Fix artifical rbac policy constraint that resulted in 500s

Some of the endpoints are *highly* restricted in Ironic's newer,
more stringently enforced RBAC world. Some of these endpoints would
emit 500s by default when, in reality, the policy definition was
saying "only system scope may be used" for the endpoint; a 403 is
what should have been returned so that a client can properly
understand what is going on.

Change-Id: If5e13764dad886ba3ee1a848f3ff9f3279f4d7f6
Julia Kreger 2024-03-04 08:47:43 -08:00
parent 43861609a8
commit c6a4005049
3 changed files with 22 additions and 14 deletions


@ -1638,7 +1638,7 @@ conductor_policies = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='baremetal:conductor:get', name='baremetal:conductor:get',
check_str=SYSTEM_READER, check_str=SYSTEM_READER,
scope_types=['system'], scope_types=['system', 'project'],
description='Retrieve Conductor records', description='Retrieve Conductor records',
operations=[ operations=[
{'path': '/conductors', 'method': 'GET'}, {'path': '/conductors', 'method': 'GET'},
@ -1839,7 +1839,7 @@ deploy_template_policies = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='baremetal:deploy_template:get', name='baremetal:deploy_template:get',
check_str=SYSTEM_READER, check_str=SYSTEM_READER,
scope_types=['system'], scope_types=['system', 'project'],
description='Retrieve Deploy Template records', description='Retrieve Deploy Template records',
operations=[ operations=[
{'path': '/deploy_templates', 'method': 'GET'}, {'path': '/deploy_templates', 'method': 'GET'},
@ -1851,7 +1851,7 @@ deploy_template_policies = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='baremetal:deploy_template:create', name='baremetal:deploy_template:create',
check_str=SYSTEM_ADMIN, check_str=SYSTEM_ADMIN,
scope_types=['system'], scope_types=['system', 'project'],
description='Create Deploy Template records', description='Create Deploy Template records',
operations=[{'path': '/deploy_templates', 'method': 'POST'}], operations=[{'path': '/deploy_templates', 'method': 'POST'}],
deprecated_rule=deprecated_deploy_template_create deprecated_rule=deprecated_deploy_template_create
@ -1859,7 +1859,7 @@ deploy_template_policies = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='baremetal:deploy_template:delete', name='baremetal:deploy_template:delete',
check_str=SYSTEM_ADMIN, check_str=SYSTEM_ADMIN,
scope_types=['system'], scope_types=['system', 'project'],
description='Delete Deploy Template records', description='Delete Deploy Template records',
operations=[ operations=[
{'path': '/deploy_templates/{deploy_template_ident}', {'path': '/deploy_templates/{deploy_template_ident}',
@ -1870,7 +1870,7 @@ deploy_template_policies = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name='baremetal:deploy_template:update', name='baremetal:deploy_template:update',
check_str=SYSTEM_ADMIN, check_str=SYSTEM_ADMIN,
scope_types=['system'], scope_types=['system', 'project'],
description='Update Deploy Template records', description='Update Deploy Template records',
operations=[ operations=[
{'path': '/deploy_templates/{deploy_template_ident}', {'path': '/deploy_templates/{deploy_template_ident}',
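Review bot: Adding 'project' to scope_types on baremetal:conductor:get (and likewise on the four deploy_template rules in the hunks below it) means scope enforcement no longer rejects project-scoped tokens before check_str runs, so the SYSTEM_READER / SYSTEM_ADMIN check_str is now the only control keeping those tokens out; if I read oslo.policy's scope handling correctly, an operator who loosens check_str in a policy override would also open the endpoint to project scope, which the previous scope_types would still have blocked. That trade-off is the purpose of the change, but nothing in the rule says so, and the generated policy sample will advertise project scope for endpoints that no project-scoped token can actually use. I would add a comment above each changed scope_types line, e.g. `# 'project' is listed only so project-scoped tokens fail check_str with a 403 instead of tripping scope enforcement; the rule itself remains system-only.` The enclosing conductor_policies and deploy_template_policies lists start and end outside these hunks.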


@ -3383,19 +3383,19 @@ owner_reader_cannot_get_conductors:
path: '/v1/conductors' path: '/v1/conductors'
method: get method: get
headers: *owner_reader_headers headers: *owner_reader_headers
assert_status: 500 assert_status: 403
lessee_reader_cannot_get_conductors: lessee_reader_cannot_get_conductors:
path: '/v1/conductors' path: '/v1/conductors'
method: get method: get
headers: *lessee_reader_headers headers: *lessee_reader_headers
assert_status: 500 assert_status: 403
third_party_admin_cannot_get_conductors: third_party_admin_cannot_get_conductors:
path: '/v1/conductors' path: '/v1/conductors'
method: get method: get
headers: *third_party_admin_headers headers: *third_party_admin_headers
assert_status: 500 assert_status: 403
# Allocations - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations # Allocations - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations
@ -3631,19 +3631,19 @@ owner_reader_cannot_get_deploy_templates:
path: '/v1/deploy_templates' path: '/v1/deploy_templates'
method: get method: get
headers: *owner_reader_headers headers: *owner_reader_headers
assert_status: 500 assert_status: 403
lessee_reader_cannot_get_deploy_templates: lessee_reader_cannot_get_deploy_templates:
path: '/v1/deploy_templates' path: '/v1/deploy_templates'
method: get method: get
headers: *lessee_reader_headers headers: *lessee_reader_headers
assert_status: 500 assert_status: 403
third_party_admin_cannot_get_deploy_templates: third_party_admin_cannot_get_deploy_templates:
path: '/v1/deploy_templates' path: '/v1/deploy_templates'
method: get method: get
headers: *third_party_admin_headers headers: *third_party_admin_headers
assert_status: 500 assert_status: 403
third_party_admin_cannot_post_deploy_template: third_party_admin_cannot_post_deploy_template:
path: '/v1/deploy_templates' path: '/v1/deploy_templates'
@ -3656,20 +3656,20 @@ third_party_admin_cannot_post_deploy_template:
args: {} args: {}
priority: 0 priority: 0
headers: *third_party_admin_headers headers: *third_party_admin_headers
assert_status: 500 assert_status: 403
service_cannot_get_deploy_templates: service_cannot_get_deploy_templates:
path: '/v1/deploy_templates' path: '/v1/deploy_templates'
method: get method: get
headers: *service_headers headers: *service_headers
assert_status: 500 assert_status: 403
service_cannot_post_deploy_template: service_cannot_post_deploy_template:
path: '/v1/deploy_templates' path: '/v1/deploy_templates'
method: post method: post
body: *deploy_template body: *deploy_template
headers: *service_headers headers: *service_headers
assert_status: 500 assert_status: 403
# Chassis endpoints - https://docs.openstack.org/api-ref/baremetal/#chassis-chassis # Chassis endpoints - https://docs.openstack.org/api-ref/baremetal/#chassis-chassis
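Review bot: The flipped expectations cover the owner/lessee reader, third-party admin and service personas, but nothing in these hunks pins down that owner-admin or lessee-admin tokens are still refused with a 403 on the deploy_templates POST, PATCH and DELETE paths now that project scope is accepted by those rules. If such cases exist elsewhere in this file they presumably also changed from 500 to 403 and should be in this commit; if they do not exist, adding a case per persona in the same shape as `service_cannot_post_deploy_template` (same path and body, the file's owner-admin and lessee-admin header anchors, `assert_status: 403`) would exercise the newly reachable path. The test map continues outside these hunks.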


@ -0,0 +1,8 @@
---
fixes:
- |
Some of Ironic's API endpoints, when the new RBAC policy is being enforced,
were previously emitting *500* error codes when insufficent access rights were
being used, specifically because the policy required ``system`` scope. This
has been corrected, and the endpoints should now properly signal a *403* error
code if insufficient access rights are present for an authenticated requestor.