From 904089f308df1015822f58911e2060d43820013a Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 19 Nov 2020 20:37:00 +0000
Subject: [PATCH] Implement secure RBAC for share type extra spec

This commit updates the policies for share type extra spec to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security.

Change-Id: Ib2f71bdbe22f092016df25a7118abf3337f8cb8d
---
 manila/policies/share_types_extra_spec.py | 72 +++++++++++++++++++----
 1 file changed, 62 insertions(+), 10 deletions(-)

diff --git a/manila/policies/share_types_extra_spec.py b/manila/policies/share_types_extra_spec.py
index 67fc460c1c..51bb36cfb0 100644
--- a/manila/policies/share_types_extra_spec.py
+++ b/manila/policies/share_types_extra_spec.py
@@ -10,6 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from manila.policies import base
@@ -17,57 +18,108 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_types_extra_spec:%s'
+DEPRECATED_REASON = """
+The share types extra specs API now supports system scope and default roles.
+"""
+
+deprecated_extra_spec_create = policy.DeprecatedRule(
+ name=BASE_POLICY_NAME % 'create',
+ check_str=base.RULE_ADMIN_API
+)
+deprecated_extra_spec_show = policy.DeprecatedRule(
+ name=BASE_POLICY_NAME % 'show',
+ check_str=base.RULE_ADMIN_API
+)
+deprecated_extra_spec_index = policy.DeprecatedRule(
+ name=BASE_POLICY_NAME % 'index',
+ check_str=base.RULE_ADMIN_API
+)
+deprecated_extra_spec_update = policy.DeprecatedRule(
+ name=BASE_POLICY_NAME % 'update',
+ check_str=base.RULE_ADMIN_API
+)
+deprecated_extra_spec_delete = policy.DeprecatedRule(
+ name=BASE_POLICY_NAME % 'delete',
+ check_str=base.RULE_ADMIN_API
+)
+
+
 share_types_extra_spec_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'create',
- check_str=base.RULE_ADMIN_API,
+ check_str=base.SYSTEM_ADMIN,
+ scope_types=['system'],
 description="Create share type extra spec.",
 operations=[
 {
 'method': 'POST',
 'path': '/types/{share_type_id}/extra_specs',
 }
- ]),
+ ],
+ deprecated_rule=deprecated_extra_spec_create,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+ ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.RULE_ADMIN_API,
+ check_str=base.SYSTEM_READER,
+ scope_types=['system'],
 description="Get share type extra specs of a given share type.",
 operations=[
 {
 'method': 'GET',
 'path': '/types/{share_type_id}/extra_specs',
 }
- ]),
+ ],
+ deprecated_rule=deprecated_extra_spec_show,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+ ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.RULE_ADMIN_API,
+ check_str=base.SYSTEM_READER,
+ scope_types=['system'],
 description="Get details of a share type extra spec.",
 operations=[
 {
 'method': 'GET',
 'path': '/types/{share_type_id}/extra_specs/{extra_spec_id}',
 },
- ]),
+ ],
+ deprecated_rule=deprecated_extra_spec_index,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+ ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'update',
- check_str=base.RULE_ADMIN_API,
+ check_str=base.SYSTEM_ADMIN,
+ scope_types=['system'],
 description="Update share type extra spec.",
 operations=[
 {
 'method': 'PUT',
 'path': '/types/{share_type_id}/extra_specs',
 }
- ]),
+ ],
+ deprecated_rule=deprecated_extra_spec_update,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+ ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'delete',
- check_str=base.RULE_ADMIN_API,
+ check_str=base.SYSTEM_ADMIN,
+ scope_types=['system'],
 description="Delete share type extra spec.",
 operations=[
 {
 'method': 'DELETE',
 'path': '/types/{share_type_id}/extra_specs/{key}',
 }
- ]),
+ ],
+ deprecated_rule=deprecated_extra_spec_delete,
+ deprecated_reason=DEPRECATED_REASON,
+ deprecated_since=versionutils.deprecated.WALLABY
+ ),
 ]
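Review bot: The tightening to `base.SYSTEM_ADMIN`/`base.SYSTEM_READER` with `scope_types=['system']` is not enforced on its own: because every rule in this hunk carries a `deprecated_rule` whose check is still `base.RULE_ADMIN_API`, oslo.policy (as far as I know) keeps accepting the old admin check alongside the new one and only warns on scope mismatches until the operator sets `[oslo_policy] enforce_new_defaults` and `enforce_scope`. Nothing in the module records that, so a reader may assume the read-only reader role and the system-scope restriction are live as soon as this merges; a comment above `DEPRECATED_REASON` such as `# The SYSTEM_* defaults below only take effect once [oslo_policy] enforce_new_defaults and enforce_scope are enabled; until then the deprecated RULE_ADMIN_API check is still honoured.` would make the transition state explicit. A second, pre-existing point worth folding in while these five rules are being rewritten: the `show` rule describes and routes a listing (`GET /types/{share_type_id}/extra_specs`) while `index` describes and routes a single entry (`.../{extra_spec_id}`), which looks like the two descriptions and operations are swapped relative to their names. Enforcement is keyed on the rule name, so this affects the generated policy documentation rather than the check itself, but it makes auditing which role may do what needlessly confusing.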