Implement secure RBAC for tenant policies
This commit updates the tenant policies to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. I'm not entirely sure I understand these policies. It'll be good to work through these policy changes with someone more familiar with desginate and why these policies exist. Change-Id: I9b6bce0c43720f61cdebfa416d953e5a2b920e87
This commit is contained in:
parent
d9360b35fe
commit
e477cf33b4
|
@ -13,26 +13,56 @@
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
from oslo_log import versionutils
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
from designate.common.policies import base
|
from designate.common.policies import base
|
||||||
|
|
||||||
|
DEPRECATED_REASON = """
|
||||||
|
The tenant API now supports system scope and default roles.
|
||||||
|
"""
|
||||||
|
|
||||||
|
deprecated_find_tenants = policy.DeprecatedRule(
|
||||||
|
name="find_tenants",
|
||||||
|
check_str=base.RULE_ADMIN
|
||||||
|
)
|
||||||
|
deprecated_get_tenant = policy.DeprecatedRule(
|
||||||
|
name="get_tenant",
|
||||||
|
check_str=base.RULE_ADMIN
|
||||||
|
)
|
||||||
|
deprecated_count_tenants = policy.DeprecatedRule(
|
||||||
|
name="count_tenants",
|
||||||
|
check_str=base.RULE_ADMIN
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
rules = [
|
rules = [
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
name="find_tenants",
|
name="find_tenants",
|
||||||
check_str=base.RULE_ADMIN,
|
check_str=base.SYSTEM_READER,
|
||||||
description="Find all Tenants."
|
scope_types=['system'],
|
||||||
|
description="Find all Tenants.",
|
||||||
|
deprecated_rule=deprecated_find_tenants,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
),
|
),
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
name="get_tenant",
|
name="get_tenant",
|
||||||
check_str=base.RULE_ADMIN,
|
check_str=base.SYSTEM_READER,
|
||||||
description="Get all Tenants."
|
scope_types=['system'],
|
||||||
|
description="Get all Tenants.",
|
||||||
|
deprecated_rule=deprecated_get_tenant,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
),
|
),
|
||||||
policy.RuleDefault(
|
policy.RuleDefault(
|
||||||
name="count_tenants",
|
name="count_tenants",
|
||||||
check_str=base.RULE_ADMIN,
|
check_str=base.SYSTEM_READER,
|
||||||
description="Count tenants"
|
scope_types=['system'],
|
||||||
|
description="Count tenants",
|
||||||
|
deprecated_rule=deprecated_count_tenants,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
)
|
)
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue