From da1c94e47b5829fe14abd91bc835dbb83a984e9d Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Mon, 23 Nov 2020 22:04:16 +0000
Subject: [PATCH] Implement secure RBAC for tsigkeys

This commit updates the policies for tsigkeys to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security.

Change-Id: I8ad4e61337f00a2c7b0019a6748c2fab42a65255
---
 designate/common/policies/tsigkey.py | 67 +++++++++++++++++++++++-----
 1 file changed, 57 insertions(+), 10 deletions(-)

diff --git a/designate/common/policies/tsigkey.py b/designate/common/policies/tsigkey.py
index 6f5a7d64e..f13961253 100644
--- a/designate/common/policies/tsigkey.py
+++ b/designate/common/policies/tsigkey.py
@@ -13,36 +13,72 @@
 # under the License.
+from oslo_log import versionutils
 from oslo_policy import policy
 from designate.common.policies import base
+DEPERCATED_REASON = """
+The tsigkey API now supports system scope and default roles.
+"""
+
+deprecated_create_tsigkey = policy.DeprecatedRule(
+    name="create_tsigkey",
+    check_str=base.RULE_ADMIN
+)
+deprecated_find_tsigkeys = policy.DeprecatedRule(
+    name="find_tsigkeys",
+    check_str=base.RULE_ADMIN
+)
+deprecated_get_tsigkey = policy.DeprecatedRule(
+    name="get_tsigkey",
+    check_str=base.RULE_ADMIN
+)
+deprecated_update_tsigkey = policy.DeprecatedRule(
+    name="update_tsigkey",
+    check_str=base.RULE_ADMIN
+)
+deprecated_delete_tsigkey = policy.DeprecatedRule(
+    name="delete_tsigkey",
+    check_str=base.RULE_ADMIN
+)
+
+
 rules = [
     policy.DocumentedRuleDefault(
         name="create_tsigkey",
-        check_str=base.RULE_ADMIN,
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system'],
         description="Create Tsigkey",
         operations=[
             {
                 'path': '/v2/tsigkeys',
                 'method': 'POST'
             }
-        ]
+        ],
+        deprecated_rule=deprecated_create_tsigkey,
+        deprecated_reason=DEPERCATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
         name="find_tsigkeys",
-        check_str=base.RULE_ADMIN,
+        check_str=base.SYSTEM_READER,
+        scope_types=['system'],
         description="List Tsigkeys",
         operations=[
             {
                 'path': '/v2/tsigkeys',
                 'method': 'GET'
             }
-        ]
+        ],
+        deprecated_rule=deprecated_find_tsigkeys,
+        deprecated_reason=DEPERCATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
         name="get_tsigkey",
-        check_str=base.RULE_ADMIN,
+        check_str=base.SYSTEM_READER,
+        scope_types=['system'],
         description="Show a Tsigkey",
         operations=[
             {
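Review bot: `DEPERCATED_REASON` is misspelled; it is a new module-level name referenced by every `deprecated_reason=` line in this hunk and the next, so rename it to `DEPRECATED_REASON` now, before the pattern is copied into the other policy modules. Separately, `find_tsigkeys` and `get_tsigkey` move from `RULE_ADMIN` to `SYSTEM_READER`: if I recall the v2 tsigkey representation correctly it carries the key's `secret`, which would let a read-only system-scoped token retrieve TSIG secret material, a broader grant than "reader" usually implies, so it is worth confirming either that the API layer masks the secret for readers or that this exposure is intended. Whichever it is, record it next to the two reader rules, e.g. `# NOTE: readers may list/show tsigkeys; confirm whether the secret field is returned to them`, so the next reviewer does not have to re-derive the decision. The `rules` list opened here continues into the following hunk.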
@@ -52,29 +88,40 @@ rules = [
                 'path': '/v2/tsigkeys/{tsigkey_id}',
                 'method': 'GET'
             }
-        ]
+        ],
+        deprecated_rule=deprecated_get_tsigkey,
+        deprecated_reason=DEPERCATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
         name="update_tsigkey",
-        check_str=base.RULE_ADMIN,
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system'],
         description="Update Tsigkey",
         operations=[
             {
                 'path': '/v2/tsigkeys/{tsigkey_id}',
                 'method': 'PATCH'
             }
-        ]
+        ],
+        deprecated_rule=deprecated_update_tsigkey,
+        deprecated_reason=DEPERCATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
         name="delete_tsigkey",
-        check_str=base.RULE_ADMIN,
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system'],
         description="Delete a Tsigkey",
         operations=[
             {
                 'path': '/v2/tsigkeys/{tsigkey_id}',
                 'method': 'DELETE'
             }
-        ]
+        ],
+        deprecated_rule=deprecated_delete_tsigkey,
+        deprecated_reason=DEPERCATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     )
 ]
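Review bot: The tightened checks on `update_tsigkey` and `delete_tsigkey` (`SYSTEM_ADMIN` with `scope_types=['system']`) are not effective on their own: as far as I recall oslo.policy's deprecation handling, while a `deprecated_rule` is attached the old `RULE_ADMIN` check keeps being accepted alongside the new one until the deployment sets `[oslo_policy] enforce_new_defaults = True`, and `scope_types` is only enforced when `enforce_scope = True`. Nothing in the patch records that, so an operator reading this file could believe project-scoped admins have already lost write access to TSIG keys. A short comment at the top of `rules` (the list starts in the previous hunk), e.g. `# deprecated_rule keeps RULE_ADMIN accepted until enforce_new_defaults is on; scope_types only applies with enforce_scope`, would make the transition state explicit.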