Implement system scoped RBAC for the event APIs

This commit updates the policies for baremetal event policies to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. Change-Id: I9543b0524f2e85eae0d4fd4331ea1ed9a66322d8
2020-11-18 21:55:57 +00:00 · 2020-11-18 21:55:57 +00:00 · 046e99c0b4
parent d146064cb5
commit 046e99c0b4
3 changed files with 47 additions and 5 deletions
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@ -1292,12 +1292,27 @@ allocation_policies = [
    ),
 ]

+
+deprecated_event_create = policy.DeprecatedRule(
+    name='baremetal:events:post',
+    check_str='rule:is_admin'
+)
+deprecated_event_reason = """
+The baremetal event API is now aware of system scope and default
+roles.
+"""
+
 event_policies = [
    policy.DocumentedRuleDefault(
-        'baremetal:events:post',
-        'rule:is_admin',
-        'Post events',
-        [{'path': '/events', 'method': 'POST'}])
+        name='baremetal:events:post',
+        check_str=SYSTEM_ADMIN,
+        scope_types=['system'],
+        description='Post events',
+        operations=[{'path': '/events', 'method': 'POST'}],
+        deprecated_rule=deprecated_event_create,
+        deprecated_reason=deprecated_event_reason,
+        deprecated_since=versionutils.deprecated.WALLABY
+    )
 ]


--- a/ironic/tests/unit/api/controllers/v1/test_event.py
+++ b/ironic/tests/unit/api/controllers/v1/test_event.py
@ -14,6 +14,10 @@ Tests for the API /events methods.
 """

 from http import client as http_client
+from unittest import mock
+
+from keystonemiddleware import auth_token
+from oslo_config import cfg

 from ironic.api.controllers import base as api_base
 from ironic.api.controllers.v1 import event
@ -214,3 +218,26 @@ class TestPost(test_api_base.BaseApiTest):
        self.assertEqual(http_client.NOT_FOUND, response.status_int)
        self.assertEqual('application/json', response.content_type)
        self.assertTrue(response.json['error_message'])
+
+
+@mock.patch.object(auth_token.AuthProtocol, 'process_request',
+                   lambda *_: None)
+class TestPostRBAC(TestPost):
+
+    """Test class to execute the Event post tests with RBAC enforcement."""
+    def setUp(self):
+        super(TestPostRBAC, self).setUp()
+
+        cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')
+        cfg.CONF.set_override('enforce_new_defaults', True,
+                              group='oslo_policy')
+        cfg.CONF.set_override('auth_strategy', 'keystone')
+        # Headers required for this to pass in system scope restricted
+        # authentication, as our default for api tests is noauth.
+        self.headers = {
+            api_base.Version.string: str(
+                versions.max_version_string()),
+            'X-Auth-Token': 'test-auth-token',
+            'X-Roles': 'admin',
+            'OpenStack-System-Scope': 'all',
+        }
--- a/releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml
+++ b/releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml
@ -4,7 +4,7 @@ features:
    The Baremetal API, provided by the ironic-api process, now supports use of
    ``system`` scoped ``keystone`` authentication for the following endpoints:
    nodes, ports, portgroups, chassis, drivers, driver vendor passthru,
-    volume targets, volume connectors, conductors, allocations
+    volume targets, volume connectors, conductors, allocations, events
 upgrade:
  - |
    Deprecated policy rules are not expressed via a default policy file