Implement system scoped RBAC for chassis
This commit updates the policies for baremetal chassis to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. Change-Id: I5ecb44a389b057519599c7b812f8c913db4f085a
This commit is contained in:
Lance Bragstad
Julia Kreger
parent
4fe64c9702
commit
eb8d7d6a8e
|
|
@ -830,29 +830,72 @@ portgroup_policies = [
|
|||
),
|
||||
]
|
||||
|
||||
|
||||
deprecated_chassis_get = policy.DeprecatedRule(
|
||||
name='baremetal:chassis:get',
|
||||
check_str='rule:is_admin or rule:is_observer'
|
||||
)
|
||||
deprecated_chassis_create = policy.DeprecatedRule(
|
||||
name='baremetal:chassis:create',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_chassis_delete = policy.DeprecatedRule(
|
||||
name='baremetal:chassis:delete',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_chassis_update = policy.DeprecatedRule(
|
||||
name='baremetal:chassis:update',
|
||||
check_str='rule:is_admin'
|
||||
)
|
||||
deprecated_chassis_reason = """
|
||||
The baremetal chassis API is now aware of system scope and default roles.
|
||||
"""
|
||||
|
||||
chassis_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:chassis:get',
|
||||
'rule:is_admin or rule:is_observer',
|
||||
'Retrieve Chassis records',
|
||||
[{'path': '/chassis', 'method': 'GET'},
|
||||
{'path': '/chassis/detail', 'method': 'GET'},
|
||||
{'path': '/chassis/{chassis_id}', 'method': 'GET'}]),
|
||||
name='baremetal:chassis:get',
|
||||
check_str=SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='Retrieve Chassis records',
|
||||
operations=[
|
||||
{'path': '/chassis', 'method': 'GET'},
|
||||
{'path': '/chassis/detail', 'method': 'GET'},
|
||||
{'path': '/chassis/{chassis_id}', 'method': 'GET'}
|
||||
],
|
||||
deprecated_rule=deprecated_chassis_get,
|
||||
deprecated_reason=deprecated_chassis_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:chassis:create',
|
||||
'rule:is_admin',
|
||||
'Create Chassis records',
|
||||
[{'path': '/chassis', 'method': 'POST'}]),
|
||||
name='baremetal:chassis:create',
|
||||
check_str=SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Create Chassis records',
|
||||
operations=[{'path': '/chassis', 'method': 'POST'}],
|
||||
deprecated_rule=deprecated_chassis_create,
|
||||
deprecated_reason=deprecated_chassis_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:chassis:delete',
|
||||
'rule:is_admin',
|
||||
'Delete Chassis records',
|
||||
[{'path': '/chassis/{chassis_id}', 'method': 'DELETE'}]),
|
||||
name='baremetal:chassis:delete',
|
||||
check_str=SYSTEM_ADMIN,
|
||||
scope_types=['system'],
|
||||
description='Delete Chassis records',
|
||||
operations=[{'path': '/chassis/{chassis_id}', 'method': 'DELETE'}],
|
||||
deprecated_rule=deprecated_chassis_delete,
|
||||
deprecated_reason=deprecated_chassis_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
'baremetal:chassis:update',
|
||||
'rule:is_admin',
|
||||
'Update Chassis records',
|
||||
[{'path': '/chassis/{chassis_id}', 'method': 'PATCH'}]),
|
||||
name='baremetal:chassis:update',
|
||||
check_str=SYSTEM_MEMBER,
|
||||
scope_types=['system'],
|
||||
description='Update Chassis records',
|
||||
operations=[{'path': '/chassis/{chassis_id}', 'method': 'PATCH'}],
|
||||
deprecated_rule=deprecated_chassis_update,
|
||||
deprecated_reason=deprecated_chassis_reason,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
]
|
||||
|
||||
driver_policies = [
|
||||
|
|
|
|||
|
|
@ -2049,6 +2049,7 @@ chassis_post_admin:
|
|||
body: &chassis_body
|
||||
description: 'test-chassis'
|
||||
assert_status: 201
|
||||
deprecated: true
|
||||
|
||||
chassis_post_member:
|
||||
path: '/v1/chassis'
|
||||
|
|
@ -2056,6 +2057,7 @@ chassis_post_member:
|
|||
headers: *member_headers
|
||||
body: *chassis_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
chassis_post_observer:
|
||||
path: '/v1/chassis'
|
||||
|
|
@ -2063,60 +2065,70 @@ chassis_post_observer:
|
|||
headers: *observer_headers
|
||||
body: *chassis_body
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
chassis_get_admin:
|
||||
path: '/v1/chassis'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
chassis_get_member:
|
||||
path: '/v1/chassis'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
chassis_get_observer:
|
||||
path: '/v1/chassis'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
chassis_detail_get_admin:
|
||||
path: '/v1/chassis/detail'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
chassis_detail_get_member:
|
||||
path: '/v1/chassis/detail'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
chassis_detail_get_observer:
|
||||
path: '/v1/chassis/detail'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
chassis_chassis_id_get_admin:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
chassis_chassis_id_get_member:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: get
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
chassis_chassis_id_get_observer:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
