deleting zone') - target = { - 'zone_id': recordset.obj_get_original_value('zone_id'), - 'zone_type': zone.type, - 'recordset_id': recordset.obj_get_original_value('id'), - 'zone_name': zone.name, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': recordset.obj_get_original_value('zone_id'), + 'zone_type': zone.type, + 'recordset_id': recordset.obj_get_original_value('id'), + 'zone_name': zone.name, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': recordset.obj_get_original_value('zone_id'), + 'zone_type': zone.type, + 'recordset_id': recordset.obj_get_original_value('id'), + 'zone_name': zone.name, + 'tenant_id': zone.tenant_id + } policy.check('update_recordset', context, target) @@ -1494,13 +1627,22 @@ class Service(service.RPCService): if zone.action == 'DELETE': raise exceptions.BadRequest('Can not update a deleting zone') - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'zone_type': zone.type, - 'recordset_id': recordset.id, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'zone_type': zone.type, + 'recordset_id': recordset.id, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'zone_type': zone.type, + 'recordset_id': recordset.id, + 'tenant_id': zone.tenant_id + } policy.check('delete_recordset', context, target) @@ -1543,9 +1685,12 @@ class Service(service.RPCService): if criterion is None: criterion = {} - target = { - 'tenant_id': criterion.get('tenant_id', None) - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None) + } + else: + target = {'tenant_id': criterion.get('tenant_id', None)} policy.check('count_recordsets', context, target) @@ -1565,14 +1710,24 @@ class Service(service.RPCService): recordset = self.storage.get_recordset(context, recordset_id) - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'zone_type': zone.type, - 'recordset_id': recordset_id, - 'recordset_name': recordset.name, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'zone_type': zone.type, + 'recordset_id': recordset_id, + 'recordset_name': recordset.name, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'zone_type': zone.type, + 'recordset_id': recordset_id, + 'recordset_name': recordset.name, + 'tenant_id': zone.tenant_id + } policy.check('create_record', context, target) @@ -1619,14 +1774,24 @@ class Service(service.RPCService): if recordset.id != record.recordset_id: raise exceptions.RecordNotFound() - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'recordset_id': recordset_id, - 'recordset_name': recordset.name, - 'record_id': record.id, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'recordset_id': recordset_id, + 'recordset_name': recordset.name, + 'record_id': record.id, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'recordset_id': recordset_id, + 'recordset_name': recordset.name, + 'record_id': record.id, + 'tenant_id': zone.tenant_id + } policy.check('get_record', context, target) @@ -1635,7 +1800,11 @@ class Service(service.RPCService): @rpc.expected_exceptions() def find_records(self, context, criterion=None, marker=None, limit=None, sort_key=None, sort_dir=None): - target = {'tenant_id': context.project_id} + + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} policy.check('find_records', context, target) return self.storage.find_records(context, criterion, marker, limit, @@ -1643,7 +1812,11 @@ class Service(service.RPCService): @rpc.expected_exceptions() def find_record(self, context, criterion=None): - target = {'tenant_id': context.project_id} + + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} policy.check('find_record', context, target) return self.storage.find_record(context, criterion) @@ -1677,15 +1850,26 @@ class Service(service.RPCService): raise exceptions.BadRequest('Moving a recordset between ' 'recordsets is not allowed') - target = { - 'zone_id': record.obj_get_original_value('zone_id'), - 'zone_name': zone.name, - 'zone_type': zone.type, - 'recordset_id': record.obj_get_original_value('recordset_id'), - 'recordset_name': recordset.name, - 'record_id': record.obj_get_original_value('id'), - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': record.obj_get_original_value('zone_id'), + 'zone_name': zone.name, + 'zone_type': zone.type, + 'recordset_id': record.obj_get_original_value('recordset_id'), + 'recordset_name': recordset.name, + 'record_id': record.obj_get_original_value('id'), + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': record.obj_get_original_value('zone_id'), + 'zone_name': zone.name, + 'zone_type': zone.type, + 'recordset_id': record.obj_get_original_value('recordset_id'), + 'recordset_name': recordset.name, + 'record_id': record.obj_get_original_value('id'), + 'tenant_id': zone.tenant_id + } policy.check('update_record', context, target) @@ -1739,15 +1923,26 @@ class Service(service.RPCService): if recordset.id != record.recordset_id: raise exceptions.RecordNotFound() - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'zone_type': zone.type, - 'recordset_id': recordset_id, - 'recordset_name': recordset.name, - 'record_id': record.id, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'zone_type': zone.type, + 'recordset_id': recordset_id, + 'recordset_name': recordset.name, + 'record_id': record.id, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'zone_type': zone.type, + 'recordset_id': recordset_id, + 'recordset_name': recordset.name, + 'record_id': record.id, + 'tenant_id': zone.tenant_id + } policy.check('delete_record', context, target) @@ -1783,9 +1978,12 @@ class Service(service.RPCService): if criterion is None: criterion = {} - target = { - 'tenant_id': criterion.get('tenant_id', None) - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None) + } + else: + target = {'tenant_id': criterion.get('tenant_id', None)} policy.check('count_records', context, target) return self.storage.count_records(context, criterion) @@ -1812,11 +2010,18 @@ class Service(service.RPCService): def sync_zone(self, context, zone_id): zone = self.storage.get_zone(context, zone_id) - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'tenant_id': zone.tenant_id + } policy.check('diagnostics_sync_zone', context, target) @@ -1828,14 +2033,24 @@ class Service(service.RPCService): zone = self.storage.get_zone(context, zone_id) recordset = self.storage.get_recordset(context, recordset_id) - target = { - 'zone_id': zone_id, - 'zone_name': zone.name, - 'recordset_id': recordset_id, - 'recordset_name': recordset.name, - 'record_id': record_id, - 'tenant_id': zone.tenant_id - } + if policy.enforce_new_defaults(): + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'recordset_id': recordset_id, + 'recordset_name': recordset.name, + 'record_id': record_id, + constants.RBAC_PROJECT_ID: zone.tenant_id + } + else: + target = { + 'zone_id': zone_id, + 'zone_name': zone.name, + 'recordset_id': recordset_id, + 'recordset_name': recordset.name, + 'record_id': record_id, + 'tenant_id': zone.tenant_id + } policy.check('diagnostics_sync_record', context, target) @@ -2255,6 +2470,8 @@ class Service(service.RPCService): policy.check('create_pool', context) + self._is_valid_project_id(pool.tenant_id) + created_pool = self.storage.create_pool(context, pool) return created_pool @@ -2506,9 +2723,11 @@ class Service(service.RPCService): if zone.action == 'DELETE': raise exceptions.BadRequest('Can not transfer a deleting zone') - target = { - 'tenant_id': zone.tenant_id, - } + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: zone.tenant_id} + else: + target = {'tenant_id': zone.tenant_id} + policy.check('create_zone_transfer_request', context, target) zone_transfer_request.key = self._transfer_key_generator() @@ -2516,6 +2735,8 @@ class Service(service.RPCService): if zone_transfer_request.tenant_id is None: zone_transfer_request.tenant_id = context.project_id + self._is_valid_project_id(zone_transfer_request.tenant_id) + created_zone_transfer_request = \ self.storage.create_zone_transfer_request( context, zone_transfer_request) @@ -2532,10 +2753,18 @@ class Service(service.RPCService): elevated_context, zone_transfer_request_id) LOG.info('Target Tenant ID found - using scoped policy') - target = { - 'target_tenant_id': zone_transfer_request.target_tenant_id, - 'tenant_id': zone_transfer_request.tenant_id, - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request. + target_tenant_id), + constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id, + } + else: + target = { + 'target_tenant_id': zone_transfer_request.target_tenant_id, + 'tenant_id': zone_transfer_request.tenant_id, + } + policy.check('get_zone_transfer_request', context, target) return zone_transfer_request @@ -2555,9 +2784,15 @@ class Service(service.RPCService): @rpc.expected_exceptions() def find_zone_transfer_request(self, context, criterion): - target = { - 'tenant_id': context.project_id, - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: context.project_id, + } + else: + target = { + 'tenant_id': context.project_id, + } + policy.check('find_zone_transfer_request', context, target) return self.storage.find_zone_transfer_requests(context, criterion) @@ -2569,9 +2804,14 @@ class Service(service.RPCService): if 'zone_id' in zone_transfer_request.obj_what_changed(): raise exceptions.InvalidOperation('Zone cannot be changed') - target = { - 'tenant_id': zone_transfer_request.tenant_id, - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id, + } + else: + target = { + 'tenant_id': zone_transfer_request.tenant_id, + } policy.check('update_zone_transfer_request', context, target) request = self.storage.update_zone_transfer_request( context, zone_transfer_request) @@ -2585,9 +2825,14 @@ class Service(service.RPCService): # Get zone transfer request zone_transfer_request = self.storage.get_zone_transfer_request( context, zone_transfer_request_id) - target = { - 'tenant_id': zone_transfer_request.tenant_id, - } + + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id + } + else: + target = {'tenant_id': zone_transfer_request.tenant_id} + policy.check('delete_zone_transfer_request', context, target) return self.storage.delete_zone_transfer_request( context, @@ -2614,14 +2859,23 @@ class Service(service.RPCService): raise exceptions.IncorrectZoneTransferKey( 'Key does not match stored key for request') - target = { - 'target_tenant_id': zone_transfer_request.target_tenant_id - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request. + target_tenant_id) + } + else: + target = { + 'target_tenant_id': zone_transfer_request.target_tenant_id + } + policy.check('create_zone_transfer_accept', context, target) if zone_transfer_accept.tenant_id is None: zone_transfer_accept.tenant_id = context.project_id + self._is_valid_project_id(zone_transfer_accept.tenant_id) + created_zone_transfer_accept = \ self.storage.create_zone_transfer_accept( context, zone_transfer_accept) @@ -2664,9 +2918,15 @@ class Service(service.RPCService): zone_transfer_accept = self.storage.get_zone_transfer_accept( context, zone_transfer_accept_id) - target = { - 'tenant_id': zone_transfer_accept.tenant_id - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id + } + else: + target = { + 'tenant_id': zone_transfer_accept.tenant_id + } + policy.check('get_zone_transfer_accept', context, target) return zone_transfer_accept @@ -2688,9 +2948,14 @@ class Service(service.RPCService): @notification('dns.zone_transfer_accept.update') @transaction def update_zone_transfer_accept(self, context, zone_transfer_accept): - target = { - 'tenant_id': zone_transfer_accept.tenant_id - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id + } + else: + target = { + 'tenant_id': zone_transfer_accept.tenant_id + } policy.check('update_zone_transfer_accept', context, target) accept = self.storage.update_zone_transfer_accept( context, zone_transfer_accept) @@ -2705,9 +2970,15 @@ class Service(service.RPCService): zt_accept = self.storage.get_zone_transfer_accept( context, zone_transfer_accept_id) - target = { - 'tenant_id': zt_accept.tenant_id - } + if policy.enforce_new_defaults(): + target = { + constants.RBAC_PROJECT_ID: zt_accept.tenant_id + } + else: + target = { + 'tenant_id': zt_accept.tenant_id + } + policy.check('delete_zone_transfer_accept', context, target) return self.storage.delete_zone_transfer_accept( context, @@ -2717,9 +2988,16 @@ class Service(service.RPCService): @rpc.expected_exceptions() @notification('dns.zone_import.create') def create_zone_import(self, context, request_body): - target = {'tenant_id': context.project_id} + + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} + policy.check('create_zone_import', context, target) + self._is_valid_project_id(context.project_id) + values = { 'status': 'PENDING', 'message': None, @@ -2811,7 +3089,12 @@ class Service(service.RPCService): @rpc.expected_exceptions() def find_zone_imports(self, context, criterion=None, marker=None, limit=None, sort_key=None, sort_dir=None): - target = {'tenant_id': context.project_id} + + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} + policy.check('find_zone_imports', context, target) if not criterion: @@ -2826,16 +3109,22 @@ class Service(service.RPCService): @rpc.expected_exceptions() def get_zone_import(self, context, zone_import_id): - target = {'tenant_id': context.project_id} + + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} + policy.check('get_zone_import', context, target) return self.storage.get_zone_import(context, zone_import_id) @rpc.expected_exceptions() @notification('dns.zone_import.update') def update_zone_import(self, context, zone_import): - target = { - 'tenant_id': zone_import.tenant_id, - } + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: zone_import.tenant_id} + else: + target = {'tenant_id': zone_import.tenant_id} policy.check('update_zone_import', context, target) return self.storage.update_zone_import(context, zone_import) @@ -2844,10 +3133,18 @@ class Service(service.RPCService): @notification('dns.zone_import.delete') @transaction def delete_zone_import(self, context, zone_import_id): - target = { - 'zone_import_id': zone_import_id, - 'tenant_id': context.project_id - } + + if policy.enforce_new_defaults(): + target = { + 'zone_import_id': zone_import_id, + constants.RBAC_PROJECT_ID: context.project_id + } + else: + target = { + 'zone_import_id': zone_import_id, + 'tenant_id': context.project_id + } + policy.check('delete_zone_import', context, target) zone_import = self.storage.delete_zone_import(context, zone_import_id) @@ -2861,9 +3158,15 @@ class Service(service.RPCService): # Try getting the zone to ensure it exists zone = self.storage.get_zone(context, zone_id) - target = {'tenant_id': context.project_id} + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} + policy.check('create_zone_export', context, target) + self._is_valid_project_id(context.project_id) + values = { 'status': 'PENDING', 'message': None, @@ -2884,7 +3187,11 @@ class Service(service.RPCService): @rpc.expected_exceptions() def find_zone_exports(self, context, criterion=None, marker=None, limit=None, sort_key=None, sort_dir=None): - target = {'tenant_id': context.project_id} + + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} policy.check('find_zone_exports', context, target) if not criterion: @@ -2899,7 +3206,12 @@ class Service(service.RPCService): @rpc.expected_exceptions() def get_zone_export(self, context, zone_export_id): - target = {'tenant_id': context.project_id} + + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: context.project_id} + else: + target = {'tenant_id': context.project_id} + policy.check('get_zone_export', context, target) return self.storage.get_zone_export(context, zone_export_id) @@ -2907,9 +3219,12 @@ class Service(service.RPCService): @rpc.expected_exceptions() @notification('dns.zone_export.update') def update_zone_export(self, context, zone_export): - target = { - 'tenant_id': zone_export.tenant_id, - } + + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: zone_export.tenant_id} + else: + target = {'tenant_id': zone_export.tenant_id} + policy.check('update_zone_export', context, target) return self.storage.update_zone_export(context, zone_export) @@ -2918,10 +3233,18 @@ class Service(service.RPCService): @notification('dns.zone_export.delete') @transaction def delete_zone_export(self, context, zone_export_id): - target = { - 'zone_export_id': zone_export_id, - 'tenant_id': context.project_id - } + + if policy.enforce_new_defaults(): + target = { + 'zone_export_id': zone_export_id, + constants.RBAC_PROJECT_ID: context.project_id + } + else: + target = { + 'zone_export_id': zone_export_id, + 'tenant_id': context.project_id + } + policy.check('delete_zone_export', context, target) zone_export = self.storage.delete_zone_export(context, zone_export_id) diff --git a/designate/common/constants.py b/designate/common/constants.py new file mode 100644 index 000000000..994334622 --- /dev/null +++ b/designate/common/constants.py @@ -0,0 +1,17 @@ +# Copyright 2021 Red Hat +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# RBAC related constants +RBAC_PROJECT_ID = 'project_id' +RBAC_TARGET_PROJECT_ID = 'target_project_id' diff --git a/designate/common/policies/base.py b/designate/common/policies/base.py index adb2a6c6e..c09298db5 100644 --- a/designate/common/policies/base.py +++ b/designate/common/policies/base.py @@ -12,17 +12,14 @@ # License for the specific language governing permissions and limitations # under the License. - +from oslo_log import versionutils from oslo_policy import policy -RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' -RULE_ADMIN = 'rule:admin' -RULE_ZONE_PRIMARY_OR_ADMIN = \ - "('PRIMARY':%(zone_type)s and rule:admin_or_owner) "\ - "OR ('SECONDARY':%(zone_type)s AND is_admin:True)" -RULE_ZONE_TRANSFER = "rule:admin_or_owner OR tenant:%(target_tenant_id)s " \ - "OR None:%(target_tenant_id)s" +DEPRECATED_REASON = """ +The designate API now supports system scope and default roles. +""" + RULE_ANY = "@" # Generic policy check string for system administrators. These are the people @@ -59,37 +56,56 @@ SYSTEM_OR_PROJECT_READER = ( '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')' ) +# Designate specific "secure RBAC" rules +ALL_TENANTS = 'True:%(all_tenants)s' + +ALL_TENANTS_READER = ALL_TENANTS + ' and role:reader' + +SYSTEM_OR_PROJECT_READER_OR_ALL_TENANTS_READER = ( + '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ') or (' + + ALL_TENANTS_READER + ')' +) + +RULE_ZONE_TRANSFER = ( + '(' + SYSTEM_ADMIN_OR_PROJECT_MEMBER + ') or ' + 'project_id:%(target_project_id)s or ' + 'None:%(target_project_id)s') + + +# Deprecated in Wallaby as part of the "secure RBAC" work. +# TODO(johnsom) remove when the deprecated RBAC rules are removed. +RULE_ADMIN = 'rule:admin' +RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' +LEGACY_RULE_ZONE_TRANSFER = "rule:admin_or_owner OR " \ + "tenant:%(target_tenant_id)s " \ + "OR None:%(target_tenant_id)s" + +deprecated_default = policy.DeprecatedRule( + name="default", + check_str=RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) + rules = [ + # TODO(johnsom) remove when the deprecated RBAC rules are removed. policy.RuleDefault( name="admin", check_str="role:admin or is_admin:True"), - policy.RuleDefault( - name="primary_zone", - check_str="target.zone_type:SECONDARY"), + # TODO(johnsom) remove