Merge "More cleanup for the RBAC new default"

This commit is contained in:
Zuul 2025-02-11 03:07:54 +00:00 committed by Gerrit Code Review
commit fba08a7912
7 changed files with 217 additions and 393 deletions


@ -62,7 +62,7 @@
nslookup_target: 'opendev.org'
- job:
name: designate-bind9-keystone-default-roles
name: designate-bind9-keystone-old-default-roles
post-run: playbooks/designate-bind9/post.yaml
parent: designate-base
# TODO(gmann): As per the 2025.1 testing runtime, we
@ -74,11 +74,14 @@
post-config:
$DESIGNATE_CONF:
oslo_policy:
enforce_new_defaults: True
enforce_new_defaults: False
enforce_scope: False
test-config:
"$TEMPEST_CONFIG":
dns_feature_enabled:
enforce_new_defaults: True
enforce_new_defaults: False
enforce_scope:
designate: False
- job:
name: designate-bind9-centos-9-stream
@ -219,7 +222,7 @@
voting: false
- designate-bind9-centos-9-stream:
voting: false
- designate-bind9-keystone-default-roles
- designate-bind9-keystone-old-default-roles
- designate-pdns4
- designate-grenade-bind9
- designate-grenade-pdns4
@ -231,7 +234,7 @@
fail-fast: true
jobs:
- designate-bind9
- designate-bind9-keystone-default-roles
- designate-bind9-keystone-old-default-roles
- designate-pdns4
- designate-grenade-pdns4
- designate-grenade-pdns4-skip-level


@ -31,10 +31,8 @@ class ZoneExportController(rest.RestController):
@utils.validate_uuid('export_id')
def get_all(self, export_id):
context = pecan.request.environ['context']
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('zone_export', context, target)
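Review bot: The new target at L63-L64 carries the same project id under two keys, `constants.RBAC_PROJECT_ID` and the legacy `'tenant_id'`, with nothing saying why the second key survives a change titled as RBAC cleanup; it appears to be kept so that deployment policy files still written against `%(tenant_id)s` keep matching, but the commit message does not say so. A one-line comment above the literal would stop the next cleanup from dropping it by accident, e.g. `# 'tenant_id' duplicates the project id for policy files that still reference %(tenant_id)s; remove once none do.` The same unexplained pair appears in every hunk of the central service section (L69-L761) and in the adapter section (L765-L777), so the comment is best placed once where the pair is first built or on a shared helper. `get_all` continues past the end of this hunk.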


@ -524,11 +524,9 @@ class Service(service.RPCService):
# Quota Methods
@rpc.expected_exceptions()
def get_quotas(self, context, tenant_id):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: tenant_id,
'all_tenants': context.all_tenants}
else:
target = {'tenant_id': tenant_id}
target = {constants.RBAC_PROJECT_ID: tenant_id,
'tenant_id': tenant_id,
'all_tenants': context.all_tenants}
policy.check('get_quotas', context, target)
# NOTE(tkajinam): get_quotas now requires project scope so we assume
# the context should contain project_id
@ -540,18 +538,12 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
@transaction
def set_quota(self, context, tenant_id, resource, hard_limit):
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: tenant_id,
'resource': resource,
'hard_limit': hard_limit,
}
else:
target = {
'tenant_id': tenant_id,
'resource': resource,
'hard_limit': hard_limit,
}
target = {
constants.RBAC_PROJECT_ID: tenant_id,
'tenant_id': tenant_id,
'resource': resource,
'hard_limit': hard_limit,
}
policy.check('set_quota', context, target)
# NOTE(tkajinam): set_quota now requires project scope so we assume
@ -563,10 +555,8 @@ class Service(service.RPCService):
@transaction
def reset_quotas(self, context, tenant_id):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: tenant_id}
else:
target = {'tenant_id': tenant_id}
target = {constants.RBAC_PROJECT_ID: tenant_id,
'tenant_id': tenant_id}
policy.check('reset_quotas', context, target)
self.quota.reset_quotas(context, tenant_id)
@ -682,10 +672,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
def get_tenant(self, context, tenant_id):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: tenant_id}
else:
target = {'tenant_id': tenant_id}
target = {constants.RBAC_PROJECT_ID: tenant_id,
'tenant_id': tenant_id}
policy.check('get_tenant', context, target)
@ -740,16 +728,11 @@ class Service(service.RPCService):
# Default to creating in the current users tenant
zone.tenant_id = zone.tenant_id or context.project_id
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: zone.tenant_id,
'zone_name': zone.name
}
else:
target = {
'tenant_id': zone.tenant_id,
'zone_name': zone.name
}
target = {
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id,
'zone_name': zone.name
}
policy.check('create_zone', context, target)
@ -882,21 +865,13 @@ class Service(service.RPCService):
# TODO(johnsom) This should account for all-projects context
# it passes today due to ADMIN
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_shared': zone_shared,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_shared': zone_shared,
'tenant_id': zone.tenant_id
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_shared': zone_shared,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id
}
policy.check('get_zone', context, target)
return zone
@ -909,18 +884,12 @@ class Service(service.RPCService):
else:
zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'tenant_id': zone.tenant_id
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id
}
pool_id = zone.pool_id
policy.check('get_zone_ns_records', context, target)
@ -938,10 +907,8 @@ class Service(service.RPCService):
sort_key=None, sort_dir=None):
"""List existing zones including the ones flagged for deletion.
"""
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_zones', context, target)
@ -962,19 +929,13 @@ class Service(service.RPCService):
:returns: updated zone
"""
if policy.enforce_new_defaults():
target = {
'zone_id': zone.obj_get_original_value('id'),
'zone_name': zone.obj_get_original_value('name'),
constants.RBAC_PROJECT_ID: (
zone.obj_get_original_value('tenant_id')),
}
else:
target = {
'zone_id': zone.obj_get_original_value('id'),
'zone_name': zone.obj_get_original_value('name'),
'tenant_id': zone.obj_get_original_value('tenant_id'),
}
target = {
'zone_id': zone.obj_get_original_value('id'),
'zone_name': zone.obj_get_original_value('name'),
constants.RBAC_PROJECT_ID: (
zone.obj_get_original_value('tenant_id')),
'tenant_id': zone.obj_get_original_value('tenant_id')
}
policy.check('update_zone', context, target)
self._enforce_catalog_zone_policy(context, zone)
@ -1042,18 +1003,12 @@ class Service(service.RPCService):
self._enforce_catalog_zone_policy(context, zone)
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'tenant_id': zone.tenant_id
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id
}
if hasattr(context, 'abandon') and context.abandon:
policy.check('abandon_zone', context, target)
@ -1127,18 +1082,12 @@ class Service(service.RPCService):
def xfr_zone(self, context, zone_id):
zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'tenant_id': zone.tenant_id
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id
}
policy.check('xfr_zone', context, target)
@ -1163,14 +1112,10 @@ class Service(service.RPCService):
if criterion is None:
criterion = {}
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
}
else:
target = {
'tenant_id': criterion.get('tenant_id', None)
}
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
'tenant_id': criterion.get('tenant_id', None)
}
policy.check('count_zones', context, target)
@ -1214,10 +1159,8 @@ class Service(service.RPCService):
# Ensure that zone exists and get the zone owner
zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone.tenant_id}
else:
target = {'tenant_id': zone.tenant_id}
target = {constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id}
policy.check('share_zone', context, target)
@ -1242,10 +1185,8 @@ class Service(service.RPCService):
# Ensure the share exists and get the share owner
shared_zone = self.get_shared_zone(context, zone_id, zone_share_id)
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: shared_zone.project_id}
else:
target = {'tenant_id': shared_zone.project_id}
target = {constants.RBAC_PROJECT_ID: shared_zone.project_id,
'tenant_id': shared_zone.project_id}
policy.check('unshare_zone', context, target)
@ -1293,12 +1234,10 @@ class Service(service.RPCService):
if not context.all_tenants and criterion:
# Check that they are asking for another projects shares
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: criterion.get(
'target_project_id', context.project_id)}
else:
target = {'tenant_id': criterion.get('target_project_id',
context.project_id)}
target = {constants.RBAC_PROJECT_ID: criterion.get(
'target_project_id', context.project_id),
'tenant_id': criterion.get(
'target_project_id', context.project_id)}
policy.check('find_project_zone_share', context, target)
@ -1314,10 +1253,8 @@ class Service(service.RPCService):
zone_share = self.storage.get_shared_zone(
context, zone_id, zone_share_id)
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone_share.project_id}
else:
target = {'tenant_id': zone_share.project_id}
target = {constants.RBAC_PROJECT_ID: zone_share.project_id,
'tenant_id': zone_share.project_id}
policy.check('get_zone_share', context, target)
@ -1353,16 +1290,11 @@ class Service(service.RPCService):
:returns: moved zone
"""
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
constants.RBAC_PROJECT_ID: context.project_id,
}
else:
target = {
'zone_id': zone_id,
'tenant_id': context.project_id,
}
target = {
'zone_id': zone_id,
constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id,
}
policy.check('pool_move_zone', context, target)
@ -1438,24 +1370,15 @@ class Service(service.RPCService):
if zone.action == 'DELETE':
raise exceptions.BadRequest('Can not update a deleting zone')
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'zone_shared': zone_shared,
'recordset_name': recordset.name,
constants.RBAC_PROJECT_ID: zone.tenant_id,
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'zone_shared': zone_shared,
'recordset_name': recordset.name,
'tenant_id': zone.tenant_id,
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'zone_shared': zone_shared,
'recordset_name': recordset.name,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id
}
policy.check('create_recordset', context, target)
@ -1554,22 +1477,14 @@ class Service(service.RPCService):
zone_shared = self._check_zone_share_permission(context, zone)
# TODO(johnsom) This should account for all_projects
if policy.enforce_new_defaults():
target = {
'zone_id': zone.id,
'zone_name': zone.name,
'zone_shared': zone_shared,
'recordset_id': recordset.id,
constants.RBAC_PROJECT_ID: zone.tenant_id,
}
else:
target = {
'zone_id': zone.id,
'zone_name': zone.name,
'zone_shared': zone_shared,
'recordset_id': recordset.id,
'tenant_id': zone.tenant_id,
}
target = {
'zone_id': zone.id,
'zone_name': zone.name,
'zone_shared': zone_shared,
'recordset_id': recordset.id,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id
}
policy.check('get_recordset', context, target)
@ -1595,10 +1510,8 @@ class Service(service.RPCService):
zone_shared = self._check_zone_share_permission(context, zone)
# TODO(johnsom) Fix this to be useful
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_recordsets', context, target)
@ -1616,10 +1529,8 @@ class Service(service.RPCService):
def find_recordset(self, context, criterion=None):
# TODO(johnsom) Fix this to be useful
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_recordset', context, target)
recordset = self.storage.find_recordset(context, criterion)
@ -1686,28 +1597,17 @@ class Service(service.RPCService):
# TODO(johnsom) This should account for all-projects context
# it passes today due to ADMIN
if policy.enforce_new_defaults():
target = {
'recordset_id': recordset.obj_get_original_value('id'),
'recordset_project_id': recordset.obj_get_original_value(
'tenant_id'),
'zone_id': recordset.obj_get_original_value('zone_id'),
'zone_name': zone.name,
'zone_shared': zone_shared,
'zone_type': zone.type,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'recordset_id': recordset.obj_get_original_value('id'),
'recordset_project_id': recordset.obj_get_original_value(
'tenant_id'),
'zone_id': recordset.obj_get_original_value('zone_id'),
'zone_name': zone.name,
'zone_shared': zone_shared,
'zone_type': zone.type,
'tenant_id': zone.tenant_id
}
target = {
'recordset_id': recordset.obj_get_original_value('id'),
'recordset_project_id': recordset.obj_get_original_value(
'tenant_id'),
'zone_id': recordset.obj_get_original_value('zone_id'),
'zone_name': zone.name,
'zone_shared': zone_shared,
'zone_type': zone.type,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id
}
policy.check('update_recordset', context, target)
@ -1782,24 +1682,15 @@ class Service(service.RPCService):
raise exceptions.BadRequest('Can not update a deleting zone')
# TODO(johnsom) should handle all_projects
if policy.enforce_new_defaults():
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'recordset_id': recordset.id,
'recordset_project_id': recordset.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id
}
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'recordset_id': recordset.id,
'recordset_project_id': recordset.tenant_id,
'tenant_id': zone.tenant_id
}
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'recordset_id': recordset.id,
'recordset_project_id': recordset.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id
}
policy.check('delete_recordset', context, target)
@ -1849,12 +1740,10 @@ class Service(service.RPCService):
if criterion is None:
criterion = {}
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
}
else:
target = {'tenant_id': criterion.get('tenant_id', None)}
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
'tenant_id': criterion.get('tenant_id', None)
}
policy.check('count_recordsets', context, target)
@ -1864,10 +1753,8 @@ class Service(service.RPCService):
def find_records(self, context, criterion=None, marker=None, limit=None,
sort_key=None, sort_dir=None):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_records', context, target)
return self.storage.find_records(context, criterion, marker, limit,
@ -1878,12 +1765,10 @@ class Service(service.RPCService):
if criterion is None:
criterion = {}
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None)
}
else:
target = {'tenant_id': criterion.get('tenant_id', None)}
target = {
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
'tenant_id': criterion.get('tenant_id', None)
}
policy.check('count_records', context, target)
return self.storage.count_records(context, criterion)
@ -2610,10 +2495,8 @@ class Service(service.RPCService):
if zone.action == 'DELETE':
raise exceptions.BadRequest('Can not transfer a deleting zone')
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone.tenant_id}
else:
target = {'tenant_id': zone.tenant_id}
target = {constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id}
policy.check('create_zone_transfer_request', context, target)
@ -2640,17 +2523,13 @@ class Service(service.RPCService):
elevated_context, zone_transfer_request_id)
LOG.info('Target Tenant ID found - using scoped policy')
if policy.enforce_new_defaults():
target = {
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
target_tenant_id),
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
}
else:
target = {
'target_tenant_id': zone_transfer_request.target_tenant_id,
'tenant_id': zone_transfer_request.tenant_id,
}
target = {
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
target_tenant_id),
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
'target_tenant_id': zone_transfer_request.target_tenant_id,
'tenant_id': zone_transfer_request.tenant_id,
}
policy.check('get_zone_transfer_request', context, target)
@ -2677,14 +2556,10 @@ class Service(service.RPCService):
if 'zone_id' in zone_transfer_request.obj_what_changed():
raise exceptions.InvalidOperation('Zone cannot be changed')
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
}
else:
target = {
'tenant_id': zone_transfer_request.tenant_id,
}
target = {
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
'tenant_id': zone_transfer_request.tenant_id,
}
policy.check('update_zone_transfer_request', context, target)
request = self.storage.update_zone_transfer_request(
context, zone_transfer_request)
@ -2699,12 +2574,9 @@ class Service(service.RPCService):
zone_transfer_request = self.storage.get_zone_transfer_request(
context, zone_transfer_request_id)
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id
}
else:
target = {'tenant_id': zone_transfer_request.tenant_id}
target = {
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
'tenant_id': zone_transfer_request.tenant_id}
policy.check('delete_zone_transfer_request', context, target)
return self.storage.delete_zone_transfer_request(
@ -2732,15 +2604,11 @@ class Service(service.RPCService):
raise exceptions.IncorrectZoneTransferKey(
'Key does not match stored key for request')
if policy.enforce_new_defaults():
target = {
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
target_tenant_id)
}
else:
target = {
'target_tenant_id': zone_transfer_request.target_tenant_id
}
target = {
constants.RBAC_TARGET_PROJECT_ID: (
zone_transfer_request.target_tenant_id),
'target_tenant_id': zone_transfer_request.target_tenant_id
}
policy.check('create_zone_transfer_accept', context, target)
@ -2791,14 +2659,10 @@ class Service(service.RPCService):
zone_transfer_accept = self.storage.get_zone_transfer_accept(
context, zone_transfer_accept_id)
if policy.enforce_new_defaults():
target = {
constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id
}
else:
target = {
'tenant_id': zone_transfer_accept.tenant_id
}
target = {
constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id,
'tenant_id': zone_transfer_accept.tenant_id
}
policy.check('get_zone_transfer_accept', context, target)
@ -2816,10 +2680,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
@notification.notify_type('dns.zone_import.create')
def create_zone_import(self, context, request_body):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('create_zone_import', context, target)
@ -2911,10 +2773,8 @@ class Service(service.RPCService):
@notification.notify_type('dns.zone_import.update')
def update_zone_import(self, context, zone_import):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone_import.tenant_id}
else:
target = {'tenant_id': zone_import.tenant_id}
target = {constants.RBAC_PROJECT_ID: zone_import.tenant_id,
'tenant_id': zone_import.tenant_id}
policy.check('update_zone_import', context, target)
return self.storage.update_zone_import(context, zone_import)
@ -2923,10 +2783,8 @@ class Service(service.RPCService):
def find_zone_imports(self, context, criterion=None, marker=None,
limit=None, sort_key=None, sort_dir=None):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_zone_imports', context, target)
@ -2943,10 +2801,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
def get_zone_import(self, context, zone_import_id):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('get_zone_import', context, target)
return self.storage.get_zone_import(context, zone_import_id)
@ -2956,16 +2812,11 @@ class Service(service.RPCService):
@transaction
def delete_zone_import(self, context, zone_import_id):
if policy.enforce_new_defaults():
target = {
'zone_import_id': zone_import_id,
constants.RBAC_PROJECT_ID: context.project_id
}
else:
target = {
target = {
'zone_import_id': zone_import_id,
constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id
}
}
policy.check('delete_zone_import', context, target)
@ -2980,10 +2831,8 @@ class Service(service.RPCService):
# Try getting the zone to ensure it exists
zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone.tenant_id}
else:
target = {'tenant_id': zone.tenant_id}
target = {constants.RBAC_PROJECT_ID: zone.tenant_id,
'tenant_id': zone.tenant_id}
policy.check('create_zone_export', context, target)
@ -3010,10 +2859,8 @@ class Service(service.RPCService):
def find_zone_exports(self, context, criterion=None, marker=None,
limit=None, sort_key=None, sort_dir=None):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('find_zone_exports', context, target)
if not criterion:
@ -3029,10 +2876,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions()
def get_zone_export(self, context, zone_export_id):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: context.project_id}
else:
target = {'tenant_id': context.project_id}
target = {constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id}
policy.check('get_zone_export', context, target)
@ -3042,10 +2887,8 @@ class Service(service.RPCService):
@notification.notify_type('dns.zone_export.update')
def update_zone_export(self, context, zone_export):
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: zone_export.tenant_id}
else:
target = {'tenant_id': zone_export.tenant_id}
target = {constants.RBAC_PROJECT_ID: zone_export.tenant_id,
'tenant_id': zone_export.tenant_id}
policy.check('update_zone_export', context, target)
@ -3056,16 +2899,11 @@ class Service(service.RPCService):
@transaction
def delete_zone_export(self, context, zone_export_id):
if policy.enforce_new_defaults():
target = {
'zone_export_id': zone_export_id,
constants.RBAC_PROJECT_ID: context.project_id
}
else:
target = {
'zone_export_id': zone_export_id,
'tenant_id': context.project_id
}
target = {
'zone_export_id': zone_export_id,
constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id
}
policy.check('delete_zone_export', context, target)
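Review bot: Every rewritten target literal in this section hand-writes the same pair `constants.RBAC_PROJECT_ID: <id>, 'tenant_id': <id>` (first at L78-L80 in `get_quotas`, last at L756-L760 in `delete_zone_export`, roughly forty places), which is the kind of repetition a small helper removes and which would make the eventual retirement of the legacy key a one-line change instead of another forty-hunk commit. The helper below keeps the dict contents identical, so the updated assertions in the test section pass unchanged; `get_zone_transfer_request` (L568-L574) and `create_zone_transfer_accept` (L620-L624) would pass their `RBAC_TARGET_PROJECT_ID`/`'target_tenant_id'` pair through the extra keys, and `get_quotas` its `'all_tenants'`. All of these methods belong to `Service`, whose definition and most method bodies lie outside the hunks, so where the helper lives (I assume module level in the central service module) should follow the file's conventions.
```python
def _policy_target(project_id, **extra):
    """Build a policy target carrying the owning project under both the new
    RBAC key and the legacy 'tenant_id' key (kept for policy files that still
    reference it); any extra keys are merged in unchanged."""
    target = {constants.RBAC_PROJECT_ID: project_id, 'tenant_id': project_id}
    target.update(extra)
    return target

# … unchanged: Service class and the body of reset_quotas up to the target …
        target = _policy_target(tenant_id)
        policy.check('reset_quotas', context, target)
```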


@ -64,10 +64,8 @@ class ZoneTransferRequestAPIv2Adapter(base.APIv2Adapter):
obj, *args, **kwargs
)
try:
if policy.enforce_new_defaults():
target = {constants.RBAC_PROJECT_ID: obj.tenant_id}
else:
target = {'tenant_id': obj.tenant_id}
target = {constants.RBAC_PROJECT_ID: obj.tenant_id,
'tenant_id': obj.tenant_id}
policy.check(
'get_zone_transfer_request_detailed', kwargs['context'], target
)


@ -66,10 +66,7 @@ def init(default_rule=None, policy_file=None):
def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden):
if enforce_new_defaults():
creds = ctxt.to_policy_values()
else:
creds = ctxt.to_dict()
creds = ctxt.to_policy_values()
target = target or {}
try:
result = _ENFORCER.enforce(rule, target, creds, do_raise, exc)
@ -95,12 +92,6 @@ def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden):
{'rule': rule, 'target': repr(target)}, extra=extra)
def enforce_new_defaults():
if CONF.get('oslo_policy'):
return CONF['oslo_policy'].get('enforce_new_defaults', False)
return False
def get_enforcer():
# This method is used by oslopolicy CLI scripts in order to generate policy
# files from overrides on disk and defaults in code.
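Review bot: `check` now builds the enforcer credentials from `ctxt.to_policy_values()` unconditionally (L787) while the rest of this change keeps a legacy `'tenant_id'` key in every target for the benefit of old policy files, yet nothing here states which credential keys those files can still match on; if the key set returned by `to_policy_values()` differs from the former `ctxt.to_dict()`, a rule naming a key that is no longer present would simply evaluate false rather than fail loudly, which is the harder kind of regression to notice. A comment on L787 such as `# Credentials always come from to_policy_values(); legacy rules must use only the keys it exposes.` would record the contract, and the removal of `enforce_new_defaults()` in the second hunk (L793-L796) is a module-API removal, so any caller outside the files in this change that still references `policy.enforce_new_defaults` would fail at call time with AttributeError — worth confirming none remain. The body of `check` continues past the end of the first hunk.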


@ -149,8 +149,6 @@ class CentralBasic(designate.tests.functional.TestCase):
policy, 'set_rules', return_value=mock.Mock()).start()
mock.patch.object(
policy, 'init', return_value=mock.Mock()).start()
mock.patch.object(
policy, 'enforce_new_defaults', return_value=mock.Mock()).start()
self.mock_policy_check = mock.patch.object(
policy, 'check', return_value=mock.Mock()).start()
self.mock_get_quota = mock.patch.object(
@ -789,7 +787,8 @@ class CentralZoneTestCase(CentralBasic):
'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'foo',
'zone_shared': False,
'project_id': '2'
'project_id': '2',
'tenant_id': '2'
}
)
@ -815,7 +814,7 @@ class CentralZoneTestCase(CentralBasic):
self.assertTrue(self.service.storage.find_zones.called)
self.mock_policy_check.assert_called_with(
'find_zones', mock.ANY, {'project_id': 't'}
'find_zones', mock.ANY, {'project_id': 't', 'tenant_id': 't'}
)
def test_delete_zone_has_subzone(self):
@ -838,7 +837,8 @@ class CentralZoneTestCase(CentralBasic):
'delete_zone', mock.ANY, {
'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'foo',
'project_id': '2'
'project_id': '2',
'tenant_id': '2'
}
)
@ -864,7 +864,8 @@ class CentralZoneTestCase(CentralBasic):
'abandon_zone', mock.ANY, {
'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'foo',
'project_id': '2'
'project_id': '2',
'tenant_id': '2'
}
)
@ -900,7 +901,8 @@ class CentralZoneTestCase(CentralBasic):
'delete_zone', mock.ANY, {
'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'foo',
'project_id': '2'
'project_id': '2',
'tenant_id': '2'
}
)
@ -937,7 +939,8 @@ class CentralZoneTestCase(CentralBasic):
'delete_zone', mock.ANY, {
'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'foo',
'project_id': '2'
'project_id': '2',
'tenant_id': '2'
}
)
@ -973,7 +976,8 @@ class CentralZoneTestCase(CentralBasic):
'xfr_zone', mock.ANY, {
'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'example.org.',
'project_id': '2'
'project_id': '2',
'tenant_id': '2'
}
)
@ -1086,7 +1090,8 @@ class CentralZoneTestCase(CentralBasic):
'zone_name': 'example.org.',
'zone_shared': False,
'recordset_id': CentralZoneTestCase.recordset_id,
'project_id': '2'
'project_id': '2',
'tenant_id': '2'
}
)
@ -1118,7 +1123,8 @@ class CentralZoneTestCase(CentralBasic):
'zone_name': 'example.org.',
'zone_shared': False,
'recordset_id': CentralZoneTestCase.recordset_id,
'project_id': '2'
'project_id': '2',
'tenant_id': '2'
}
)
@ -1129,7 +1135,7 @@ class CentralZoneTestCase(CentralBasic):
self.assertTrue(self.service.storage.find_recordsets.called)
self.mock_policy_check.assert_called_with(
'find_recordsets', mock.ANY, {'project_id': 't'}
'find_recordsets', mock.ANY, {'project_id': 't', 'tenant_id': 't'}
)
def test_find_recordset(self):
@ -1139,7 +1145,7 @@ class CentralZoneTestCase(CentralBasic):
self.service.find_recordset(self.context)
self.assertTrue(self.service.storage.find_recordset.called)
self.mock_policy_check.assert_called_with(
'find_recordset', mock.ANY, {'project_id': 't'}
'find_recordset', mock.ANY, {'project_id': 't', 'tenant_id': 't'}
)
def test_update_recordset_fail_on_changes(self):
@ -1237,7 +1243,8 @@ class CentralZoneTestCase(CentralBasic):
'zone_name': 'example.org.',
'zone_shared': self.zone_shared,
'zone_type': 'foo',
'project_id': '2'
'project_id': '2',
'tenant_id': '2'
}
)
@ -1474,13 +1481,14 @@ class CentralZoneTestCase(CentralBasic):
def test_count_recordset(self):
self.service.count_recordsets(self.context)
self.mock_policy_check.assert_called_with(
'count_recordsets', mock.ANY, {'project_id': None}
'count_recordsets', mock.ANY, {
'project_id': None, 'tenant_id': None}
)
def test_count_records(self):
self.service.count_records(self.context)
self.mock_policy_check.assert_called_with(
'count_records', mock.ANY, {'project_id': None}
'count_records', mock.ANY, {'project_id': None, 'tenant_id': None}
)
def test_determine_floatingips(self):
@ -1620,7 +1628,7 @@ class CentralZoneExportTests(CentralBasic):
CentralZoneTestCase.zone_export_id)
self.mock_policy_check.assert_called_with(
'get_zone_export', mock.ANY, {'project_id': 't'}
'get_zone_export', mock.ANY, {'project_id': 't', 'tenant_id': 't'}
)
# Check output
@ -1640,7 +1648,8 @@ class CentralZoneExportTests(CentralBasic):
self.assertTrue(self.service.storage.find_zone_exports.called)
self.mock_policy_check.assert_called_with(
'find_zone_exports', mock.ANY, {'project_id': 't'}
'find_zone_exports', mock.ANY, {
'project_id': 't', 'tenant_id': 't'}
)
def test_find_zone_exports_with_custom_criterion(self):
@ -1655,7 +1664,8 @@ class CentralZoneExportTests(CentralBasic):
self.assertTrue(self.service.storage.find_zone_exports.called)
self.mock_policy_check.assert_called_with(
'find_zone_exports', mock.ANY, {'project_id': 't'}
'find_zone_exports', mock.ANY, {
'project_id': 't', 'tenant_id': 't'}
)
def test_delete_zone_export(self):
@ -1688,7 +1698,7 @@ class CentralZoneExportTests(CentralBasic):
self.mock_policy_check.assert_called_with(
'delete_zone_export', mock.ANY, {
'zone_export_id': 'e887597f-9697-47dd-a202-7a2711f8669c',
'project_id': 't'
'project_id': 't', 'tenant_id': 't'
}
)
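Review bot: Because `policy.check` is replaced by a Mock at L809-L810, none of the updated assertions in this section exercise the new unconditional `ctxt.to_policy_values()` path in `check` (policy section), so the branch removal there lands without a test pinning which credentials reach the enforcer; a unit test on `policy.check` itself that passes a context and asserts the enforcer is called with `ctxt.to_policy_values()` would close that gap, unless such a test exists in a file I cannot see here. The updated expectations at L920-L921 and L926-L927 also pin `'project_id': None, 'tenant_id': None` for unfiltered counts, which quietly documents pre-existing behaviour — an unfiltered count carries no project in its target — and deserves a line such as `# unfiltered count: the policy target names no project` so a later reader does not take the None for a bug. The `test_count_*` methods and the setUp hunk belong to classes whose definitions lie outside the hunks.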


@ -43,8 +43,7 @@ handled by Designate. Those two settings are `enforce_scope
When you enable `Keystone Default Roles`_ and `Keystone Scoped Tokens`_ the
Designate policy honors the following roles:
* System scoped - Admin
* System scoped - Reader
* Admin
* Project scoped - Reader
* Project scoped - Member
@ -63,9 +62,8 @@ configuration file::
[oslo_policy]
enforce_scope = True
The primary effect of this setting is to allow a system scoped admin token when
performing administrative API calls to the Designate API. The Designate API
already enforces the project scoping in Keystone tokens.
The primary effect of this setting is to allow only project scoped calls
to the Designate API. The system scope token will return 403.
[oslo_policy] enforce_new_defaults
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -82,18 +80,6 @@ policies by adding the following setting to your Designate configuration file::
[oslo_policy]
enforce_new_defaults = True
Example OpenStack Client Command
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After you have enabled enforce_new_defaults and enforce_scope, administrative
commands require a system scoped admin token. An example `OpenStack Client <https://docs.openstack.org/python-designateclient/latest/cli/index.html>`_ command
to create a `Top Level Domain (TLD) <https://docs.openstack.org/designate/latest/admin/tlds.html>`_ would look like:
.. code-block:: bash
openstack --os-system-scope all --os-auth-url <identity endpoint URL> --os-password <admin password> --os-username admin --os-user-domain-name default create tld --name example.org
Oslo Tools For Policy Management
--------------------------------