Implement secure RBAC for auto_allocated_topology API

This commit updates the policies for auto_allocated_topology API to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. Partially-Implements blueprint: secure-rbac-roles Change-Id: I109c73b7ad5f1157f40b8340723084f8c51272b2
2020-12-03 16:43:10 +01:00 · 2020-12-03 16:43:10 +01:00 · 05ab8c591f
parent 6a8fa65302
commit 05ab8c591f
1 changed files with 25 additions and 10 deletions
--- a/neutron/conf/policies/auto_allocated_topology.py
+++ b/neutron/conf/policies/auto_allocated_topology.py
@ -17,29 +17,44 @@ from neutron.conf.policies import base

 RESOURCE_PATH = '/auto-allocated-topology/{project_id}'

+DEPRECATION_REASON = (
+    "The Auto allocated topology API now supports system scope "
+    "and default roles.")

 rules = [
    policy.DocumentedRuleDefault(
-        'get_auto_allocated_topology',
-        base.RULE_ADMIN_OR_OWNER,
-        "Get a project's auto-allocated topology",
-        [
+        name='get_auto_allocated_topology',
+        check_str=base.SYSTEM_OR_PROJECT_READER,
+        description="Get a project's auto-allocated topology",
+        operations=[
            {
                'method': 'GET',
                'path': RESOURCE_PATH,
            },
-        ]
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=policy.DeprecatedRule(
+            name='get_auto_allocated_topology',
+            check_str=base.RULE_ADMIN_OR_OWNER),
+        deprecated_reason=DEPRECATION_REASON,
+        deprecated_since='Wallaby'
    ),
    policy.DocumentedRuleDefault(
-        'delete_auto_allocated_topology',
-        base.RULE_ADMIN_OR_OWNER,
-        "Delete a project's auto-allocated topology",
-        [
+        name='delete_auto_allocated_topology',
+        check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
+        description="Delete a project's auto-allocated topology",
+        operations=[
            {
                'method': 'DELETE',
                'path': RESOURCE_PATH,
            },
-        ]
+        ],
+        scope_types=['system', 'project'],
+        deprecated_rule=policy.DeprecatedRule(
+            name='delete_auto_allocated_topology',
+            check_str=base.RULE_ADMIN_OR_OWNER),
+        deprecated_reason=DEPRECATION_REASON,
+        deprecated_since='Wallaby'
    ),
 ]