chassis_chassis_id_patch_admin:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
|
|
@ -2127,6 +2139,7 @@ chassis_chassis_id_patch_admin:
|
|||
value: meow
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
deprecated: true
|
||||
|
||||
chassis_chassis_id_patch_member:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
|
|
@ -2134,6 +2147,7 @@ chassis_chassis_id_patch_member:
|
|||
body: *chassis_patch
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
chassis_chassis_id_patch_observer:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
|
|
@ -2141,21 +2155,25 @@ chassis_chassis_id_patch_observer:
|
|||
body: *chassis_patch
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
chassis_chassis_id_delete_admin:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: delete
|
||||
headers: *admin_headers
|
||||
assert_status: 204
|
||||
deprecated: true
|
||||
|
||||
chassis_chassis_id_delete_member:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: delete
|
||||
headers: *member_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
||||
chassis_chassis_id_delete_observer:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: delete
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
deprecated: true
|
||||
|
|
|
|||
|
|
@ -2025,7 +2025,6 @@ chassis_post_admin:
|
|||
body: &chassis_body
|
||||
description: 'test-chassis'
|
||||
assert_status: 201
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_post_member:
|
||||
path: '/v1/chassis'
|
||||
|
|
@ -2033,78 +2032,67 @@ chassis_post_member:
|
|||
headers: *scoped_member_headers
|
||||
body: *chassis_body
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_post_member:
|
||||
chassis_post_observer:
|
||||
path: '/v1/chassis'
|
||||
method: post
|
||||
headers: *observer_headers
|
||||
body: *chassis_body
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_get_admin:
|
||||
path: '/v1/chassis'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_get_member:
|
||||
path: '/v1/chassis'
|
||||
method: get
|
||||
headers: *scoped_member_headers
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
assert_status: 200
|
||||
|
||||
chassis_get_observer:
|
||||
path: '/v1/chassis'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_detail_get_admin:
|
||||
path: '/v1/chassis/detail'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_detail_get_member:
|
||||
path: '/v1/chassis/detail'
|
||||
method: get
|
||||
headers: *scoped_member_headers
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
assert_status: 200
|
||||
|
||||
chassis_detail_get_observer:
|
||||
path: '/v1/chassis/detail'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_chassis_id_get_admin:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: get
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_chassis_id_get_member:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: get
|
||||
headers: *scoped_member_headers
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
assert_status: 200
|
||||
|
||||
chassis_chassis_id_get_observer:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: get
|
||||
headers: *observer_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_chassis_id_patch_admin:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
|
|
@ -2115,15 +2103,13 @@ chassis_chassis_id_patch_admin:
|
|||
value: meow
|
||||
headers: *admin_headers
|
||||
assert_status: 200
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_chassis_id_patch_member:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: patch
|
||||
body: *chassis_patch
|
||||
headers: *scoped_member_headers
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
assert_status: 200
|
||||
|
||||
chassis_chassis_id_patch_observer:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
|
|
@ -2131,25 +2117,21 @@ chassis_chassis_id_patch_observer:
|
|||
body: *chassis_patch
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_chassis_id_delete_admin:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: delete
|
||||
headers: *admin_headers
|
||||
assert_status: 204
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_chassis_id_delete_member:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: delete
|
||||
headers: *scoped_member_headers
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
|
||||
chassis_chassis_id_delete_observer:
|
||||
path: '/v1/chassis/{chassis_ident}'
|
||||
method: delete
|
||||
headers: *observer_headers
|
||||
assert_status: 403
|
||||
skip_reason: not updated for scope testing
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ features:
|
|||
- |
|
||||
The Baremetal API, provided by the ironic-api process, now supports use of
|
||||
``system`` scoped ``keystone`` authentication for the following endpoints:
|
||||
nodes, ports, portgroups
|
||||
nodes, ports, portgroups, chassis
|
||||
upgrade:
|
||||
- |
|
||||
Deprecated policy rules are not expressed via a default policy file
|
||||
|
|
|
|||
Loading…
Reference in New Issue