openstack/manila
Code Issues Proposed changes

Merge "Implement secure RBAC for group snapshots"

Browse Source
This commit is contained in:
Zuul 2021-03-09 17:17:20 +00:00 committed by Gerrit Code Review
commit 217438084b
1 changed files with 89 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
manila/policies/share_group_snapshot.py
View File

@ -10,6 +10,7 @@
# License for the specific language governing permissions and limitations # License for the specific language governing permissions and limitations
# under the License. # under the License.
from oslo_log import versionutils
from oslo_policy import policy from oslo_policy import policy
from manila.policies import base from manila.policies import base
@ -17,31 +18,75 @@ from manila.policies import base
BASE_POLICY_NAME = 'share_group_snapshot:%s' BASE_POLICY_NAME = 'share_group_snapshot:%s'
DEPRECATED_REASON = """
The share group snapshots API now supports system scope and default roles.
"""
deprecated_group_snapshot_create = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'create',
check_str=base.RULE_DEFAULT
)
deprecated_group_snapshot_get = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'get',
check_str=base.RULE_DEFAULT
)
deprecated_group_snapshot_get_all = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'get_all',
check_str=base.RULE_DEFAULT
)
deprecated_group_snapshot_update = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'update',
check_str=base.RULE_DEFAULT
)
deprecated_group_snapshot_delete = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'delete',
check_str=base.RULE_DEFAULT
)
deprecated_group_snapshot_force_delete = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'force_delete',
check_str=base.RULE_ADMIN_API
)
deprecated_group_snapshot_reset_status = policy.DeprecatedRule(
name=BASE_POLICY_NAME % 'reset_status',
check_str=base.RULE_ADMIN_API
)
share_group_snapshot_policies = [ share_group_snapshot_policies = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'create', name=BASE_POLICY_NAME % 'create',
check_str=base.RULE_DEFAULT, check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description="Create a new share group snapshot.", description="Create a new share group snapshot.",
operations=[ operations=[
{ {
'method': 'POST', 'method': 'POST',
'path': '/share-group-snapshots' 'path': '/share-group-snapshots'
} }
]), ],
deprecated_rule=deprecated_group_snapshot_create,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'get', name=BASE_POLICY_NAME % 'get',
check_str=base.RULE_DEFAULT, check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
description="Get details of a share group snapshot.", description="Get details of a share group snapshot.",
operations=[ operations=[
{ {
'method': 'GET', 'method': 'GET',
'path': '/share-group-snapshots/{share_group_snapshot_id}' 'path': '/share-group-snapshots/{share_group_snapshot_id}'
} }
]), ],
deprecated_rule=deprecated_group_snapshot_get,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'get_all', name=BASE_POLICY_NAME % 'get_all',
check_str=base.RULE_DEFAULT, check_str=base.SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
description="Get all share group snapshots.", description="Get all share group snapshots.",
operations=[ operations=[
{ {
@ -60,30 +105,48 @@ share_group_snapshot_policies = [
'method': 'GET', 'method': 'GET',
'path': '/share-group-snapshots/detail?{query}' 'path': '/share-group-snapshots/detail?{query}'
} }
]), ],
deprecated_rule=deprecated_group_snapshot_get_all,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'update', name=BASE_POLICY_NAME % 'update',
check_str=base.RULE_DEFAULT, check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description="Update a share group snapshot.", description="Update a share group snapshot.",
operations=[ operations=[
{ {
'method': 'PUT', 'method': 'PUT',
'path': '/share-group-snapshots/{share_group_snapshot_id}' 'path': '/share-group-snapshots/{share_group_snapshot_id}'
} }
]), ],
deprecated_rule=deprecated_group_snapshot_update,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'delete', name=BASE_POLICY_NAME % 'delete',
check_str=base.RULE_DEFAULT, check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
description="Delete a share group snapshot.", description="Delete a share group snapshot.",
operations=[ operations=[
{ {
'method': 'DELETE', 'method': 'DELETE',
'path': '/share-group-snapshots/{share_group_snapshot_id}' 'path': '/share-group-snapshots/{share_group_snapshot_id}'
} }
]), ],
deprecated_rule=deprecated_group_snapshot_delete,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'force_delete', name=BASE_POLICY_NAME % 'force_delete',
check_str=base.RULE_ADMIN_API, # NOTE(lbragstad): This might make a good candidate for as a project
# administrator operation if it doesn't require any information that
# would violate tenancy
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description="Force delete a share group snapshot.", description="Force delete a share group snapshot.",
operations=[ operations=[
{ {
@ -91,10 +154,18 @@ share_group_snapshot_policies = [
'path': '/share-group-snapshots/{share_group_snapshot_id}/' 'path': '/share-group-snapshots/{share_group_snapshot_id}/'
'action' 'action'
} }
]), ],
deprecated_rule=deprecated_group_snapshot_force_delete,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
name=BASE_POLICY_NAME % 'reset_status', name=BASE_POLICY_NAME % 'reset_status',
check_str=base.RULE_ADMIN_API, # NOTE(lbragstad): This might make a good candidate for as a project
# administrator operation if it doesn't require any information that
# would violate tenancy
check_str=base.SYSTEM_ADMIN,
scope_types=['system'],
description="Reset a share group snapshot's status.", description="Reset a share group snapshot's status.",
operations=[ operations=[
{ {
@ -102,7 +173,11 @@ share_group_snapshot_policies = [
'path': '/share-group-snapshots/{share_group_snapshot_id}/' 'path': '/share-group-snapshots/{share_group_snapshot_id}/'
'action' 'action'
} }
]), ],
deprecated_rule=deprecated_group_snapshot_reset_status,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY
),
] ]