Implement secure RBAC for service status
This commit updates the policies for service status to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. Change-Id: I11c3d7ec8dc871338db7fcd3746e56516683ecd1
This commit is contained in:
parent
5402e40319
commit
d9360b35fe
|
@ -13,36 +13,68 @@
|
|||
# under the License.
|
||||
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from designate.common.policies import base
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
The service status API now supports system scope and default roles.
|
||||
"""
|
||||
|
||||
deprecated_find_service_status = policy.DeprecatedRule(
|
||||
name="find_service_status",
|
||||
check_str=base.RULE_ADMIN
|
||||
)
|
||||
deprecated_find_service_statuses = policy.DeprecatedRule(
|
||||
name="find_service_statuses",
|
||||
check_str=base.RULE_ADMIN
|
||||
)
|
||||
deprecated_update_service_status = policy.DeprecatedRule(
|
||||
"update_service_status",
|
||||
base.RULE_ADMIN
|
||||
)
|
||||
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name="find_service_status",
|
||||
check_str=base.RULE_ADMIN,
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description="Find a single Service Status",
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/service_status/{service_id}',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_find_service_status,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name="find_service_statuses",
|
||||
check_str=base.RULE_ADMIN,
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description="List service statuses.",
|
||||
operations=[
|
||||
{
|
||||
'path': '/v2/service_status',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_find_service_statuses,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.RuleDefault(
|
||||
"update_service_status",
|
||||
base.RULE_ADMIN)
|
||||
name="update_service_status",
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
deprecated_rule=deprecated_update_service_status,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
]
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue