5984e34862
Adding file based RBAC engine for Horizon using copies of nova and keystone policy.json files Policy engine builds on top of oslo incubator policy.py, fileutils was also pulled from oslo incubator as a dependency of policy.py When Horizon runs and a policy check is made, a path and mapping of services to policy files is used to load the rules into the policy engine. Each check is mapped to a service type and validated. This extra level of mapping is required because the policy.json files may each contain a 'default' rule or unqualified (no service name include) rule. Additionally, maintaining separate policy.json files per service will allow easier syncing with the service projects. The engine allows for compound 'and' checks at this time. E.g., the way the Create User action is written, multiple APIs are called to read data (roles, projects) and more are required to update data (grants, user). Other workflows e.g., Edit Project, should have separate save actions per step as they are unrelated. Only the applicable policy checks to that step were added. The separating unrelated steps saves will should be future work. The underlying engine supports more rule types that are used in the underlying policy.json files. Policy checks were added for all actions on tables in the Identity Panel only. And the service policy files imported are limited in this commit to reduce scope of the change. Additionally, changes were made to the base action class to add support or setting policy rules and an overridable method for determining the policy check target. This reduces the need for redundant code in each action policy check. Note, the benefit Horizon has is that the underlying APIs will correct us if we get it wrong, so if a policy file is not found for a particular service, permission is assumed and the actual API call to the service will fail if the action isn't authorized for that user. Finally, adding documentation regarding policy enforcement. Implements: blueprint rbac Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
91 lines
4.1 KiB
JSON
91 lines
4.1 KiB
JSON
{
|
|
"admin_required": [["role:admin"], ["is_admin:1"]],
|
|
"service_role": [["role:service"]],
|
|
"service_or_admin": [["rule:admin_required"], ["rule:service_role"]],
|
|
"owner" : [["user_id:%(user_id)s"]],
|
|
"admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
|
|
|
|
"default": [["rule:admin_required"]],
|
|
|
|
"identity:get_service": [["rule:admin_required"]],
|
|
"identity:list_services": [["rule:admin_required"]],
|
|
"identity:create_service": [["rule:admin_required"]],
|
|
"identity:update_service": [["rule:admin_required"]],
|
|
"identity:delete_service": [["rule:admin_required"]],
|
|
|
|
"identity:get_endpoint": [["rule:admin_required"]],
|
|
"identity:list_endpoints": [["rule:admin_required"]],
|
|
"identity:create_endpoint": [["rule:admin_required"]],
|
|
"identity:update_endpoint": [["rule:admin_required"]],
|
|
"identity:delete_endpoint": [["rule:admin_required"]],
|
|
|
|
"identity:get_domain": [["rule:admin_required"]],
|
|
"identity:list_domains": [["rule:admin_required"]],
|
|
"identity:create_domain": [["rule:admin_required"]],
|
|
"identity:update_domain": [["rule:admin_required"]],
|
|
"identity:delete_domain": [["rule:admin_required"]],
|
|
|
|
"identity:get_project": [["rule:admin_required"]],
|
|
"identity:list_projects": [["rule:admin_required"]],
|
|
"identity:list_user_projects": [["rule:admin_or_owner"]],
|
|
"identity:create_project": [["rule:admin_required"]],
|
|
"identity:update_project": [["rule:admin_required"]],
|
|
"identity:delete_project": [["rule:admin_required"]],
|
|
|
|
"identity:get_user": [["rule:admin_required"]],
|
|
"identity:list_users": [["rule:admin_required"]],
|
|
"identity:create_user": [["rule:admin_required"]],
|
|
"identity:update_user": [["rule:admin_or_owner"]],
|
|
"identity:delete_user": [["rule:admin_required"]],
|
|
|
|
"identity:get_group": [["rule:admin_required"]],
|
|
"identity:list_groups": [["rule:admin_required"]],
|
|
"identity:list_groups_for_user": [["rule:admin_or_owner"]],
|
|
"identity:create_group": [["rule:admin_required"]],
|
|
"identity:update_group": [["rule:admin_required"]],
|
|
"identity:delete_group": [["rule:admin_required"]],
|
|
"identity:list_users_in_group": [["rule:admin_required"]],
|
|
"identity:remove_user_from_group": [["rule:admin_required"]],
|
|
"identity:check_user_in_group": [["rule:admin_required"]],
|
|
"identity:add_user_to_group": [["rule:admin_required"]],
|
|
|
|
"identity:get_credential": [["rule:admin_required"]],
|
|
"identity:list_credentials": [["rule:admin_required"]],
|
|
"identity:create_credential": [["rule:admin_required"]],
|
|
"identity:update_credential": [["rule:admin_required"]],
|
|
"identity:delete_credential": [["rule:admin_required"]],
|
|
|
|
"identity:get_role": [["rule:admin_required"]],
|
|
"identity:list_roles": [["rule:admin_required"]],
|
|
"identity:create_role": [["rule:admin_required"]],
|
|
"identity:update_role": [["rule:admin_required"]],
|
|
"identity:delete_role": [["rule:admin_required"]],
|
|
|
|
"identity:check_grant": [["rule:admin_required"]],
|
|
"identity:list_grants": [["rule:admin_required"]],
|
|
"identity:create_grant": [["rule:admin_required"]],
|
|
"identity:revoke_grant": [["rule:admin_required"]],
|
|
|
|
"identity:list_role_assignments": [["rule:admin_required"]],
|
|
|
|
"identity:get_policy": [["rule:admin_required"]],
|
|
"identity:list_policies": [["rule:admin_required"]],
|
|
"identity:create_policy": [["rule:admin_required"]],
|
|
"identity:update_policy": [["rule:admin_required"]],
|
|
"identity:delete_policy": [["rule:admin_required"]],
|
|
|
|
"identity:check_token": [["rule:admin_required"]],
|
|
"identity:validate_token": [["rule:service_or_admin"]],
|
|
"identity:validate_token_head": [["rule:service_or_admin"]],
|
|
"identity:revocation_list": [["rule:service_or_admin"]],
|
|
"identity:revoke_token": [["rule:admin_or_owner"]],
|
|
|
|
"identity:create_trust": [["user_id:%(trust.trustor_user_id)s"]],
|
|
"identity:get_trust": [["rule:admin_or_owner"]],
|
|
"identity:list_trusts": [["@"]],
|
|
"identity:list_roles_for_trust": [["@"]],
|
|
"identity:check_role_for_trust": [["@"]],
|
|
"identity:get_role_for_trust": [["@"]],
|
|
"identity:delete_trust": [["@"]]
|
|
}
|