Add scope checks to common system role definitions
Until keystone defaults ``keystone.conf [oslo_policy] enforce_scope=True`` we really should make sure we explicitly declare a system specific scope check in the new system policies. This is important because it prevents an authoritative regression when operators upgrade.

For example, if identity:get_domain's current check string is ``rule:admin_required`` and it's deprecated to be ``role:reader`` with enforce_scope=True, then we've successfully exposed more functionality to system users who have enforce_scope set to True. If they don't, which is likely since enforce_scope defaults to False, then it is possible for users with the reader role on a project to access an API that was traditionally meant for only system administrators. This is because oslo.policy will OR the old default and the new default on upgrade to smooth the transition.

Note that the explicit scope checks in the actual check strings should be removed once keystone sets enforce_scope=True by default. Until then, we'll need something like this to keep from opening up administrative APIs.

Change-Id: I0e1f55dc6c18437b3356f9a2facfc95ecd1864e0
parent 6975bf969b
commit f4162e3680
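The upgrade behaviour the commit message describes, as an added example written for this page (it is not keystone or oslo.policy code): a small model of how a deprecated default is OR'd with its replacement, and how ``enforce_scope`` changes who gets through. The ``admin_required`` alias, the constructed token credentials and the evaluator itself are assumptions; the evaluator covers only the ``role:``, ``system_scope:`` and ``rule:`` checks joined by ``and``/``or``.

```python
"""Model of oslo.policy's deprecation behaviour (added illustration, not
keystone or oslo.policy code): during a deprecation window the *effective*
check is ``new_default or deprecated_default``, and ``enforce_scope`` only
adds a token-scope gate in front of it.  The evaluator handles just the
``role:``, ``system_scope:`` and ``rule:`` checks joined by ``and``/``or``,
with ``and`` binding tighter than ``or``, as in oslo.policy's grammar."""
import re

# Rule aliases reachable via ``rule:<name>``. ``admin_required`` mirrors the
# legacy alias named in the commit message (assumed to expand to role:admin).
RULES = {"admin_required": "role:admin"}


def evaluate(check_str, creds):
    """Return True if ``creds`` satisfy ``check_str`` (no parentheses)."""
    for disjunct in re.split(r"\s+or\s+", check_str.strip()):
        if all(_atom(atom, creds) for atom in re.split(r"\s+and\s+", disjunct)):
            return True
    return False


def _atom(atom, creds):
    kind, _, value = atom.strip().partition(":")
    if kind == "rule":
        return evaluate(RULES[value], creds)
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "system_scope":
        # Only system-scoped tokens carry a ``system_scope`` attribute.
        return creds.get("system_scope") == value
    raise ValueError(f"unsupported check: {atom!r}")


def effective_check(new_default, deprecated_default):
    """The check enforced while a default is deprecated: both are OR'd so
    deployments keep working until operators update their overrides."""
    return f"{new_default} or {deprecated_default}"


def authorize(new_default, deprecated_default, creds, enforce_scope,
              scope_types=("system",)):
    """With enforce_scope=True, tokens whose scope is not in ``scope_types``
    are rejected before any check string runs; with False that gate is off."""
    if enforce_scope and creds["scope"] not in scope_types:
        return False
    return evaluate(effective_check(new_default, deprecated_default), creds)


# Constructed credential dicts standing in for keystone's token context.
PROJECT_READER = {"roles": ["reader"], "scope": "project", "project_id": "p1"}
PROJECT_ADMIN = {"roles": ["admin"], "scope": "project", "project_id": "p1"}
SYSTEM_READER_TOKEN = {"roles": ["reader"], "scope": "system",
                       "system_scope": "all"}
TOKENS = {"project_reader": PROJECT_READER, "project_admin": PROJECT_ADMIN,
          "system_reader": SYSTEM_READER_TOKEN}

# The two candidate replacements for a rule:admin_required default.
CANDIDATES = {"unscoped": "role:reader",
              "scoped": "role:reader and system_scope:all"}


def demo():
    """Map (candidate, enforce_scope, token) -> allowed? for the
    identity:get_domain transition described in the commit message."""
    return {(label, enforce, name): authorize(new, "rule:admin_required",
                                              creds, enforce)
            for label, new in CANDIDATES.items()
            for enforce in (False, True)
            for name, creds in TOKENS.items()}


if __name__ == "__main__":
    for (label, enforce, name), allowed in sorted(demo().items()):
        print(f"{label:8} enforce_scope={enforce!s:5} {name:15} -> {allowed}")
```

The row to look at is ``unscoped`` / ``enforce_scope=False`` / ``project_reader``: it is allowed, because the OR'd ``role:reader`` alone matches a project token. The ``scoped`` variant denies that token while still admitting a project admin through the deprecated ``rule:admin_required`` branch, which is the compatibility the deprecation window is meant to preserve.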
@ -29,8 +29,21 @@ RULE_REVOKE_EVENT_OR_ADMIN = 'rule:revoke_event_or_admin'
RULE_SERVICE_ADMIN_OR_TOKEN_SUBJECT = 'rule:service_admin_or_token_subject'
RULE_SERVICE_OR_ADMIN = 'rule:service_or_admin'
RULE_TRUST_OWNER = 'user_id:%(trust.trustor_user_id)s'
READER_ROLE = 'role:reader'
ADMIN_ROLE = 'role:admin'
# We are explicitly setting system_scope:all in these check strings because
# they provide backwards compatibility in the event a deployment sets
# ``keystone.conf [oslo_policy] enforce_scope = False``, which the default.
# Otherwise, this might open up APIs to be more permissive unintentionally if a
# deployment isn't enforcing scope. For example, the identity:get_endpoint
# policy might be ``rule:admin_required`` today and eventually ``role:reader``
# enforcing system scoped tokens. Until enforce_scope=True by default, it would
# be possible for users with the ``reader`` role on a project to access an API
# traditionally reserved for system administrators. Once keystone defaults
# ``keystone.conf [oslo_policy] enforce_scope=True``, the ``system_scope:all``
# bits of these check strings can be removed since that will be handled
# automatically by scope_types in oslo.policy's RuleDefault objects.
SYSTEM_READER = 'role:reader and system_scope:all'
SYSTEM_ADMIN = 'role:admin and system_scope:all'
rules = [
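Review bot: typo in the new comment block, "which the default" should read "which is the default", and the worked example there uses identity:get_endpoint while the commit message uses identity:get_domain; pick one so the comment and the message stay consistent. Also, READER_ROLE and ADMIN_ROLE remain defined right next to SYSTEM_READER and SYSTEM_ADMIN; if the domain policies were their only users after this change, drop them, otherwise add a comment saying they are only for project-scoped policies, so nobody reaches for the unscoped constant when adding a new system policy.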
@ -64,7 +64,7 @@ domain_policies = [
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'list_domains',
check_str=base.READER_ROLE,
check_str=base.SYSTEM_READER,
scope_types=['system'],
description='List domains.',
operations=[{'path': '/v3/domains',
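Review bot: the regression this guards against is only proven if a test exercises it; add a protection test for identity:list_domains asserting that a project-scoped token holding only the reader role is denied when enforce_scope=False (the deprecated rule:admin_required is OR'd in, so only role:admin tokens should still pass on the legacy path) and that a system-scoped reader is allowed. Without that test, a later edit could swap base.SYSTEM_READER back to base.READER_ROLE and nothing would fail.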
@ -74,7 +74,7 @@ domain_policies = [
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'create_domain',
check_str=base.ADMIN_ROLE,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Create domain.',
operations=[{'path': '/v3/domains',
@ -84,7 +84,7 @@ domain_policies = [
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'update_domain',
check_str=base.ADMIN_ROLE,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Update domain.',
operations=[{'path': '/v3/domains/{domain_id}',
@ -94,7 +94,7 @@ domain_policies = [
deprecated_since=versionutils.deprecated.STEIN),
policy.DocumentedRuleDefault(
name=base.IDENTITY % 'delete_domain',
check_str=base.ADMIN_ROLE,
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description='Delete domain.',
operations=[{'path': '/v3/domains/{domain_id}',
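Review bot: for identity:delete_domain, confirm that the deprecated rule OR'd with base.SYSTEM_ADMIN is still the pre-Stein rule:admin_required; that OR is the only thing keeping project-scoped admins working during the deprecation window the commit message relies on, and without it this hunk turns the most destructive domain operation into a hard 403 for every existing administrator as soon as they upgrade with enforce_scope=False. Worth a dedicated test alongside the one for list_domains.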