when the deprecated RBAC rules are removed. policy.RuleDefault( name="owner", check_str="tenant:%(tenant_id)s"), + # TODO(johnsom) remove when the deprecated RBAC rules are removed. policy.RuleDefault( name="admin_or_owner", check_str="rule:admin or rule:owner"), + + # Default policy policy.RuleDefault( name="default", - check_str="rule:admin_or_owner"), - policy.RuleDefault( - name="target", - check_str="tenant:%(target_tenant_id)s"), - policy.RuleDefault( - name="owner_or_target", - check_str="rule:target or rule:owner"), - policy.RuleDefault( - name="admin_or_owner_or_target", - check_str="rule:owner_or_target or rule:admin"), - policy.RuleDefault( - name="admin_or_target", - check_str="rule:admin or rule:target"), - policy.RuleDefault( - name="zone_primary_or_admin", - check_str=RULE_ZONE_PRIMARY_OR_ADMIN) + check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER, + deprecated_rule=deprecated_default), ] diff --git a/designate/common/policies/context.py b/designate/common/policies/context.py index 08a528f3a..81ab54d5e 100644 --- a/designate/common/policies/context.py +++ b/designate/common/policies/context.py @@ -13,28 +13,62 @@ # under the License. +from oslo_log import versionutils from oslo_policy import policy from designate.common.policies import base +deprecated_all_tenants = policy.DeprecatedRule( + name="all_tenants", + check_str=base.RULE_ADMIN, + deprecated_reason=base.DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_edit_managed_records = policy.DeprecatedRule( + name="edit_managed_records", + check_str=base.RULE_ADMIN, + deprecated_reason=base.DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_use_low_ttl = policy.DeprecatedRule( + name="use_low_ttl", + check_str=base.RULE_ADMIN, + deprecated_reason=base.DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_use_sudo = policy.DeprecatedRule( + name="use_sudo", + check_str=base.RULE_ADMIN, + deprecated_reason=base.DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) + rules = [ policy.RuleDefault( name="all_tenants", - check_str=base.RULE_ADMIN, - description='Action on all tenants.'), + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], + description='Action on all tenants.', + deprecated_rule=deprecated_all_tenants), policy.RuleDefault( name="edit_managed_records", - check_str=base.RULE_ADMIN, - description='Edit managed records.'), + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], + description='Edit managed records.', + deprecated_rule=deprecated_edit_managed_records), policy.RuleDefault( name="use_low_ttl", - check_str=base.RULE_ADMIN, - description='Use low TTL.'), + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], + description='Use low TTL.', + deprecated_rule=deprecated_use_low_ttl), policy.RuleDefault( name="use_sudo", - check_str=base.RULE_ADMIN, - description='Accept sudo from user to tenant.') + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], + description='Accept sudo from user to tenant.', + deprecated_rule=deprecated_use_sudo) ] diff --git a/designate/common/policies/diagnostics.py b/designate/common/policies/diagnostics.py index 9b903231d..55574bf59 100644 --- a/designate/common/policies/diagnostics.py +++ b/designate/common/policies/diagnostics.py @@ -12,29 +12,62 @@ # License for the specific language governing permissions and limitations # under the License. - +from oslo_log import versionutils from oslo_policy import policy from designate.common.policies import base +deprecated_diagnostics_ping = policy.DeprecatedRule( + name="diagnostics_ping", + check_str=base.RULE_ADMIN, + deprecated_reason=base.DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_diagnostics_sync_zones = policy.DeprecatedRule( + name="diagnostics_sync_zones", + check_str=base.RULE_ADMIN, + deprecated_reason=base.DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_diagnostics_sync_zone = policy.DeprecatedRule( + name="diagnostics_sync_zone", + check_str=base.RULE_ADMIN, + deprecated_reason=base.DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_diagnostics_sync_record = policy.DeprecatedRule( + name="diagnostics_sync_record", + check_str=base.RULE_ADMIN, + deprecated_reason=base.DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) + rules = [ policy.RuleDefault( name="diagnostics_ping", - check_str=base.RULE_ADMIN, - description='Diagnose ping.'), + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], + description='Diagnose ping.', + deprecated_rule=deprecated_diagnostics_ping), policy.RuleDefault( name="diagnostics_sync_zones", - check_str=base.RULE_ADMIN, - description='Diagnose sync zones.'), + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], + description='Diagnose sync zones.', + deprecated_rule=deprecated_diagnostics_sync_zones), policy.RuleDefault( name="diagnostics_sync_zone", - check_str=base.RULE_ADMIN, - description='Diagnose sync zone.'), + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], + description='Diagnose sync zone.', + deprecated_rule=deprecated_diagnostics_sync_zone), policy.RuleDefault( name="diagnostics_sync_record", - check_str=base.RULE_ADMIN, - description='Diagnose sync record.') + check_str=base.SYSTEM_ADMIN, + scope_types=['system'], + description='Diagnose sync record.', + deprecated_rule=deprecated_diagnostics_sync_record) ] diff --git a/designate/common/policies/quota.py b/designate/common/policies/quota.py index f430d9a7e..0ddb4459a 100644 --- a/designate/common/policies/quota.py +++ b/designate/common/policies/quota.py @@ -50,7 +50,7 @@ deprecated_reset_quotas = policy.DeprecatedRule( rules = [ policy.DocumentedRuleDefault( name="get_quotas", - check_str=base.SYSTEM_OR_PROJECT_READER, + check_str=base.SYSTEM_OR_PROJECT_READER_OR_ALL_TENANTS_READER, scope_types=['system', 'project'], description="View Current Project's Quotas.", operations=[ diff --git a/designate/common/policies/recordset.py b/designate/common/policies/recordset.py index e77025ebc..6dad34fc0 100644 --- a/designate/common/policies/recordset.py +++ b/designate/common/policies/recordset.py @@ -22,9 +22,15 @@ DEPRECATED_REASON = """ The record set API now supports system scope and default roles. """ +# Deprecated in Wallaby as part of the "secure RBAC" work. +# TODO(johnsom) remove when the deprecated RBAC rules are removed. +RULE_ZONE_PRIMARY_OR_ADMIN = ( + "('PRIMARY':%(zone_type)s and rule:admin_or_owner) " + "OR ('SECONDARY':%(zone_type)s AND is_admin:True)") + deprecated_create_recordset = policy.DeprecatedRule( name="create_recordset", - check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN, + check_str=RULE_ZONE_PRIMARY_OR_ADMIN, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY ) @@ -40,15 +46,27 @@ deprecated_get_recordset = policy.DeprecatedRule( deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY ) +deprecated_find_recordset = policy.DeprecatedRule( + name="find_recordset", + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) +deprecated_find_recordsets = policy.DeprecatedRule( + name="find_recordsets", + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) deprecated_update_recordset = policy.DeprecatedRule( name="update_recordset", - check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN, + check_str=RULE_ZONE_PRIMARY_OR_ADMIN, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY ) deprecated_delete_recordset = policy.DeprecatedRule( name="delete_recordset", - check_str=base.RULE_ZONE_PRIMARY_OR_ADMIN, + check_str=RULE_ZONE_PRIMARY_OR_ADMIN, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY ) @@ -69,7 +87,7 @@ SYSTEM_ADMIN_AND_SECONDARY_ZONE = ( '(' + base.SYSTEM_ADMIN + ') and (\'SECONDARY\':%(zone_type)s)' ) -SYSTEM_ADMIN_OR_PROJECT_MEMBER = ''.join( +SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE = ' or '.join( [PROJECT_MEMBER_AND_PRIMARY_ZONE, SYSTEM_ADMIN_AND_PRIMARY_ZONE, SYSTEM_ADMIN_AND_SECONDARY_ZONE] @@ -79,16 +97,13 @@ SYSTEM_ADMIN_OR_PROJECT_MEMBER = ''.join( rules = [ policy.DocumentedRuleDefault( name="create_recordset", - check_str=SYSTEM_ADMIN_AND_SECONDARY_ZONE, + check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE, scope_types=['system', 'project'], description="Create Recordset", operations=[ { 'path': '/v2/zones/{zone_id}/recordsets', 'method': 'POST' - }, { - 'path': '/v2/reverse/floatingips/{region}:{floatingip_id}', - 'method': 'PATCH' } ], deprecated_rule=deprecated_create_recordset @@ -108,35 +123,46 @@ rules = [ { 'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}', 'method': 'GET' - }, { - 'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}', - 'method': 'DELETE' - }, { - 'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}', - 'method': 'PUT' } ], deprecated_rule=deprecated_get_recordset ), + policy.RuleDefault( + name="find_recordset", + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 'project'], + description="List a Recordset in a Zone", + deprecated_rule=deprecated_find_recordset + ), + policy.DocumentedRuleDefault( + name="find_recordsets", + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 'project'], + description="List Recordsets in a Zone", + operations=[ + { + 'path': '/v2/zones/{zone_id}/recordsets', + 'method': 'GET' + }, + ], + deprecated_rule=deprecated_find_recordsets + ), policy.DocumentedRuleDefault( name="update_recordset", - check_str=SYSTEM_ADMIN_AND_SECONDARY_ZONE, + check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE, scope_types=['system', 'project'], description="Update recordset", operations=[ { 'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}', 'method': 'PUT' - }, { - 'path': '/v2/reverse/floatingips/{region}:{floatingip_id}', - 'method': 'PATCH' } ], deprecated_rule=deprecated_update_recordset ), policy.DocumentedRuleDefault( name="delete_recordset", - check_str=SYSTEM_ADMIN_AND_SECONDARY_ZONE, + check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER_ZONE_TYPE, scope_types=['system', 'project'], description="Delete RecordSet", operations=[ diff --git a/designate/common/policies/tsigkey.py b/designate/common/policies/tsigkey.py index b3562315a..2df26f3ea 100644 --- a/designate/common/policies/tsigkey.py +++ b/designate/common/policies/tsigkey.py @@ -88,9 +88,6 @@ rules = [ description="Show a Tsigkey", operations=[ { - 'path': '/v2/tsigkeys/{tsigkey_id}', - 'method': 'PATCH' - }, { 'path': '/v2/tsigkeys/{tsigkey_id}', 'method': 'GET' } diff --git a/designate/common/policies/zone.py b/designate/common/policies/zone.py index 948b11326..929c0549f 100644 --- a/designate/common/policies/zone.py +++ b/designate/common/policies/zone.py @@ -46,6 +46,12 @@ deprecated_get_zone_servers = policy.DeprecatedRule( deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY ) +deprecated_get_zone_ns_records = policy.DeprecatedRule( + name="get_zone_ns_records", + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) deprecated_find_zones = policy.DeprecatedRule( name="find_zones", check_str=base.RULE_ADMIN_OR_OWNER, @@ -131,12 +137,6 @@ rules = [ { 'path': '/v2/zones/{zone_id}', 'method': 'GET' - }, { - 'path': '/v2/zones/{zone_id}', - 'method': 'PATCH' - }, { - 'path': '/v2/zones/{zone_id}/recordsets/{recordset_id}', - 'method': 'PUT' } ], deprecated_rule=deprecated_get_zone @@ -147,6 +147,19 @@ rules = [ scope_types=['system', 'project'], deprecated_rule=deprecated_get_zone_servers ), + policy.DocumentedRuleDefault( + name="get_zone_ns_records", + check_str=base.SYSTEM_OR_PROJECT_READER, + scope_types=['system', 'project'], + description="Get the Name Servers for a Zone", + operations=[ + { + 'path': '/v2/zones/{zone_id}/nameservers', + 'method': 'GET' + } + ], + deprecated_rule=deprecated_get_zone_ns_records + ), policy.DocumentedRuleDefault( name="find_zones", check_str=base.SYSTEM_OR_PROJECT_READER, diff --git a/designate/common/policies/zone_export.py b/designate/common/policies/zone_export.py index c3f024431..ca45971b9 100644 --- a/designate/common/policies/zone_export.py +++ b/designate/common/policies/zone_export.py @@ -52,6 +52,12 @@ deprecated_update_zone_export = policy.DeprecatedRule( deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY ) +deprecated_delete_zone_export = policy.DeprecatedRule( + name="delete_zone_export", + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY +) rules = [ @@ -103,9 +109,6 @@ rules = [ { 'path': '/v2/zones/tasks/exports/{zone_export_id}', 'method': 'GET' - }, { - 'path': '/v2/zones/tasks/exports/{zone_export_id}/export', - 'method': 'GET' } ], deprecated_rule=deprecated_get_zone_export @@ -122,7 +125,20 @@ rules = [ } ], deprecated_rule=deprecated_update_zone_export - ) + ), + policy.DocumentedRuleDefault( + name="delete_zone_export", + check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, + scope_types=['system', 'project'], + description="Delete a zone export", + operations=[ + { + 'path': '/v2/zones/tasks/exports/{zone_export_id}', + 'method': 'DELETE' + } + ], + deprecated_rule=deprecated_delete_zone_export + ), ] diff --git a/designate/common/policies/zone_import.py b/designate/common/policies/zone_import.py index 02a383e1b..8d4f2b171 100644 --- a/designate/common/policies/zone_import.py +++ b/designate/common/policies/zone_import.py @@ -115,7 +115,7 @@ rules = [ operations=[ { 'path': '/v2/zones/tasks/imports/{zone_import_id}', - 'method': 'GET' + 'method': 'DELETE' } ], deprecated_rule=deprecated_delete_zone_import diff --git a/designate/common/policies/zone_transfer_accept.py b/designate/common/policies/zone_transfer_accept.py index eeca74356..05e18a64a 100644 --- a/designate/common/policies/zone_transfer_accept.py +++ b/designate/common/policies/zone_transfer_accept.py @@ -24,7 +24,7 @@ The zone transfer accept API now supports system scope and default roles. deprecated_create_zone_transfer_accept = policy.DeprecatedRule( name="create_zone_transfer_accept", - check_str=base.RULE_ZONE_TRANSFER, + check_str=base.LEGACY_RULE_ZONE_TRANSFER, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY ) @@ -64,13 +64,15 @@ rules = [ policy.DocumentedRuleDefault( name="create_zone_transfer_accept", check_str=base.RULE_ZONE_TRANSFER, + scope_types=['system', 'project'], description="Create Zone Transfer Accept", operations=[ { 'path': '/v2/zones/tasks/transfer_accepts', 'method': 'POST' } - ] + ], + deprecated_rule=deprecated_create_zone_transfer_accept ), policy.DocumentedRuleDefault( name="get_zone_transfer_accept", diff --git a/designate/common/policies/zone_transfer_request.py b/designate/common/policies/zone_transfer_request.py index 0ed2c8d3f..5178aaf61 100644 --- a/designate/common/policies/zone_transfer_request.py +++ b/designate/common/policies/zone_transfer_request.py @@ -23,14 +23,14 @@ The zone transfer request API now supports system scope and default roles. """ deprecated_create_zone_transfer_request = policy.DeprecatedRule( - name="create_zone_transfer_request", - check_str=base.RULE_ADMIN_OR_OWNER, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY + name="create_zone_transfer_request", + check_str=base.RULE_ADMIN_OR_OWNER, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ) deprecated_get_zone_transfer_request = policy.DeprecatedRule( name="get_zone_transfer_request", - check_str=base.RULE_ZONE_TRANSFER, + check_str=base.LEGACY_RULE_ZONE_TRANSFER, deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY ) @@ -40,12 +40,6 @@ deprecated_get_zone_transfer_request_detailed = policy.DeprecatedRule( deprecated_reason=DEPRECATED_REASON, deprecated_since=versionutils.deprecated.WALLABY ) -deprecated_find_zone_transfer_requests = policy.DeprecatedRule( - name="find_zone_transfer_requests", - check_str=base.RULE_ANY, - deprecated_reason=DEPRECATED_REASON, - deprecated_since=versionutils.deprecated.WALLABY -) deprecated_update_zone_transfer_request = policy.DeprecatedRule( name="update_zone_transfer_request", check_str=base.RULE_ADMIN_OR_OWNER, @@ -77,16 +71,15 @@ rules = [ policy.DocumentedRuleDefault( name="get_zone_transfer_request", check_str=base.RULE_ZONE_TRANSFER, + scope_types=['system', 'project'], description="Show a Zone Transfer Request", operations=[ { 'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa 'method': 'GET' - }, { - 'path': '/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}', # noqa - 'method': 'PATCH' } - ] + ], + deprecated_rule=deprecated_get_zone_transfer_request ), policy.RuleDefault( name="get_zone_transfer_request_detailed", @@ -103,7 +96,7 @@ rules = [ 'path': '/v2/zones/tasks/transfer_requests', 'method': 'GET' } - ] + ], ), policy.RuleDefault( name="find_zone_transfer_request", diff --git a/designate/context.py b/designate/context.py index 43992d5a0..22a0c2d45 100644 --- a/designate/context.py +++ b/designate/context.py @@ -107,6 +107,8 @@ class DesignateContext(context.RequestContext): # NOTE(kiall): Ugly - required to match http://tinyurl.com/o3y8qmw context.roles.append('admin') + if policy.enforce_new_defaults(): + context.system_scope = 'all' if show_deleted is not None: context.show_deleted = show_deleted @@ -132,7 +134,8 @@ class DesignateContext(context.RequestContext): def get_admin_context(cls, **kwargs): # TODO(kiall): Remove Me kwargs['is_admin'] = True - kwargs['roles'] = ['admin'] + kwargs['roles'] = ['admin', 'reader'] + kwargs['system_scope'] = 'all' return cls(None, **kwargs) diff --git a/designate/exceptions.py b/designate/exceptions.py index 2aa731270..071addf57 100644 --- a/designate/exceptions.py +++ b/designate/exceptions.py @@ -256,6 +256,10 @@ class IncorrectZoneTransferKey(Forbidden): error_type = 'invalid_key' +class InvalidTokenScope(Forbidden): + error_type = 'invalid_token_scope' + + class Duplicate(DesignateException): expected = True error_code = 409 @@ -473,3 +477,12 @@ class LastServerDeleteNotAllowed(BadRequest): class ResourceNotFound(NotFound): # TODO(kiall): Should this be extending NotFound?? pass + + +class MissingProjectID(BadRequest): + # Note: This should be 400, but is 401 for compatibility with + # previous versions of the API. + # https://github.com/openstack/designate/blob/stable/wallaby/ \ + # designate/api/middleware.py#L132 + error_code = 401 + error_type = 'missing_project_id' diff --git a/designate/objects/adapters/api_v2/zone_transfer_request.py b/designate/objects/adapters/api_v2/zone_transfer_request.py index 732494222..5cd2d1783 100644 --- a/designate/objects/adapters/api_v2/zone_transfer_request.py +++ b/designate/objects/adapters/api_v2/zone_transfer_request.py @@ -11,6 +11,7 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. +from designate.common import constants from designate import exceptions from designate import objects from designate.objects.adapters.api_v2 import base @@ -65,9 +66,10 @@ class ZoneTransferRequestAPIv2Adapter(base.APIv2Adapter): object, *args, **kwargs) try: - target = { - 'tenant_id': object.tenant_id, - } + if policy.enforce_new_defaults(): + target = {constants.RBAC_PROJECT_ID: object.tenant_id} + else: + target = {'tenant_id': object.tenant_id} policy.check( 'get_zone_transfer_request_detailed', diff --git a/designate/policy.py b/designate/policy.py index 006f48b8f..e67d22026 100644 --- a/designate/policy.py +++ b/designate/policy.py @@ -73,10 +73,17 @@ def init(default_rule=None, policy_file=None): def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden): - creds = ctxt.to_dict() + if enforce_new_defaults(): + creds = ctxt.to_policy_values() + else: + creds = ctxt.to_dict() target = target or {} try: result = _ENFORCER.enforce(rule, target, creds, do_raise, exc) + except policy.InvalidScope: + result = False + if do_raise: + raise exceptions.InvalidTokenScope except Exception: result = False raise @@ -93,3 +100,9 @@ def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden): LOG.info("Policy check failed for rule '%(rule)s' " "on target %(target)s", {'rule': rule, 'target': repr(target)}, extra=extra) + + +def enforce_new_defaults(): + if CONF.get('oslo_policy'): + return CONF['oslo_policy'].get('enforce_new_defaults', False) + return False diff --git a/designate/storage/impl_sqlalchemy/__init__.py b/designate/storage/impl_sqlalchemy/__init__.py index 7449f9e21..fe46a88b2 100644 --- a/designate/storage/impl_sqlalchemy/__init__.py +++ b/designate/storage/impl_sqlalchemy/__init__.py @@ -1488,6 +1488,12 @@ class SQLAlchemyStorage(sqlalchemy_base.SQLAlchemy, storage_base.Storage): ).select_from(ljoin) if not context.all_tenants: + # If we have a system scoped token with no project_id and + # all_tenants was not used, we don't know what records to return, + # so return an empty list. + if not context.project_id: + return objects.ZoneTransferRequestList() + query = query.where(or_( table.c.tenant_id == context.project_id, table.c.target_tenant_id == context.project_id)) @@ -1498,7 +1504,8 @@ class SQLAlchemyStorage(sqlalchemy_base.SQLAlchemy, storage_base.Storage): exceptions.ZoneTransferRequestNotFound, criterion, one=one, marker=marker, limit=limit, sort_dir=sort_dir, - sort_key=sort_key, query=query, apply_tenant_criteria=False + sort_key=sort_key, query=query, + apply_tenant_criteria=False ) def create_zone_transfer_request(self, context, zone_transfer_request): diff --git a/designate/tests/__init__.py b/designate/tests/__init__.py index 3479f275a..778dd5379 100644 --- a/designate/tests/__init__.py +++ b/designate/tests/__init__.py @@ -387,6 +387,8 @@ class TestCase(base.BaseTestCase): self.central_service = self.start_service('central') self.admin_context = self.get_admin_context() + self.admin_context_all_tenants = self.get_admin_context( + all_tenants=True) storage_driver = CONF['service:central'].storage_driver self.storage = storage.get_storage(storage_driver) @@ -436,10 +438,11 @@ class TestCase(base.BaseTestCase): def get_context(self, **kwargs): return DesignateContext(**kwargs) - def get_admin_context(self): + def get_admin_context(self, **kwargs): return DesignateContext.get_admin_context( project_id=utils.generate_uuid(), - user_id=utils.generate_uuid()) + user_id=utils.generate_uuid(), + **kwargs) # Fixture methods def get_quota_fixture(self, fixture=0, values=None): @@ -794,7 +797,7 @@ class TestCase(base.BaseTestCase): # Retrieve it, and ensure it's the same zone_import = self.central_service.get_zone_import( - self.admin_context, zone_import_id) + self.admin_context_all_tenants, zone_import_id) # If the import is done, we're done if zone_import.status == 'COMPLETE': diff --git a/designate/tests/test_api/test_middleware.py b/designate/tests/test_api/test_middleware.py index dc754ae4a..ea1624963 100644 --- a/designate/tests/test_api/test_middleware.py +++ b/designate/tests/test_api/test_middleware.py @@ -102,7 +102,8 @@ class KeystoneContextMiddlewareTest(ApiTestCase): # Process the request response = app(request) - self.assertEqual(401, response.status_code) + # Ensure request was not blocked + self.assertEqual(response, 'FakeResponse') class NoAuthContextMiddlewareTest(ApiTestCase): diff --git a/designate/tests/test_central/test_service.py b/designate/tests/test_central/test_service.py index 4c6a7ef1f..0daf47ec9 100644 --- a/designate/tests/test_central/test_service.py +++ b/designate/tests/test_central/test_service.py @@ -36,6 +36,7 @@ from designate import objects from designate.storage.impl_sqlalchemy import tables from designate.tests import fixtures from designate.tests.test_central import CentralTestCase +from designate import utils LOG = logging.getLogger(__name__) @@ -3537,7 +3538,7 @@ class CentralServiceTest(CentralTestCase): # Zone Import Tests def test_create_zone_import(self): # Create a Zone Import - context = self.get_context() + context = self.get_context(project_id=utils.generate_uuid()) request_body = self.get_zonefile_fixture() zone_import = self.central_service.create_zone_import(context, request_body) @@ -3551,7 +3552,7 @@ class CentralServiceTest(CentralTestCase): self.wait_for_import(zone_import.id) def test_find_zone_imports(self): - context = self.get_context() + context = self.get_context(project_id=utils.generate_uuid()) # Ensure we have no zone_imports to start with. zone_imports = self.central_service.find_zone_imports( @@ -3568,7 +3569,7 @@ class CentralServiceTest(CentralTestCase): # Ensure we can retrieve the newly created zone_import zone_imports = self.central_service.find_zone_imports( - self.admin_context) + self.admin_context_all_tenants) self.assertEqual(1, len(zone_imports)) # Create a second zone_import @@ -3581,14 +3582,14 @@ class CentralServiceTest(CentralTestCase): # Ensure we can retrieve both zone_imports zone_imports = self.central_service.find_zone_imports( - self.admin_context) + self.admin_context_all_tenants) self.assertEqual(2, len(zone_imports)) self.assertEqual('COMPLETE', zone_imports[0].status) self.assertEqual('COMPLETE', zone_imports[1].status) def test_get_zone_import(self): # Create a Zone Import - context = self.get_context() + context = self.get_context(project_id=utils.generate_uuid()) request_body = self.get_zonefile_fixture() zone_import = self.central_service.create_zone_import( context, request_body) @@ -3598,7 +3599,7 @@ class CentralServiceTest(CentralTestCase): # Retrieve it, and ensure it's the same zone_import = self.central_service.get_zone_import( - self.admin_context, zone_import.id) + self.admin_context_all_tenants, zone_import.id) self.assertEqual(zone_import.id, zone_import['id']) self.assertEqual(zone_import.status, zone_import['status']) @@ -3606,7 +3607,7 @@ class CentralServiceTest(CentralTestCase): def test_update_zone_import(self): # Create a Zone Import - context = self.get_context() + context = self.get_context(project_id=utils.generate_uuid()) request_body = self.get_zonefile_fixture() zone_import = self.central_service.create_zone_import( context, request_body) @@ -3618,7 +3619,7 @@ class CentralServiceTest(CentralTestCase): # Perform the update zone_import = self.central_service.update_zone_import( - self.admin_context, zone_import) + self.admin_context_all_tenants, zone_import) # Fetch the zone_import again zone_import = self.central_service.get_zone_import(context, @@ -3629,7 +3630,7 @@ class CentralServiceTest(CentralTestCase): def test_delete_zone_import(self): # Create a Zone Import - context = self.get_context() + context = self.get_context(project_id=utils.generate_uuid()) request_body = self.get_zonefile_fixture() zone_import = self.central_service.create_zone_import( context, request_body) diff --git a/designate/tests/unit/test_central/test_basic.py b/designate/tests/unit/test_central/test_basic.py index 45f528e4f..492a66641 100644 --- a/designate/tests/unit/test_central/test_basic.py +++ b/designate/tests/unit/test_central/test_basic.py @@ -256,6 +256,7 @@ class CentralBasic(TestCase): 'set_rules', 'init', 'check', + 'enforce_new_defaults', ]) designate.central.service.quota = mock.NonCallableMock(spec_set=[ @@ -932,7 +933,7 @@ class CentralZoneTestCase(CentralBasic): n, ctx, target = designate.central.service.policy.check.call_args[0] self.assertEqual(CentralZoneTestCase.zone__id, target['zone_id']) self.assertEqual('foo', target['zone_name']) - self.assertEqual('2', target['tenant_id']) + self.assertEqual('2', target['project_id']) def test_get_zone_servers(self): self.service.storage.get_zone.return_value = RoObject( @@ -995,6 +996,7 @@ class CentralZoneTestCase(CentralBasic): 'set_rules', 'init', 'check', + 'enforce_new_defaults', ]) self.context.abandon = True self.service.storage.count_zones.return_value = 0 @@ -1187,7 +1189,7 @@ class CentralZoneTestCase(CentralBasic): 'zone_id': CentralZoneTestCase.zone__id_2, 'zone_name': 'example.org.', 'recordset_id': CentralZoneTestCase.recordset__id, - 'tenant_id': '2'}, target) + 'project_id': '2'}, target) def test_find_recordsets(self): self.context = mock.Mock() @@ -1196,7 +1198,7 @@ class CentralZoneTestCase(CentralBasic): self.assertTrue(self.service.storage.find_recordsets.called) n, ctx, target = designate.central.service.policy.check.call_args[0] self.assertEqual('find_recordsets', n) - self.assertEqual({'tenant_id': 't'}, target) + self.assertEqual({'project_id': 't'}, target) def test_find_recordset(self): self.context = mock.Mock() @@ -1205,7 +1207,7 @@ class CentralZoneTestCase(CentralBasic): self.assertTrue(self.service.storage.find_recordset.called) n, ctx, target = designate.central.service.policy.check.call_args[0] self.assertEqual('find_recordset', n) - self.assertEqual({'tenant_id': 't'}, target) + self.assertEqual({'project_id': 't'}, target) def test_update_recordset_fail_on_changes(self): self.service.storage.get_zone.return_value = RoObject() @@ -1298,7 +1300,7 @@ class CentralZoneTestCase(CentralBasic): 'zone_name': 'example.org.', 'zone_type': 'foo', 'recordset_id': '9c85d9b0-1e9d-4e99-aede-a06664f1af2e', - 'tenant_id': '2'}, target) + 'project_id': '2'}, target) def test__update_recordset_in_storage(self): recordset = mock.Mock() @@ -1532,7 +1534,7 @@ class CentralZoneTestCase(CentralBasic): self.service.count_recordsets(self.context) n, ctx, target = designate.central.service.policy.check.call_args[0] self.assertEqual('count_recordsets', n) - self.assertEqual({'tenant_id': None}, target) + self.assertEqual({'project_id': None}, target) self.assertEqual( {}, self.service.storage.count_recordsets.call_args[0][1] @@ -1587,7 +1589,7 @@ class CentralZoneTestCase(CentralBasic): 'zone_type': 'foo', 'recordset_id': CentralZoneTestCase.recordset__id, 'recordset_name': 'rs', - 'tenant_id': '2'}, target) + 'project_id': '2'}, target) def test_create_record_worker(self): self._test_create_record() @@ -1689,7 +1691,7 @@ class CentralZoneTestCase(CentralBasic): 'record_id': CentralZoneTestCase.record__id, 'recordset_id': CentralZoneTestCase.recordset__id_2, 'recordset_name': 'foo', - 'tenant_id': 2}, target) + 'project_id': 2}, target) def test_update_record_fail_on_changes(self): self.service.storage.get_zone.return_value = RoObject( @@ -1789,7 +1791,7 @@ class CentralZoneTestCase(CentralBasic): 'record_id': 'abc12a-1e9d-4e99-aede-a06664f1af2e', 'recordset_id': 'abc12a-1e9d-4e99-aede-a06664f1af2e', 'recordset_name': 'rsn', - 'tenant_id': 'tid'}, target) + 'project_id': 'tid'}, target) def test__update_record_in_storage(self): self.service._update_zone_in_storage = mock.Mock() @@ -1893,7 +1895,7 @@ class CentralZoneTestCase(CentralBasic): 'record_id': CentralZoneTestCase.record__id_2, 'recordset_id': CentralZoneTestCase.recordset__id_2, 'recordset_name': 'rsn', - 'tenant_id': 'tid'}, target) + 'project_id': 'tid'}, target) def test_delete_record_in_storage(self): self.service._delete_record_in_storage( @@ -1911,7 +1913,7 @@ class CentralZoneTestCase(CentralBasic): self.service.count_records(self.context) t, ctx, target = designate.central.service.policy.check.call_args[0] self.assertEqual('count_records', t) - self.assertEqual({'tenant_id': None}, target) + self.assertEqual({'project_id': None}, target) def test_sync_zones(self): self.service._sync_zone = mock.Mock() @@ -1938,7 +1940,7 @@ class CentralZoneTestCase(CentralBasic): t, ctx, target = designate.central.service.policy.check.call_args[0] self.assertEqual('diagnostics_sync_zone', t) - self.assertEqual({'tenant_id': 'tid', + self.assertEqual({'project_id': 'tid', 'zone_id': CentralZoneTestCase.zone__id, 'zone_name': 'n'}, target) @@ -1965,7 +1967,7 @@ class CentralZoneTestCase(CentralBasic): 'record_id': CentralZoneTestCase.record__id, 'recordset_id': CentralZoneTestCase.recordset__id, 'recordset_name': 'n', - 'tenant_id': 'tid'}, target) + 'project_id': 'tid'}, target) def test_ping(self): self.service.storage.ping.return_value = True @@ -2118,7 +2120,7 @@ class CentralZoneExportTests(CentralBasic): n, ctx, target = designate.central.service.policy.check.call_args[0] # Check arguments to policy - self.assertEqual('t', target['tenant_id']) + self.assertEqual('t', target['project_id']) # Check output self.assertEqual(CentralZoneTestCase.zone__id, out.zone_id) diff --git a/releasenotes/notes/Support-scoped-tokens-6b7d6052a258cd11.yaml b/releasenotes/notes/Support-scoped-tokens-6b7d6052a258cd11.yaml new file mode 100644 index 000000000..3571dbb36 --- /dev/null +++ b/releasenotes/notes/Support-scoped-tokens-6b7d6052a258cd11.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Adds support for keystone default roles and scoped tokens.