From 09664c593f36044bb6667cd35b8205db2fffa2db Mon Sep 17 00:00:00 2001 From: Slawek Kaplonski Date: Fri, 4 Dec 2020 13:40:01 +0100 Subject: [PATCH] Implement secure RBAC for Floating IP API This commit updates the policies for Floating IP API to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. Partially-Implements blueprint: secure-rbac-roles Change-Id: Ia27bfff290730eb44c641a18e9c30d91664a2510
--- neutron/conf/policies/floatingip.py | 82 ++++++++++++++++++++--------- 1 file changed, 57 insertions(+), 25 deletions(-)
diff --git a/neutron/conf/policies/floatingip.py b/neutron/conf/policies/floatingip.py
index c24f9be72b0..9fb099c1914 100644
--- a/neutron/conf/policies/floatingip.py
+++ b/neutron/conf/policies/floatingip.py
@@ -18,35 +18,49 @@ from neutron.conf.policies import base COLLECTION_PATH = '/floatingips' RESOURCE_PATH = '/floatingips/{id}' +DEPRECATION_REASON = ( + "The Floating IP API now supports system scope and default roles.") rules = [ policy.DocumentedRuleDefault( - 'create_floatingip', - base.RULE_ANY, - 'Create a floating IP', - [ + name='create_floatingip', + check_str=base.PROJECT_MEMBER, + description='Create a floating IP', + operations=[ { 'method': 'POST', 'path': COLLECTION_PATH, }, - ] + ], + scope_types=['project'], + deprecated_rule=policy.DeprecatedRule( + name='create_floatingip', + check_str=base.RULE_ANY), + deprecated_reason=DEPRECATION_REASON, + deprecated_since='Wallaby' ), policy.DocumentedRuleDefault( - 'create_floatingip:floating_ip_address', - base.RULE_ADMIN_ONLY, - 'Create a floating IP with a specific IP address', - [ + name='create_floatingip:floating_ip_address', + check_str=base.SYSTEM_ADMIN, + description='Create a floating IP with a specific IP address', + operations=[ { 'method': 'POST', 'path': COLLECTION_PATH, }, - ] + ], + scope_types=['system', 'project'], + deprecated_rule=policy.DeprecatedRule( + name='create_floatingip:floating_ip_address', + check_str=base.RULE_ADMIN_ONLY), + deprecated_reason=DEPRECATION_REASON, + deprecated_since='Wallaby' ), policy.DocumentedRuleDefault( - 'get_floatingip', - base.RULE_ADMIN_OR_OWNER, - 'Get a floating IP', - [ + name='get_floatingip', + check_str=base.SYSTEM_OR_PROJECT_READER, + description='Get a floating IP', + operations=[ { 'method': 'GET', 'path': COLLECTION_PATH, 
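Review bot: `create_floatingip` is limited to `scope_types=['project']` with a `PROJECT_MEMBER` check, while the attribute rule `create_floatingip:floating_ip_address` directly below it requires `SYSTEM_ADMIN` and lists `scope_types=['system', 'project']`. If the attribute rule is enforced on top of the base rule, as Neutron does for `create_*:attr` policies (inferred from the naming, not visible in this hunk), then once `enforce_scope` and the new defaults are on a system-scoped admin would pass the attribute check only to be rejected by the project-scoped base rule, and a project-scoped admin presumably cannot satisfy `SYSTEM_ADMIN`, leaving nobody able to request a specific address without an operator override. Either the two rules' scope and role expectations should be aligned (for example `scope_types=['system', 'project']` on `create_floatingip` together with a check that also admits system admins), or the intended workflow should be spelled out in `DEPRECATION_REASON` or a release note. The `get_floatingip` rule at the end of this hunk continues into the next one.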
@@ -55,29 +69,47 @@ rules = [ 'method': 'GET', 'path': RESOURCE_PATH, }, - ] + ], + scope_types=['system', 'project'], + deprecated_rule=policy.DeprecatedRule( + name='get_floatingip', + check_str=base.RULE_ADMIN_OR_OWNER), + deprecated_reason=DEPRECATION_REASON, + deprecated_since='Wallaby' ), policy.DocumentedRuleDefault( - 'update_floatingip', - base.RULE_ADMIN_OR_OWNER, - 'Update a floating IP', - [ + name='update_floatingip', + check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, + description='Update a floating IP', + operations=[ { 'method': 'PUT', 'path': RESOURCE_PATH, }, - ] + ], + scope_types=['system', 'project'], + deprecated_rule=policy.DeprecatedRule( + name='create_floatingip', + check_str=base.RULE_ADMIN_OR_OWNER), + deprecated_reason=DEPRECATION_REASON, + deprecated_since='Wallaby' ), policy.DocumentedRuleDefault( - 'delete_floatingip', - base.RULE_ADMIN_OR_OWNER, - 'Delete a floating IP', - [ + name='delete_floatingip', + check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, + description='Delete a floating IP', + operations=[ { 'method': 'DELETE', 'path': RESOURCE_PATH, }, - ] + ], + scope_types=['system', 'project'], + deprecated_rule=policy.DeprecatedRule( + name='create_floatingip', + check_str=base.RULE_ADMIN_OR_OWNER), + deprecated_reason=DEPRECATION_REASON, + deprecated_since='Wallaby' ), ]
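Review bot: The `deprecated_rule` entries for `update_floatingip` and `delete_floatingip` both carry `name='create_floatingip'` instead of their own rule name, so the old-name fallback is wired to the wrong policy. As I read oslo.policy's deprecation handling, an operator override of `create_floatingip` in policy.yaml would then be copied into the update and delete rules for the deprecation window, silently changing who may modify or remove floating IPs. The two lines should read `name='update_floatingip',` and `name='delete_floatingip',`; the accompanying `check_str=base.RULE_ADMIN_OR_OWNER` already matches the removed defaults. The `get_floatingip` rule at the top of this hunk begins in the previous one.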