project scoped manager support

Adds support for a project manager role, which is a state between
project scoped admin and project scoped member.

Finally enabling this to be merged since the higher end goal/work finally
merged on March 1st.

Related: https://review.opendev.org/c/openstack/governance/+/815158
Change-Id: Ia35f4a4c3c2af68dc64bfe32f206e57056876dc7
Julia Kreger 2021-11-17 15:33:10 -08:00
parent 4e6a3d52ed
commit 0311ea7c92
4 changed files with 673 additions and 8 deletions


@ -62,6 +62,12 @@ Project Scoped
Project scoped authentication is when a request token and associated records Project scoped authentication is when a request token and associated records
indicate an associated ``project_id`` value. indicate an associated ``project_id`` value.
The Secure RBAC model, since the introduction of the base capability has been
extended as a result of an OpenStack community goal to include a ``manager``
role in the project scope. By default, this access is equivelent to a Project
scoped ``admin`` user, however it may be delineated further as time moves
forward.
Legacy Behavior Legacy Behavior
--------------- ---------------
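Review bot: the added doc paragraph misspells "equivalent" as "equivelent" (the line beginning "role in the project scope. By default, this access is equivelent"), and "it may be delineated further as time moves forward" withholds the one fact an operator needs from this change: for the node owner and lessee rules in this diff, ``manager`` is granted exactly where project ``admin`` is granted, nothing narrower. Suggest saying so directly, e.g. "A project scoped ``manager`` currently receives the same node access as a project scoped ``admin``; the separate role exists so that narrower rules can be introduced later", and noting that the distinction lives in the policy check strings (``role:manager``) rather than in any new capability. The opening sentence also reads better reordered: "The Secure RBAC model has been extended, since the introduction of the base capability, as a result of ..."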


@ -64,6 +64,13 @@ SYSTEM_READER = 'role:reader and system_scope:all'
# default volume type for a project) # default volume type for a project)
PROJECT_ADMIN = ('role:admin and ' PROJECT_ADMIN = ('role:admin and '
'project_id:%(node.owner)s') 'project_id:%(node.owner)s')
# This check string is reserved for an intermediate point between
# a Project Admin and a Project Member. This is an outcome of the
# revised Yoga Secure RBAC community goal.
# The advantage here may be that this rule *does* match against node owners
# and lessees.
PROJECT_MANAGER = ('role:manager and '
'(project_id:%(node.owner)s or project_id:%(node.lessee)s)')
# This check string is the primary use case for typical end-users, who are # This check string is the primary use case for typical end-users, who are
# working with resources that belong to a project (e.g., creating volumes and # working with resources that belong to a project (e.g., creating volumes and
# backups). # backups).
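Review bot: the comment above PROJECT_MANAGER hedges ("This check string is reserved for ...", "The advantage here may be ...") where the code is definite: the rule matches ``role:manager`` against either ``node.owner`` or ``node.lessee``, which none of the neighbouring ADMIN/MEMBER/READER strings do, and nothing in the visible hunks references PROJECT_MANAGER (the aggregate rules further down use PROJECT_OWNER_MANAGER and PROJECT_LESSEE_MANAGER instead). Either mark it "# Not used" the way ALLOCATION_OWNER_MANAGER is, or use it from the aggregate rules, and replace "may be" with the actual reason an owner-or-lessee match is wanted for a manager; as written it reads as an open question left in the policy file.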
@ -88,24 +95,30 @@ SYSTEM_OR_PROJECT_READER = (
) )
PROJECT_OWNER_ADMIN = ('role:admin and project_id:%(node.owner)s') PROJECT_OWNER_ADMIN = ('role:admin and project_id:%(node.owner)s')
PROJECT_OWNER_MANAGER = ('role:manager and project_id:%(node.owner)s')
PROJECT_OWNER_MEMBER = ('role:member and project_id:%(node.owner)s') PROJECT_OWNER_MEMBER = ('role:member and project_id:%(node.owner)s')
PROJECT_OWNER_READER = ('role:reader and project_id:%(node.owner)s') PROJECT_OWNER_READER = ('role:reader and project_id:%(node.owner)s')
PROJECT_LESSEE_ADMIN = ('role:admin and project_id:%(node.lessee)s') PROJECT_LESSEE_ADMIN = ('role:admin and project_id:%(node.lessee)s')
PROJECT_LESSEE_MANAGER = ('role:manager and project_id:%(node.lessee)s')
# Not used - Members can create/destroy their allocations.
ALLOCATION_OWNER_ADMIN = ('role:admin and project_id:%(allocation.owner)s') ALLOCATION_OWNER_ADMIN = ('role:admin and project_id:%(allocation.owner)s')
# Not used - Members can create/destroy their allocations.
ALLOCATION_OWNER_MANAGER = ('role:manager and project_id:%(allocation.owner)s')
ALLOCATION_OWNER_MEMBER = ('role:member and project_id:%(allocation.owner)s') ALLOCATION_OWNER_MEMBER = ('role:member and project_id:%(allocation.owner)s')
ALLOCATION_OWNER_READER = ('role:reader and project_id:%(allocation.owner)s') ALLOCATION_OWNER_READER = ('role:reader and project_id:%(allocation.owner)s')
SYSTEM_OR_OWNER_MEMBER_AND_LESSEE_ADMIN = ( SYSTEM_OR_OWNER_MEMBER_AND_LESSEE_ADMIN = (
'(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_MEMBER + ') or (' + PROJECT_LESSEE_ADMIN + ')' # noqa '(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_MEMBER + ') or (' + PROJECT_LESSEE_ADMIN + ') or (' + PROJECT_LESSEE_MANAGER + ')' # noqa
) )
SYSTEM_ADMIN_OR_OWNER_ADMIN = ( SYSTEM_ADMIN_OR_OWNER_ADMIN = (
'(' + SYSTEM_ADMIN + ') or (' + PROJECT_OWNER_ADMIN + ')' '(' + SYSTEM_ADMIN + ') or (' + PROJECT_OWNER_ADMIN + ') or (' + PROJECT_OWNER_MANAGER + ')' # noqa
) )
SYSTEM_MEMBER_OR_OWNER_ADMIN = ( SYSTEM_MEMBER_OR_OWNER_ADMIN = (
'(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_ADMIN + ')' '(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_ADMIN + ') or (' + PROJECT_OWNER_MANAGER + ')' # noqa
) )
SYSTEM_MEMBER_OR_OWNER_MEMBER = ( SYSTEM_MEMBER_OR_OWNER_MEMBER = (
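Review bot: after this hunk SYSTEM_ADMIN_OR_OWNER_ADMIN and SYSTEM_MEMBER_OR_OWNER_ADMIN also match PROJECT_OWNER_MANAGER, and SYSTEM_OR_OWNER_MEMBER_AND_LESSEE_ADMIN also matches PROJECT_LESSEE_MANAGER, so the rule names no longer describe what they grant; someone later auditing which roles can perform admin actions on a node and searching for ADMIN will miss ``manager`` entirely. Add a comment at the head of the aggregate block stating that ``manager`` is intentionally admin-equivalent on node owner and lessee rules (the doc hunk says this; the policy file should say it where the grant happens). Separately, the "# Not used - Members can create/destroy their allocations." comment now sits above the new ALLOCATION_OWNER_MANAGER and no longer above ALLOCATION_OWNER_ADMIN, so the visible lines no longer say whether ALLOCATION_OWNER_ADMIN is still unused; keep the comment on both or reword it to cover both.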
@ -117,7 +130,7 @@ SYSTEM_OR_OWNER_READER = (
) )
SYSTEM_MEMBER_OR_OWNER_LESSEE_ADMIN = ( SYSTEM_MEMBER_OR_OWNER_LESSEE_ADMIN = (
'(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_ADMIN + ') or (' + PROJECT_LESSEE_ADMIN + ')' # noqa '(' + SYSTEM_MEMBER + ') or (' + PROJECT_OWNER_ADMIN + ') or (' + PROJECT_OWNER_MANAGER + ') or (' + PROJECT_LESSEE_ADMIN + ') or (' + PROJECT_LESSEE_MANAGER + ')' # noqa
) )
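Review bot: SYSTEM_MEMBER_OR_OWNER_LESSEE_ADMIN now lists PROJECT_OWNER_MANAGER and PROJECT_LESSEE_MANAGER as separate terms, which is exactly the disjunction PROJECT_MANAGER already encodes earlier in the file (``role:manager and (project_id:%(node.owner)s or project_id:%(node.lessee)s)``). Using PROJECT_MANAGER here would shorten the line and make that one definition the single place the manager rule is maintained; if the split is deliberate so that owner and lessee manager can diverge later, say so in a comment next to PROJECT_MANAGER rather than leaving a duplicate rule with no explanation.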

File diff suppressed because it is too large.


@ -0,0 +1,8 @@
---
features:
- |
Adds a default ``project`` scoped ``manager`` role to the RBAC model.
In the ironic model, access is generally explicitly delegated, and such
the ``manager`` role is presently equivelent to project scoped ``admin``
role, however future delineation may occur as the new features and
capabilities are added.
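Review bot: two typos in the added note, "equivelent" should be "equivalent" and "and such the" should be "and as such the". More importantly, the first sentence says this "Adds a default ``project`` scoped ``manager`` role to the RBAC model", but the policy hunks in this change only add check strings that match ``role:manager``; nothing visible creates a role. Suggest "Adds policy support for the project scoped ``manager`` role" so that operators understand the role must still be assigned in keystone before these rules grant anything. The clause "access is generally explicitly delegated" would also read better with a comma before "as such".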