Merge "More cleanup for the RBAC new default"

This commit is contained in:
Zuul
2025-02-11 03:07:54 +00:00
committed by Gerrit Code Review
7 changed files with 217 additions and 393 deletions


@@ -62,7 +62,7 @@
nslookup_target: 'opendev.org' nslookup_target: 'opendev.org'
- job: - job:
name: designate-bind9-keystone-default-roles name: designate-bind9-keystone-old-default-roles
post-run: playbooks/designate-bind9/post.yaml post-run: playbooks/designate-bind9/post.yaml
parent: designate-base parent: designate-base
# TODO(gmann): As per the 2025.1 testing runtime, we # TODO(gmann): As per the 2025.1 testing runtime, we
@@ -74,11 +74,14 @@
post-config: post-config:
$DESIGNATE_CONF: $DESIGNATE_CONF:
oslo_policy: oslo_policy:
enforce_new_defaults: True enforce_new_defaults: False
enforce_scope: False
test-config: test-config:
"$TEMPEST_CONFIG": "$TEMPEST_CONFIG":
dns_feature_enabled: dns_feature_enabled:
enforce_new_defaults: True enforce_new_defaults: False
enforce_scope:
designate: False
- job: - job:
name: designate-bind9-centos-9-stream name: designate-bind9-centos-9-stream
@@ -219,7 +222,7 @@
voting: false voting: false
- designate-bind9-centos-9-stream: - designate-bind9-centos-9-stream:
voting: false voting: false
- designate-bind9-keystone-default-roles - designate-bind9-keystone-old-default-roles
- designate-pdns4 - designate-pdns4
- designate-grenade-bind9 - designate-grenade-bind9
- designate-grenade-pdns4 - designate-grenade-pdns4
@@ -231,7 +234,7 @@
fail-fast: true fail-fast: true
jobs: jobs:
- designate-bind9 - designate-bind9
- designate-bind9-keystone-default-roles - designate-bind9-keystone-old-default-roles
- designate-pdns4 - designate-pdns4
- designate-grenade-pdns4 - designate-grenade-pdns4
- designate-grenade-pdns4-skip-level - designate-grenade-pdns4-skip-level
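Review bot: The renamed `designate-bind9-keystone-old-default-roles` job now pins `enforce_new_defaults: False` in the service post-config and `enforce_new_defaults: False` plus `enforce_scope: designate: False` in the tempest test-config, but nothing in the job says why a legacy-policy job is kept once the new defaults are the norm. A short comment under the job name, `# Regression job for the legacy (pre-secure-RBAC) policy defaults; remove together with old-default support`, would tell the next reader what the TODO(gmann) block refers to and what can be deleted together. The job definition continues outside the hunk, so an existing description may already cover this.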


@@ -31,10 +31,8 @@ class ZoneExportController(rest.RestController):
@utils.validate_uuid('export_id') @utils.validate_uuid('export_id')
def get_all(self, export_id): def get_all(self, export_id):
context = pecan.request.environ['context'] context = pecan.request.environ['context']
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: context.project_id,
target = {constants.RBAC_PROJECT_ID: context.project_id} 'tenant_id': context.project_id}
else:
target = {'tenant_id': context.project_id}
policy.check('zone_export', context, target) policy.check('zone_export', context, target)
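Review bot: The new target in `get_all` carries the same project id under two keys, `constants.RBAC_PROJECT_ID` and the legacy `'tenant_id'`, and the identical two-key shape is hand-written at every policy call site in the central service and zone-transfer adapter sections below. A small helper such as `def _rbac_target(project_id, **extra): return {constants.RBAC_PROJECT_ID: project_id, 'tenant_id': project_id, **extra}` would keep the legacy key from being dropped or misspelled in one of the forty-odd copies. Whichever form stays, a one-line comment next to the first occurrence on why `'tenant_id'` is still populated (presumably for operator policy overrides written against the old rule syntax) would save the next maintainer from "cleaning" it away. `get_all` continues outside the hunk.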


@@ -524,11 +524,9 @@ class Service(service.RPCService):
# Quota Methods # Quota Methods
@rpc.expected_exceptions() @rpc.expected_exceptions()
def get_quotas(self, context, tenant_id): def get_quotas(self, context, tenant_id):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: tenant_id,
target = {constants.RBAC_PROJECT_ID: tenant_id, 'tenant_id': tenant_id,
'all_tenants': context.all_tenants} 'all_tenants': context.all_tenants}
else:
target = {'tenant_id': tenant_id}
policy.check('get_quotas', context, target) policy.check('get_quotas', context, target)
# NOTE(tkajinam): get_quotas now requires project scope so we assume # NOTE(tkajinam): get_quotas now requires project scope so we assume
# the context should contain project_id # the context should contain project_id
@@ -540,18 +538,12 @@ class Service(service.RPCService):
@rpc.expected_exceptions() @rpc.expected_exceptions()
@transaction @transaction
def set_quota(self, context, tenant_id, resource, hard_limit): def set_quota(self, context, tenant_id, resource, hard_limit):
if policy.enforce_new_defaults(): target = {
target = { constants.RBAC_PROJECT_ID: tenant_id,
constants.RBAC_PROJECT_ID: tenant_id, 'tenant_id': tenant_id,
'resource': resource, 'resource': resource,
'hard_limit': hard_limit, 'hard_limit': hard_limit,
} }
else:
target = {
'tenant_id': tenant_id,
'resource': resource,
'hard_limit': hard_limit,
}
policy.check('set_quota', context, target) policy.check('set_quota', context, target)
# NOTE(tkajinam): set_quota now requires project scope so we assume # NOTE(tkajinam): set_quota now requires project scope so we assume
@@ -563,10 +555,8 @@ class Service(service.RPCService):
@transaction @transaction
def reset_quotas(self, context, tenant_id): def reset_quotas(self, context, tenant_id):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: tenant_id,
target = {constants.RBAC_PROJECT_ID: tenant_id} 'tenant_id': tenant_id}
else:
target = {'tenant_id': tenant_id}
policy.check('reset_quotas', context, target) policy.check('reset_quotas', context, target)
self.quota.reset_quotas(context, tenant_id) self.quota.reset_quotas(context, tenant_id)
@@ -682,10 +672,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions() @rpc.expected_exceptions()
def get_tenant(self, context, tenant_id): def get_tenant(self, context, tenant_id):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: tenant_id,
target = {constants.RBAC_PROJECT_ID: tenant_id} 'tenant_id': tenant_id}
else:
target = {'tenant_id': tenant_id}
policy.check('get_tenant', context, target) policy.check('get_tenant', context, target)
@@ -740,16 +728,11 @@ class Service(service.RPCService):
# Default to creating in the current users tenant # Default to creating in the current users tenant
zone.tenant_id = zone.tenant_id or context.project_id zone.tenant_id = zone.tenant_id or context.project_id
if policy.enforce_new_defaults(): target = {
target = { constants.RBAC_PROJECT_ID: zone.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id, 'tenant_id': zone.tenant_id,
'zone_name': zone.name 'zone_name': zone.name
} }
else:
target = {
'tenant_id': zone.tenant_id,
'zone_name': zone.name
}
policy.check('create_zone', context, target) policy.check('create_zone', context, target)
@@ -882,21 +865,13 @@ class Service(service.RPCService):
# TODO(johnsom) This should account for all-projects context # TODO(johnsom) This should account for all-projects context
# it passes today due to ADMIN # it passes today due to ADMIN
if policy.enforce_new_defaults(): target = {
target = { 'zone_id': zone_id,
'zone_id': zone_id, 'zone_name': zone.name,
'zone_name': zone.name, 'zone_shared': zone_shared,
'zone_shared': zone_shared, constants.RBAC_PROJECT_ID: zone.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id 'tenant_id': zone.tenant_id
} }
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_shared': zone_shared,
'tenant_id': zone.tenant_id
}
policy.check('get_zone', context, target) policy.check('get_zone', context, target)
return zone return zone
@@ -909,18 +884,12 @@ class Service(service.RPCService):
else: else:
zone = self.storage.get_zone(context, zone_id) zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults(): target = {
target = { 'zone_id': zone_id,
'zone_id': zone_id, 'zone_name': zone.name,
'zone_name': zone.name, constants.RBAC_PROJECT_ID: zone.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id 'tenant_id': zone.tenant_id
} }
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'tenant_id': zone.tenant_id
}
pool_id = zone.pool_id pool_id = zone.pool_id
policy.check('get_zone_ns_records', context, target) policy.check('get_zone_ns_records', context, target)
@@ -938,10 +907,8 @@ class Service(service.RPCService):
sort_key=None, sort_dir=None): sort_key=None, sort_dir=None):
"""List existing zones including the ones flagged for deletion. """List existing zones including the ones flagged for deletion.
""" """
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: context.project_id,
target = {constants.RBAC_PROJECT_ID: context.project_id} 'tenant_id': context.project_id}
else:
target = {'tenant_id': context.project_id}
policy.check('find_zones', context, target) policy.check('find_zones', context, target)
@@ -962,19 +929,13 @@ class Service(service.RPCService):
:returns: updated zone :returns: updated zone
""" """
if policy.enforce_new_defaults(): target = {
target = { 'zone_id': zone.obj_get_original_value('id'),
'zone_id': zone.obj_get_original_value('id'), 'zone_name': zone.obj_get_original_value('name'),
'zone_name': zone.obj_get_original_value('name'), constants.RBAC_PROJECT_ID: (
constants.RBAC_PROJECT_ID: ( zone.obj_get_original_value('tenant_id')),
zone.obj_get_original_value('tenant_id')), 'tenant_id': zone.obj_get_original_value('tenant_id')
} }
else:
target = {
'zone_id': zone.obj_get_original_value('id'),
'zone_name': zone.obj_get_original_value('name'),
'tenant_id': zone.obj_get_original_value('tenant_id'),
}
policy.check('update_zone', context, target) policy.check('update_zone', context, target)
self._enforce_catalog_zone_policy(context, zone) self._enforce_catalog_zone_policy(context, zone)
@@ -1042,18 +1003,12 @@ class Service(service.RPCService):
self._enforce_catalog_zone_policy(context, zone) self._enforce_catalog_zone_policy(context, zone)
if policy.enforce_new_defaults(): target = {
target = { 'zone_id': zone_id,
'zone_id': zone_id, 'zone_name': zone.name,
'zone_name': zone.name, constants.RBAC_PROJECT_ID: zone.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id 'tenant_id': zone.tenant_id
} }
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'tenant_id': zone.tenant_id
}
if hasattr(context, 'abandon') and context.abandon: if hasattr(context, 'abandon') and context.abandon:
policy.check('abandon_zone', context, target) policy.check('abandon_zone', context, target)
@@ -1127,18 +1082,12 @@ class Service(service.RPCService):
def xfr_zone(self, context, zone_id): def xfr_zone(self, context, zone_id):
zone = self.storage.get_zone(context, zone_id) zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults(): target = {
target = { 'zone_id': zone_id,
'zone_id': zone_id, 'zone_name': zone.name,
'zone_name': zone.name, constants.RBAC_PROJECT_ID: zone.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id 'tenant_id': zone.tenant_id
} }
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'tenant_id': zone.tenant_id
}
policy.check('xfr_zone', context, target) policy.check('xfr_zone', context, target)
@@ -1163,14 +1112,10 @@ class Service(service.RPCService):
if criterion is None: if criterion is None:
criterion = {} criterion = {}
if policy.enforce_new_defaults(): target = {
target = { constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None) 'tenant_id': criterion.get('tenant_id', None)
} }
else:
target = {
'tenant_id': criterion.get('tenant_id', None)
}
policy.check('count_zones', context, target) policy.check('count_zones', context, target)
@@ -1214,10 +1159,8 @@ class Service(service.RPCService):
# Ensure that zone exists and get the zone owner # Ensure that zone exists and get the zone owner
zone = self.storage.get_zone(context, zone_id) zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: zone.tenant_id,
target = {constants.RBAC_PROJECT_ID: zone.tenant_id} 'tenant_id': zone.tenant_id}
else:
target = {'tenant_id': zone.tenant_id}
policy.check('share_zone', context, target) policy.check('share_zone', context, target)
@@ -1242,10 +1185,8 @@ class Service(service.RPCService):
# Ensure the share exists and get the share owner # Ensure the share exists and get the share owner
shared_zone = self.get_shared_zone(context, zone_id, zone_share_id) shared_zone = self.get_shared_zone(context, zone_id, zone_share_id)
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: shared_zone.project_id,
target = {constants.RBAC_PROJECT_ID: shared_zone.project_id} 'tenant_id': shared_zone.project_id}
else:
target = {'tenant_id': shared_zone.project_id}
policy.check('unshare_zone', context, target) policy.check('unshare_zone', context, target)
@@ -1293,12 +1234,10 @@ class Service(service.RPCService):
if not context.all_tenants and criterion: if not context.all_tenants and criterion:
# Check that they are asking for another projects shares # Check that they are asking for another projects shares
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: criterion.get(
target = {constants.RBAC_PROJECT_ID: criterion.get( 'target_project_id', context.project_id),
'target_project_id', context.project_id)} 'tenant_id': criterion.get(
else: 'target_project_id', context.project_id)}
target = {'tenant_id': criterion.get('target_project_id',
context.project_id)}
policy.check('find_project_zone_share', context, target) policy.check('find_project_zone_share', context, target)
@@ -1314,10 +1253,8 @@ class Service(service.RPCService):
zone_share = self.storage.get_shared_zone( zone_share = self.storage.get_shared_zone(
context, zone_id, zone_share_id) context, zone_id, zone_share_id)
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: zone_share.project_id,
target = {constants.RBAC_PROJECT_ID: zone_share.project_id} 'tenant_id': zone_share.project_id}
else:
target = {'tenant_id': zone_share.project_id}
policy.check('get_zone_share', context, target) policy.check('get_zone_share', context, target)
@@ -1353,16 +1290,11 @@ class Service(service.RPCService):
:returns: moved zone :returns: moved zone
""" """
if policy.enforce_new_defaults(): target = {
target = { 'zone_id': zone_id,
'zone_id': zone_id, constants.RBAC_PROJECT_ID: context.project_id,
constants.RBAC_PROJECT_ID: context.project_id, 'tenant_id': context.project_id,
} }
else:
target = {
'zone_id': zone_id,
'tenant_id': context.project_id,
}
policy.check('pool_move_zone', context, target) policy.check('pool_move_zone', context, target)
@@ -1438,24 +1370,15 @@ class Service(service.RPCService):
if zone.action == 'DELETE': if zone.action == 'DELETE':
raise exceptions.BadRequest('Can not update a deleting zone') raise exceptions.BadRequest('Can not update a deleting zone')
if policy.enforce_new_defaults(): target = {
target = { 'zone_id': zone_id,
'zone_id': zone_id, 'zone_name': zone.name,
'zone_name': zone.name, 'zone_type': zone.type,
'zone_type': zone.type, 'zone_shared': zone_shared,
'zone_shared': zone_shared, 'recordset_name': recordset.name,
'recordset_name': recordset.name, constants.RBAC_PROJECT_ID: zone.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id, 'tenant_id': zone.tenant_id
} }
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'zone_shared': zone_shared,
'recordset_name': recordset.name,
'tenant_id': zone.tenant_id,
}
policy.check('create_recordset', context, target) policy.check('create_recordset', context, target)
@@ -1554,22 +1477,14 @@ class Service(service.RPCService):
zone_shared = self._check_zone_share_permission(context, zone) zone_shared = self._check_zone_share_permission(context, zone)
# TODO(johnsom) This should account for all_projects # TODO(johnsom) This should account for all_projects
if policy.enforce_new_defaults(): target = {
target = { 'zone_id': zone.id,
'zone_id': zone.id, 'zone_name': zone.name,
'zone_name': zone.name, 'zone_shared': zone_shared,
'zone_shared': zone_shared, 'recordset_id': recordset.id,
'recordset_id': recordset.id, constants.RBAC_PROJECT_ID: zone.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id, 'tenant_id': zone.tenant_id
} }
else:
target = {
'zone_id': zone.id,
'zone_name': zone.name,
'zone_shared': zone_shared,
'recordset_id': recordset.id,
'tenant_id': zone.tenant_id,
}
policy.check('get_recordset', context, target) policy.check('get_recordset', context, target)
@@ -1595,10 +1510,8 @@ class Service(service.RPCService):
zone_shared = self._check_zone_share_permission(context, zone) zone_shared = self._check_zone_share_permission(context, zone)
# TODO(johnsom) Fix this to be useful # TODO(johnsom) Fix this to be useful
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: context.project_id,
target = {constants.RBAC_PROJECT_ID: context.project_id} 'tenant_id': context.project_id}
else:
target = {'tenant_id': context.project_id}
policy.check('find_recordsets', context, target) policy.check('find_recordsets', context, target)
@@ -1616,10 +1529,8 @@ class Service(service.RPCService):
def find_recordset(self, context, criterion=None): def find_recordset(self, context, criterion=None):
# TODO(johnsom) Fix this to be useful # TODO(johnsom) Fix this to be useful
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: context.project_id,
target = {constants.RBAC_PROJECT_ID: context.project_id} 'tenant_id': context.project_id}
else:
target = {'tenant_id': context.project_id}
policy.check('find_recordset', context, target) policy.check('find_recordset', context, target)
recordset = self.storage.find_recordset(context, criterion) recordset = self.storage.find_recordset(context, criterion)
@@ -1686,28 +1597,17 @@ class Service(service.RPCService):
# TODO(johnsom) This should account for all-projects context # TODO(johnsom) This should account for all-projects context
# it passes today due to ADMIN # it passes today due to ADMIN
if policy.enforce_new_defaults(): target = {
target = { 'recordset_id': recordset.obj_get_original_value('id'),
'recordset_id': recordset.obj_get_original_value('id'), 'recordset_project_id': recordset.obj_get_original_value(
'recordset_project_id': recordset.obj_get_original_value( 'tenant_id'),
'tenant_id'), 'zone_id': recordset.obj_get_original_value('zone_id'),
'zone_id': recordset.obj_get_original_value('zone_id'), 'zone_name': zone.name,
'zone_name': zone.name, 'zone_shared': zone_shared,
'zone_shared': zone_shared, 'zone_type': zone.type,
'zone_type': zone.type, constants.RBAC_PROJECT_ID: zone.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id 'tenant_id': zone.tenant_id
} }
else:
target = {
'recordset_id': recordset.obj_get_original_value('id'),
'recordset_project_id': recordset.obj_get_original_value(
'tenant_id'),
'zone_id': recordset.obj_get_original_value('zone_id'),
'zone_name': zone.name,
'zone_shared': zone_shared,
'zone_type': zone.type,
'tenant_id': zone.tenant_id
}
policy.check('update_recordset', context, target) policy.check('update_recordset', context, target)
@@ -1782,24 +1682,15 @@ class Service(service.RPCService):
raise exceptions.BadRequest('Can not update a deleting zone') raise exceptions.BadRequest('Can not update a deleting zone')
# TODO(johnsom) should handle all_projects # TODO(johnsom) should handle all_projects
if policy.enforce_new_defaults(): target = {
target = { 'zone_id': zone_id,
'zone_id': zone_id, 'zone_name': zone.name,
'zone_name': zone.name, 'zone_type': zone.type,
'zone_type': zone.type, 'recordset_id': recordset.id,
'recordset_id': recordset.id, 'recordset_project_id': recordset.tenant_id,
'recordset_project_id': recordset.tenant_id, constants.RBAC_PROJECT_ID: zone.tenant_id,
constants.RBAC_PROJECT_ID: zone.tenant_id 'tenant_id': zone.tenant_id
} }
else:
target = {
'zone_id': zone_id,
'zone_name': zone.name,
'zone_type': zone.type,
'recordset_id': recordset.id,
'recordset_project_id': recordset.tenant_id,
'tenant_id': zone.tenant_id
}
policy.check('delete_recordset', context, target) policy.check('delete_recordset', context, target)
@@ -1849,12 +1740,10 @@ class Service(service.RPCService):
if criterion is None: if criterion is None:
criterion = {} criterion = {}
if policy.enforce_new_defaults(): target = {
target = { constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None) 'tenant_id': criterion.get('tenant_id', None)
} }
else:
target = {'tenant_id': criterion.get('tenant_id', None)}
policy.check('count_recordsets', context, target) policy.check('count_recordsets', context, target)
@@ -1864,10 +1753,8 @@ class Service(service.RPCService):
def find_records(self, context, criterion=None, marker=None, limit=None, def find_records(self, context, criterion=None, marker=None, limit=None,
sort_key=None, sort_dir=None): sort_key=None, sort_dir=None):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: context.project_id,
target = {constants.RBAC_PROJECT_ID: context.project_id} 'tenant_id': context.project_id}
else:
target = {'tenant_id': context.project_id}
policy.check('find_records', context, target) policy.check('find_records', context, target)
return self.storage.find_records(context, criterion, marker, limit, return self.storage.find_records(context, criterion, marker, limit,
@@ -1878,12 +1765,10 @@ class Service(service.RPCService):
if criterion is None: if criterion is None:
criterion = {} criterion = {}
if policy.enforce_new_defaults(): target = {
target = { constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None),
constants.RBAC_PROJECT_ID: criterion.get('tenant_id', None) 'tenant_id': criterion.get('tenant_id', None)
} }
else:
target = {'tenant_id': criterion.get('tenant_id', None)}
policy.check('count_records', context, target) policy.check('count_records', context, target)
return self.storage.count_records(context, criterion) return self.storage.count_records(context, criterion)
@@ -2610,10 +2495,8 @@ class Service(service.RPCService):
if zone.action == 'DELETE': if zone.action == 'DELETE':
raise exceptions.BadRequest('Can not transfer a deleting zone') raise exceptions.BadRequest('Can not transfer a deleting zone')
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: zone.tenant_id,
target = {constants.RBAC_PROJECT_ID: zone.tenant_id} 'tenant_id': zone.tenant_id}
else:
target = {'tenant_id': zone.tenant_id}
policy.check('create_zone_transfer_request', context, target) policy.check('create_zone_transfer_request', context, target)
@@ -2640,17 +2523,13 @@ class Service(service.RPCService):
elevated_context, zone_transfer_request_id) elevated_context, zone_transfer_request_id)
LOG.info('Target Tenant ID found - using scoped policy') LOG.info('Target Tenant ID found - using scoped policy')
if policy.enforce_new_defaults(): target = {
target = { constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request.
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request. target_tenant_id),
target_tenant_id), constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id, 'target_tenant_id': zone_transfer_request.target_tenant_id,
} 'tenant_id': zone_transfer_request.tenant_id,
else: }
target = {
'target_tenant_id': zone_transfer_request.target_tenant_id,
'tenant_id': zone_transfer_request.tenant_id,
}
policy.check('get_zone_transfer_request', context, target) policy.check('get_zone_transfer_request', context, target)
@@ -2677,14 +2556,10 @@ class Service(service.RPCService):
if 'zone_id' in zone_transfer_request.obj_what_changed(): if 'zone_id' in zone_transfer_request.obj_what_changed():
raise exceptions.InvalidOperation('Zone cannot be changed') raise exceptions.InvalidOperation('Zone cannot be changed')
if policy.enforce_new_defaults(): target = {
target = { constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id, 'tenant_id': zone_transfer_request.tenant_id,
} }
else:
target = {
'tenant_id': zone_transfer_request.tenant_id,
}
policy.check('update_zone_transfer_request', context, target) policy.check('update_zone_transfer_request', context, target)
request = self.storage.update_zone_transfer_request( request = self.storage.update_zone_transfer_request(
context, zone_transfer_request) context, zone_transfer_request)
@@ -2699,12 +2574,9 @@ class Service(service.RPCService):
zone_transfer_request = self.storage.get_zone_transfer_request( zone_transfer_request = self.storage.get_zone_transfer_request(
context, zone_transfer_request_id) context, zone_transfer_request_id)
if policy.enforce_new_defaults(): target = {
target = { constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id,
constants.RBAC_PROJECT_ID: zone_transfer_request.tenant_id 'tenant_id': zone_transfer_request.tenant_id}
}
else:
target = {'tenant_id': zone_transfer_request.tenant_id}
policy.check('delete_zone_transfer_request', context, target) policy.check('delete_zone_transfer_request', context, target)
return self.storage.delete_zone_transfer_request( return self.storage.delete_zone_transfer_request(
@@ -2732,15 +2604,11 @@ class Service(service.RPCService):
raise exceptions.IncorrectZoneTransferKey( raise exceptions.IncorrectZoneTransferKey(
'Key does not match stored key for request') 'Key does not match stored key for request')
if policy.enforce_new_defaults(): target = {
target = { constants.RBAC_TARGET_PROJECT_ID: (
constants.RBAC_TARGET_PROJECT_ID: (zone_transfer_request. zone_transfer_request.target_tenant_id),
target_tenant_id) 'target_tenant_id': zone_transfer_request.target_tenant_id
} }
else:
target = {
'target_tenant_id': zone_transfer_request.target_tenant_id
}
policy.check('create_zone_transfer_accept', context, target) policy.check('create_zone_transfer_accept', context, target)
@@ -2791,14 +2659,10 @@ class Service(service.RPCService):
zone_transfer_accept = self.storage.get_zone_transfer_accept( zone_transfer_accept = self.storage.get_zone_transfer_accept(
context, zone_transfer_accept_id) context, zone_transfer_accept_id)
if policy.enforce_new_defaults(): target = {
target = { constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id,
constants.RBAC_PROJECT_ID: zone_transfer_accept.tenant_id 'tenant_id': zone_transfer_accept.tenant_id
} }
else:
target = {
'tenant_id': zone_transfer_accept.tenant_id
}
policy.check('get_zone_transfer_accept', context, target) policy.check('get_zone_transfer_accept', context, target)
@@ -2816,10 +2680,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions() @rpc.expected_exceptions()
@notification.notify_type('dns.zone_import.create') @notification.notify_type('dns.zone_import.create')
def create_zone_import(self, context, request_body): def create_zone_import(self, context, request_body):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: context.project_id,
target = {constants.RBAC_PROJECT_ID: context.project_id} 'tenant_id': context.project_id}
else:
target = {'tenant_id': context.project_id}
policy.check('create_zone_import', context, target) policy.check('create_zone_import', context, target)
@@ -2911,10 +2773,8 @@ class Service(service.RPCService):
@notification.notify_type('dns.zone_import.update') @notification.notify_type('dns.zone_import.update')
def update_zone_import(self, context, zone_import): def update_zone_import(self, context, zone_import):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: zone_import.tenant_id,
target = {constants.RBAC_PROJECT_ID: zone_import.tenant_id} 'tenant_id': zone_import.tenant_id}
else:
target = {'tenant_id': zone_import.tenant_id}
policy.check('update_zone_import', context, target) policy.check('update_zone_import', context, target)
return self.storage.update_zone_import(context, zone_import) return self.storage.update_zone_import(context, zone_import)
@@ -2923,10 +2783,8 @@ class Service(service.RPCService):
def find_zone_imports(self, context, criterion=None, marker=None, def find_zone_imports(self, context, criterion=None, marker=None,
limit=None, sort_key=None, sort_dir=None): limit=None, sort_key=None, sort_dir=None):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: context.project_id,
target = {constants.RBAC_PROJECT_ID: context.project_id} 'tenant_id': context.project_id}
else:
target = {'tenant_id': context.project_id}
policy.check('find_zone_imports', context, target) policy.check('find_zone_imports', context, target)
@@ -2943,10 +2801,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions() @rpc.expected_exceptions()
def get_zone_import(self, context, zone_import_id): def get_zone_import(self, context, zone_import_id):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: context.project_id,
target = {constants.RBAC_PROJECT_ID: context.project_id} 'tenant_id': context.project_id}
else:
target = {'tenant_id': context.project_id}
policy.check('get_zone_import', context, target) policy.check('get_zone_import', context, target)
return self.storage.get_zone_import(context, zone_import_id) return self.storage.get_zone_import(context, zone_import_id)
@@ -2956,16 +2812,11 @@ class Service(service.RPCService):
@transaction @transaction
def delete_zone_import(self, context, zone_import_id): def delete_zone_import(self, context, zone_import_id):
if policy.enforce_new_defaults(): target = {
target = {
'zone_import_id': zone_import_id,
constants.RBAC_PROJECT_ID: context.project_id
}
else:
target = {
'zone_import_id': zone_import_id, 'zone_import_id': zone_import_id,
constants.RBAC_PROJECT_ID: context.project_id,
'tenant_id': context.project_id 'tenant_id': context.project_id
} }
policy.check('delete_zone_import', context, target) policy.check('delete_zone_import', context, target)
@@ -2980,10 +2831,8 @@ class Service(service.RPCService):
# Try getting the zone to ensure it exists # Try getting the zone to ensure it exists
zone = self.storage.get_zone(context, zone_id) zone = self.storage.get_zone(context, zone_id)
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: zone.tenant_id,
target = {constants.RBAC_PROJECT_ID: zone.tenant_id} 'tenant_id': zone.tenant_id}
else:
target = {'tenant_id': zone.tenant_id}
policy.check('create_zone_export', context, target) policy.check('create_zone_export', context, target)
@@ -3010,10 +2859,8 @@ class Service(service.RPCService):
def find_zone_exports(self, context, criterion=None, marker=None, def find_zone_exports(self, context, criterion=None, marker=None,
limit=None, sort_key=None, sort_dir=None): limit=None, sort_key=None, sort_dir=None):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: context.project_id,
target = {constants.RBAC_PROJECT_ID: context.project_id} 'tenant_id': context.project_id}
else:
target = {'tenant_id': context.project_id}
policy.check('find_zone_exports', context, target) policy.check('find_zone_exports', context, target)
if not criterion: if not criterion:
@@ -3029,10 +2876,8 @@ class Service(service.RPCService):
@rpc.expected_exceptions() @rpc.expected_exceptions()
def get_zone_export(self, context, zone_export_id): def get_zone_export(self, context, zone_export_id):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: context.project_id,
target = {constants.RBAC_PROJECT_ID: context.project_id} 'tenant_id': context.project_id}
else:
target = {'tenant_id': context.project_id}
policy.check('get_zone_export', context, target) policy.check('get_zone_export', context, target)
@@ -3042,10 +2887,8 @@ class Service(service.RPCService):
@notification.notify_type('dns.zone_export.update') @notification.notify_type('dns.zone_export.update')
def update_zone_export(self, context, zone_export): def update_zone_export(self, context, zone_export):
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: zone_export.tenant_id,
target = {constants.RBAC_PROJECT_ID: zone_export.tenant_id} 'tenant_id': zone_export.tenant_id}
else:
target = {'tenant_id': zone_export.tenant_id}
policy.check('update_zone_export', context, target) policy.check('update_zone_export', context, target)
@@ -3056,16 +2899,11 @@ class Service(service.RPCService):
@transaction @transaction
def delete_zone_export(self, context, zone_export_id): def delete_zone_export(self, context, zone_export_id):
if policy.enforce_new_defaults(): target = {
target = { 'zone_export_id': zone_export_id,
'zone_export_id': zone_export_id, constants.RBAC_PROJECT_ID: context.project_id,
constants.RBAC_PROJECT_ID: context.project_id 'tenant_id': context.project_id
} }
else:
target = {
'zone_export_id': zone_export_id,
'tenant_id': context.project_id
}
policy.check('delete_zone_export', context, target) policy.check('delete_zone_export', context, target)
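Review bot: In the `find_project_zone_share` hunk the lookup `criterion.get('target_project_id', context.project_id)` is now evaluated twice to fill the two target keys; bind it once, `owner_id = criterion.get('target_project_id', context.project_id)` and `target = {constants.RBAC_PROJECT_ID: owner_id, 'tenant_id': owner_id}`, so the two keys cannot drift apart and the awkward line continuation disappears. The same duplicated expression appears in the `count_zones`, `count_recordsets` and `count_records` hunks with `criterion.get('tenant_id', None)`, and in `update_zone` with `zone.obj_get_original_value('tenant_id')`. Every enclosing method in this section runs past its hunk, so I have not checked the surrounding code or callers.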


@@ -64,10 +64,8 @@ class ZoneTransferRequestAPIv2Adapter(base.APIv2Adapter):
obj, *args, **kwargs obj, *args, **kwargs
) )
try: try:
if policy.enforce_new_defaults(): target = {constants.RBAC_PROJECT_ID: obj.tenant_id,
target = {constants.RBAC_PROJECT_ID: obj.tenant_id} 'tenant_id': obj.tenant_id}
else:
target = {'tenant_id': obj.tenant_id}
policy.check( policy.check(
'get_zone_transfer_request_detailed', kwargs['context'], target 'get_zone_transfer_request_detailed', kwargs['context'], target
) )
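Review bot: The new target dict stores the same value under both `constants.RBAC_PROJECT_ID` and the legacy `'tenant_id'` key with nothing saying why, which invites a later cleanup to drop one of them and silently break operator policy files that still match on the other. A one-line comment above the assignment would pin the intent, e.g. `# 'tenant_id' is kept alongside project_id so policy rules written for the old defaults still match` (presumably that is the reason; confirm). The same duplicated-key shape is introduced in the get_zone_export, update_zone_export and delete_zone_export hunks above, so one comment near the first occurrence and a cross-reference here would suffice. The enclosing try block and function start outside the hunk.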


@@ -66,10 +66,7 @@ def init(default_rule=None, policy_file=None):
def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden): def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden):
if enforce_new_defaults(): creds = ctxt.to_policy_values()
creds = ctxt.to_policy_values()
else:
creds = ctxt.to_dict()
target = target or {} target = target or {}
try: try:
result = _ENFORCER.enforce(rule, target, creds, do_raise, exc) result = _ENFORCER.enforce(rule, target, creds, do_raise, exc)
@@ -95,12 +92,6 @@ def check(rule, ctxt, target=None, do_raise=True, exc=exceptions.Forbidden):
{'rule': rule, 'target': repr(target)}, extra=extra) {'rule': rule, 'target': repr(target)}, extra=extra)
def enforce_new_defaults():
if CONF.get('oslo_policy'):
return CONF['oslo_policy'].get('enforce_new_defaults', False)
return False
def get_enforcer(): def get_enforcer():
# This method is used by oslopolicy CLI scripts in order to generate policy # This method is used by oslopolicy CLI scripts in order to generate policy
# files from overrides on disk and defaults in code. # files from overrides on disk and defaults in code.
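Review bot: `check()` now unconditionally builds the credentials from `ctxt.to_policy_values()`, so any deployment policy file that referenced a credential key only exposed by the former `ctxt.to_dict()` branch will evaluate differently once this lands, and nothing in the hunk records that; if the change is intended, a release note naming it and a docstring on `check` such as `"""Enforce *rule* for *ctxt* against *target*; credentials are taken from ctxt.to_policy_values()."""` would make the contract explicit. Removing `enforce_new_defaults()` also drops a public module-level function; callers inside this tree are updated in the other hunks, but I cannot see whether anything outside the tree imports it, so that is worth a check before merge. The body of `check` continues outside the hunk.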


@@ -149,8 +149,6 @@ class CentralBasic(designate.tests.functional.TestCase):
policy, 'set_rules', return_value=mock.Mock()).start() policy, 'set_rules', return_value=mock.Mock()).start()
mock.patch.object( mock.patch.object(
policy, 'init', return_value=mock.Mock()).start() policy, 'init', return_value=mock.Mock()).start()
mock.patch.object(
policy, 'enforce_new_defaults', return_value=mock.Mock()).start()
self.mock_policy_check = mock.patch.object( self.mock_policy_check = mock.patch.object(
policy, 'check', return_value=mock.Mock()).start() policy, 'check', return_value=mock.Mock()).start()
self.mock_get_quota = mock.patch.object( self.mock_get_quota = mock.patch.object(
@@ -789,7 +787,8 @@ class CentralZoneTestCase(CentralBasic):
'zone_id': CentralZoneTestCase.zone_id, 'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'foo', 'zone_name': 'foo',
'zone_shared': False, 'zone_shared': False,
'project_id': '2' 'project_id': '2',
'tenant_id': '2'
} }
) )
@@ -815,7 +814,7 @@ class CentralZoneTestCase(CentralBasic):
self.assertTrue(self.service.storage.find_zones.called) self.assertTrue(self.service.storage.find_zones.called)
self.mock_policy_check.assert_called_with( self.mock_policy_check.assert_called_with(
'find_zones', mock.ANY, {'project_id': 't'} 'find_zones', mock.ANY, {'project_id': 't', 'tenant_id': 't'}
) )
def test_delete_zone_has_subzone(self): def test_delete_zone_has_subzone(self):
@@ -838,7 +837,8 @@ class CentralZoneTestCase(CentralBasic):
'delete_zone', mock.ANY, { 'delete_zone', mock.ANY, {
'zone_id': CentralZoneTestCase.zone_id, 'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'foo', 'zone_name': 'foo',
'project_id': '2' 'project_id': '2',
'tenant_id': '2'
} }
) )
@@ -864,7 +864,8 @@ class CentralZoneTestCase(CentralBasic):
'abandon_zone', mock.ANY, { 'abandon_zone', mock.ANY, {
'zone_id': CentralZoneTestCase.zone_id, 'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'foo', 'zone_name': 'foo',
'project_id': '2' 'project_id': '2',
'tenant_id': '2'
} }
) )
@@ -900,7 +901,8 @@ class CentralZoneTestCase(CentralBasic):
'delete_zone', mock.ANY, { 'delete_zone', mock.ANY, {
'zone_id': CentralZoneTestCase.zone_id, 'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'foo', 'zone_name': 'foo',
'project_id': '2' 'project_id': '2',
'tenant_id': '2'
} }
) )
@@ -937,7 +939,8 @@ class CentralZoneTestCase(CentralBasic):
'delete_zone', mock.ANY, { 'delete_zone', mock.ANY, {
'zone_id': CentralZoneTestCase.zone_id, 'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'foo', 'zone_name': 'foo',
'project_id': '2' 'project_id': '2',
'tenant_id': '2'
} }
) )
@@ -973,7 +976,8 @@ class CentralZoneTestCase(CentralBasic):
'xfr_zone', mock.ANY, { 'xfr_zone', mock.ANY, {
'zone_id': CentralZoneTestCase.zone_id, 'zone_id': CentralZoneTestCase.zone_id,
'zone_name': 'example.org.', 'zone_name': 'example.org.',
'project_id': '2' 'project_id': '2',
'tenant_id': '2'
} }
) )
@@ -1086,7 +1090,8 @@ class CentralZoneTestCase(CentralBasic):
'zone_name': 'example.org.', 'zone_name': 'example.org.',
'zone_shared': False, 'zone_shared': False,
'recordset_id': CentralZoneTestCase.recordset_id, 'recordset_id': CentralZoneTestCase.recordset_id,
'project_id': '2' 'project_id': '2',
'tenant_id': '2'
} }
) )
@@ -1118,7 +1123,8 @@ class CentralZoneTestCase(CentralBasic):
'zone_name': 'example.org.', 'zone_name': 'example.org.',
'zone_shared': False, 'zone_shared': False,
'recordset_id': CentralZoneTestCase.recordset_id, 'recordset_id': CentralZoneTestCase.recordset_id,
'project_id': '2' 'project_id': '2',
'tenant_id': '2'
} }
) )
@@ -1129,7 +1135,7 @@ class CentralZoneTestCase(CentralBasic):
self.assertTrue(self.service.storage.find_recordsets.called) self.assertTrue(self.service.storage.find_recordsets.called)
self.mock_policy_check.assert_called_with( self.mock_policy_check.assert_called_with(
'find_recordsets', mock.ANY, {'project_id': 't'} 'find_recordsets', mock.ANY, {'project_id': 't', 'tenant_id': 't'}
) )
def test_find_recordset(self): def test_find_recordset(self):
@@ -1139,7 +1145,7 @@ class CentralZoneTestCase(CentralBasic):
self.service.find_recordset(self.context) self.service.find_recordset(self.context)
self.assertTrue(self.service.storage.find_recordset.called) self.assertTrue(self.service.storage.find_recordset.called)
self.mock_policy_check.assert_called_with( self.mock_policy_check.assert_called_with(
'find_recordset', mock.ANY, {'project_id': 't'} 'find_recordset', mock.ANY, {'project_id': 't', 'tenant_id': 't'}
) )
def test_update_recordset_fail_on_changes(self): def test_update_recordset_fail_on_changes(self):
@@ -1237,7 +1243,8 @@ class CentralZoneTestCase(CentralBasic):
'zone_name': 'example.org.', 'zone_name': 'example.org.',
'zone_shared': self.zone_shared, 'zone_shared': self.zone_shared,
'zone_type': 'foo', 'zone_type': 'foo',
'project_id': '2' 'project_id': '2',
'tenant_id': '2'
} }
) )
@@ -1474,13 +1481,14 @@ class CentralZoneTestCase(CentralBasic):
def test_count_recordset(self): def test_count_recordset(self):
self.service.count_recordsets(self.context) self.service.count_recordsets(self.context)
self.mock_policy_check.assert_called_with( self.mock_policy_check.assert_called_with(
'count_recordsets', mock.ANY, {'project_id': None} 'count_recordsets', mock.ANY, {
'project_id': None, 'tenant_id': None}
) )
def test_count_records(self): def test_count_records(self):
self.service.count_records(self.context) self.service.count_records(self.context)
self.mock_policy_check.assert_called_with( self.mock_policy_check.assert_called_with(
'count_records', mock.ANY, {'project_id': None} 'count_records', mock.ANY, {'project_id': None, 'tenant_id': None}
) )
def test_determine_floatingips(self): def test_determine_floatingips(self):
@@ -1620,7 +1628,7 @@ class CentralZoneExportTests(CentralBasic):
CentralZoneTestCase.zone_export_id) CentralZoneTestCase.zone_export_id)
self.mock_policy_check.assert_called_with( self.mock_policy_check.assert_called_with(
'get_zone_export', mock.ANY, {'project_id': 't'} 'get_zone_export', mock.ANY, {'project_id': 't', 'tenant_id': 't'}
) )
# Check output # Check output
@@ -1640,7 +1648,8 @@ class CentralZoneExportTests(CentralBasic):
self.assertTrue(self.service.storage.find_zone_exports.called) self.assertTrue(self.service.storage.find_zone_exports.called)
self.mock_policy_check.assert_called_with( self.mock_policy_check.assert_called_with(
'find_zone_exports', mock.ANY, {'project_id': 't'} 'find_zone_exports', mock.ANY, {
'project_id': 't', 'tenant_id': 't'}
) )
def test_find_zone_exports_with_custom_criterion(self): def test_find_zone_exports_with_custom_criterion(self):
@@ -1655,7 +1664,8 @@ class CentralZoneExportTests(CentralBasic):
self.assertTrue(self.service.storage.find_zone_exports.called) self.assertTrue(self.service.storage.find_zone_exports.called)
self.mock_policy_check.assert_called_with( self.mock_policy_check.assert_called_with(
'find_zone_exports', mock.ANY, {'project_id': 't'} 'find_zone_exports', mock.ANY, {
'project_id': 't', 'tenant_id': 't'}
) )
def test_delete_zone_export(self): def test_delete_zone_export(self):
@@ -1688,7 +1698,7 @@ class CentralZoneExportTests(CentralBasic):
self.mock_policy_check.assert_called_with( self.mock_policy_check.assert_called_with(
'delete_zone_export', mock.ANY, { 'delete_zone_export', mock.ANY, {
'zone_export_id': 'e887597f-9697-47dd-a202-7a2711f8669c', 'zone_export_id': 'e887597f-9697-47dd-a202-7a2711f8669c',
'project_id': 't' 'project_id': 't', 'tenant_id': 't'
} }
) )
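Review bot: Every updated assertion from test_find_zones through test_delete_zone_export repeats the `'project_id': X, 'tenant_id': X` pair by hand, so the expected target shape now lives in a dozen literal dicts and the next change to it will touch all of them again. A small helper on CentralBasic, for example `def _target(self, project_id, **extra): return {'project_id': project_id, 'tenant_id': project_id, **extra}`, would give the expected dict a single source of truth and keep the assertions readable. The test classes start outside the hunks.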


@@ -43,8 +43,7 @@ handled by Designate. Those two settings are `enforce_scope
When you enable `Keystone Default Roles`_ and `Keystone Scoped Tokens`_ the When you enable `Keystone Default Roles`_ and `Keystone Scoped Tokens`_ the
Designate policy honors the following roles: Designate policy honors the following roles:
* System scoped - Admin * Admin
* System scoped - Reader
* Project scoped - Reader * Project scoped - Reader
* Project scoped - Member * Project scoped - Member
@@ -63,9 +62,8 @@ configuration file::
[oslo_policy] [oslo_policy]
enforce_scope = True enforce_scope = True
The primary effect of this setting is to allow a system scoped admin token when The primary effect of this setting is to allow only project scoped calls
performing administrative API calls to the Designate API. The Designate API to the Designate API. The system scope token will return 403.
already enforces the project scoping in Keystone tokens.
[oslo_policy] enforce_new_defaults [oslo_policy] enforce_new_defaults
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -82,18 +80,6 @@ policies by adding the following setting to your Designate configuration file::
[oslo_policy] [oslo_policy]
enforce_new_defaults = True enforce_new_defaults = True
Example OpenStack Client Command
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After you have enabled enforce_new_defaults and enforce_scope, administrative
commands require a system scoped admin token. An example `OpenStack Client <https://docs.openstack.org/python-designateclient/latest/cli/index.html>`_ command
to create a `Top Level Domain (TLD) <https://docs.openstack.org/designate/latest/admin/tlds.html>`_ would look like:
.. code-block:: bash
openstack --os-system-scope all --os-auth-url <identity endpoint URL> --os-password <admin password> --os-username admin --os-user-domain-name default create tld --name example.org
Oslo Tools For Policy Management Oslo Tools For Policy Management
-------------------------------- --------------------------------