Adding RBAC policy system and checks for identity
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files
Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py
When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine. Each check is mapped to a service type and validated. This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
include) rule. Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.
The engine allows for compound 'and' checks at this time. E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).
Other workflows e.g., Edit Project, should have separate save
actions per step as they are unrelated. Only the applicable
policy checks to that step were added. The separating unrelated
steps saves will should be future work.
The underlying engine supports more rule types that are used in the
underlying policy.json files.
Policy checks were added for all actions on tables in the Identity
Panel only. And the service policy files imported are limited in
this commit to reduce scope of the change.
Additionally, changes were made to the base action class to add
support or setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.
Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.
Finally, adding documentation regarding policy enforcement.
Implements: blueprint rbac
Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
2013-08-16 23:28:46 +00:00
|
|
|
#
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
# not use this file except in compliance with the License. You may obtain
|
|
|
|
# a copy of the License at
|
|
|
|
#
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
|
|
# License for the specific language governing permissions and limitations
|
|
|
|
# under the License.
|
|
|
|
|
2014-11-18 00:05:58 +00:00
|
|
|
from django.test.utils import override_settings
|
|
|
|
|
Adding RBAC policy system and checks for identity
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files
Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py
When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine. Each check is mapped to a service type and validated. This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
include) rule. Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.
The engine allows for compound 'and' checks at this time. E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).
Other workflows e.g., Edit Project, should have separate save
actions per step as they are unrelated. Only the applicable
policy checks to that step were added. The separating unrelated
steps saves will should be future work.
The underlying engine supports more rule types that are used in the
underlying policy.json files.
Policy checks were added for all actions on tables in the Identity
Panel only. And the service policy files imported are limited in
this commit to reduce scope of the change.
Additionally, changes were made to the base action class to add
support or setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.
Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.
Finally, adding documentation regarding policy enforcement.
Implements: blueprint rbac
Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
2013-08-16 23:28:46 +00:00
|
|
|
from openstack_dashboard import policy
|
2014-11-18 00:05:58 +00:00
|
|
|
from openstack_dashboard import policy_backend
|
Adding RBAC policy system and checks for identity
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files
Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py
When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine. Each check is mapped to a service type and validated. This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
include) rule. Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.
The engine allows for compound 'and' checks at this time. E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).
Other workflows e.g., Edit Project, should have separate save
actions per step as they are unrelated. Only the applicable
policy checks to that step were added. The separating unrelated
steps saves will should be future work.
The underlying engine supports more rule types that are used in the
underlying policy.json files.
Policy checks were added for all actions on tables in the Identity
Panel only. And the service policy files imported are limited in
this commit to reduce scope of the change.
Additionally, changes were made to the base action class to add
support or setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.
Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.
Finally, adding documentation regarding policy enforcement.
Implements: blueprint rbac
Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
2013-08-16 23:28:46 +00:00
|
|
|
from openstack_dashboard.test import helpers as test
|
|
|
|
|
|
|
|
|
|
|
|
class PolicyTestCase(test.TestCase):
|
2014-11-18 00:05:58 +00:00
|
|
|
@override_settings(POLICY_CHECK_FUNCTION=policy_backend.check)
|
|
|
|
def test_policy_check_set(self):
|
Adding RBAC policy system and checks for identity
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files
Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py
When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine. Each check is mapped to a service type and validated. This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
include) rule. Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.
The engine allows for compound 'and' checks at this time. E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).
Other workflows e.g., Edit Project, should have separate save
actions per step as they are unrelated. Only the applicable
policy checks to that step were added. The separating unrelated
steps saves will should be future work.
The underlying engine supports more rule types that are used in the
underlying policy.json files.
Policy checks were added for all actions on tables in the Identity
Panel only. And the service policy files imported are limited in
this commit to reduce scope of the change.
Additionally, changes were made to the base action class to add
support or setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.
Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.
Finally, adding documentation regarding policy enforcement.
Implements: blueprint rbac
Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
2013-08-16 23:28:46 +00:00
|
|
|
value = policy.check((("identity", "admin_required"),),
|
|
|
|
request=self.request)
|
|
|
|
self.assertFalse(value)
|
|
|
|
|
2014-11-18 00:05:58 +00:00
|
|
|
@override_settings(POLICY_CHECK_FUNCTION=None)
|
|
|
|
def test_policy_check_not_set(self):
|
Adding RBAC policy system and checks for identity
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files
Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py
When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine. Each check is mapped to a service type and validated. This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
include) rule. Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.
The engine allows for compound 'and' checks at this time. E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).
Other workflows e.g., Edit Project, should have separate save
actions per step as they are unrelated. Only the applicable
policy checks to that step were added. The separating unrelated
steps saves will should be future work.
The underlying engine supports more rule types that are used in the
underlying policy.json files.
Policy checks were added for all actions on tables in the Identity
Panel only. And the service policy files imported are limited in
this commit to reduce scope of the change.
Additionally, changes were made to the base action class to add
support or setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.
Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.
Finally, adding documentation regarding policy enforcement.
Implements: blueprint rbac
Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
2013-08-16 23:28:46 +00:00
|
|
|
value = policy.check((("identity", "admin_required"),),
|
|
|
|
request=self.request)
|
|
|
|
self.assertTrue(value)
|
|
|
|
|
2013-10-09 21:12:54 +00:00
|
|
|
|
2014-11-18 00:05:58 +00:00
|
|
|
class PolicyBackendTestCaseAdmin(test.BaseAdminViewTests):
|
|
|
|
@override_settings(POLICY_CHECK_FUNCTION=policy_backend.check)
|
|
|
|
def test_policy_check_set_admin(self):
|
|
|
|
value = policy.check((("identity", "admin_required"),),
|
Adding RBAC policy system and checks for identity
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files
Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py
When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine. Each check is mapped to a service type and validated. This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
include) rule. Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.
The engine allows for compound 'and' checks at this time. E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).
Other workflows e.g., Edit Project, should have separate save
actions per step as they are unrelated. Only the applicable
policy checks to that step were added. The separating unrelated
steps saves will should be future work.
The underlying engine supports more rule types that are used in the
underlying policy.json files.
Policy checks were added for all actions on tables in the Identity
Panel only. And the service policy files imported are limited in
this commit to reduce scope of the change.
Additionally, changes were made to the base action class to add
support or setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.
Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.
Finally, adding documentation regarding policy enforcement.
Implements: blueprint rbac
Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
2013-08-16 23:28:46 +00:00
|
|
|
request=self.request)
|
|
|
|
self.assertTrue(value)
|