Implement secure RBAC for service status

This commit updates the policies for service status to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. Change-Id: I11c3d7ec8dc871338db7fcd3746e56516683ecd1
2020-11-23 21:42:16 +00:00 · 2020-11-23 21:42:16 +00:00 · d9360b35fe
parent 5402e40319
commit d9360b35fe
1 changed files with 38 additions and 6 deletions
--- a/designate/common/policies/service_status.py
+++ b/designate/common/policies/service_status.py
@ -13,36 +13,68 @@
 #    under the License.


+from oslo_log import versionutils
 from oslo_policy import policy

 from designate.common.policies import base

+DEPRECATED_REASON = """
+The service status API now supports system scope and default roles.
+"""
+
+deprecated_find_service_status = policy.DeprecatedRule(
+    name="find_service_status",
+    check_str=base.RULE_ADMIN
+)
+deprecated_find_service_statuses = policy.DeprecatedRule(
+    name="find_service_statuses",
+    check_str=base.RULE_ADMIN
+)
+deprecated_update_service_status = policy.DeprecatedRule(
+    "update_service_status",
+    base.RULE_ADMIN
+)
+
+
 rules = [
    policy.DocumentedRuleDefault(
        name="find_service_status",
-        check_str=base.RULE_ADMIN,
+        check_str=base.SYSTEM_READER,
+        scope_types=['system'],
        description="Find a single Service Status",
        operations=[
            {
                'path': '/v2/service_status/{service_id}',
                'method': 'GET'
            }
-        ]
+        ],
+        deprecated_rule=deprecated_find_service_status,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
    ),
    policy.DocumentedRuleDefault(
        name="find_service_statuses",
-        check_str=base.RULE_ADMIN,
+        check_str=base.SYSTEM_READER,
+        scope_types=['system'],
        description="List service statuses.",
        operations=[
            {
                'path': '/v2/service_status',
                'method': 'GET'
            }
-        ]
+        ],
+        deprecated_rule=deprecated_find_service_statuses,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
    ),
    policy.RuleDefault(
-        "update_service_status",
-        base.RULE_ADMIN)
+        name="update_service_status",
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system'],
+        deprecated_rule=deprecated_update_service_status,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
+    )
 ]