Add separate policy for updates with no changes

Allow operators to set a different (presumably looser) policy on PATCH updates that don't make any changes to the stack, but just retrigger a new update traversal (that will result in e.g. replacing any unhealthy resources). Change-Id: Id29e7ec7f6cf127177ea7ab29127b0568afaa18b Task: 37305
2019-10-25 17:07:12 -04:00 · 2019-10-25 17:07:12 -04:00 · 5d1e89f8e1
parent 53976e9998
commit 5d1e89f8e1
4 changed files with 50 additions and 1 deletions
--- a/heat/api/openstack/v1/stacks.py
+++ b/heat/api/openstack/v1/stacks.py
@ -497,13 +497,23 @@ class StackController(object):

        raise exc.HTTPAccepted()

-    @util.registered_identified_stack
+    @util.no_policy_enforce
+    @util._identified_stack
    def update_patch(self, req, identity, body):
        """Update an existing stack with a new template.

        Update an existing stack with a new template by patching the parameters
        Add the flag patch to the args so the engine code can distinguish
        """
+        policy_name = 'update_patch' if body else 'update_no_change'
+        allowed = req.context.policy.enforce(
+            context=req.context,
+            action=policy_name,
+            scope=self.REQUEST_SCOPE,
+            is_registered_policy=True)
+        if not allowed:
+            raise exc.HTTPForbidden()
+
        data = InstantiationData(body, patch=True)

        args = self.prepare_args(data, is_update=True)
--- a/heat/api/openstack/v1/util.py
+++ b/heat/api/openstack/v1/util.py
@ -42,6 +42,20 @@ def registered_policy_enforce(handler):
    return handle_stack_method


+def no_policy_enforce(handler):
+    """Decorator that does *not* enforce policies.
+
+    Checks the path matches the request context.
+
+    This is a handler method decorator.
+    """
+    @six.wraps(handler)
+    def handle_stack_method(controller, req, tenant_id, **kwargs):
+        if req.context.tenant_id != tenant_id and not req.context.is_admin:
+            raise exc.HTTPForbidden()
+        return handler(controller, req, **kwargs)
+
+
 def registered_identified_stack(handler):
    """Decorator that passes a stack identifier instead of path components.

--- a/heat/policies/stacks.py
+++ b/heat/policies/stacks.py
@ -244,6 +244,25 @@ stacks_policies = [
            }
        ]
    ),
+    policy.DocumentedRuleDefault(
+        name=POLICY_ROOT % 'update_no_change',
+        check_str=base.RULE_DENY_STACK_USER,
+        description='Update stack (PATCH).',
+        operations=[
+            {
+                'path': '/v1/{tenant_id}/stacks/{stack_name}/{stack_id}',
+                'method': 'PATCH'
+            }
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name=POLICY_ROOT % 'update_patch',
+            check_str=base.RULE_DENY_STACK_USER,
+        ),
+        deprecated_reason='Separate policy is now available for patch updates '
+                          'that make no changes to the template, parameters, '
+                          'or environment.',
+        deprecated_since='U'
+    ),
    policy.DocumentedRuleDefault(
        name=POLICY_ROOT % 'preview_update',
        check_str=base.RULE_DENY_STACK_USER,
--- a/releasenotes/notes/update-no-change-policy-728ed49e6b81da53.yaml
+++ b/releasenotes/notes/update-no-change-policy-728ed49e6b81da53.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Operators can now set a separate ``stacks:update_no_change`` policy for
+    PATCH updates that don't modify the stack, independently of the existing
+    ``stacks:update_patch`` policy.