From 8ca921b9eb26ed4ba2b9921ec275ac246e14164a Mon Sep 17 00:00:00 2001
From: Slawek Kaplonski
Date: Fri, 27 Nov 2020 11:25:26 +0100
Subject: [PATCH] Add common system and project policy check strings to constants

These are common policy check strings that we're going to use to implement a few basic personas across OpenStack APIs. This is going to help move OpenStack towards a more secure and consistent authorization experience.

Partially-Implements blueprint: secure-bac-roles
Change-Id: Ic48c8c39b156ddc58f3fb632a6aa37d6fec40c41
---
 neutron/conf/policies/base.py | 45 +++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py
index 0d2d647c1c7..44f6520973e 100644
--- a/neutron/conf/policies/base.py
+++ b/neutron/conf/policies/base.py
@@ -33,6 +33,51 @@ RULE_ADMIN_OR_NET_OWNER_OR_ADVSVC = policy_or(RULE_ADMIN_OR_NET_OWNER,
 RULE_ADVSVC)
 RULE_ADMIN_OR_PARENT_OWNER = 'rule:admin_or_ext_parent_owner'
+# Generic policy check string for system administrators. These are the people
+# who need the highest level of authorization to operate the deployment.
+# They're allowed to create, read, update, or delete any system-specific
+# resource. They can also operate on project-specific resources where
+# applicable (e.g., removing networks or routers)
+SYSTEM_ADMIN = 'role:admin and system_scope:all'
+
+# Generic policy check string for system users who don't require all the
+# authorization that system administrators typically have. This persona, or
+# check string, typically isn't used by default, but it's existence it useful
+# in the event a deployment wants to offload some administrative action from
+# system administrator to system members
+SYSTEM_MEMBER = 'role:member and system_scope:all'
+
+# Generic policy check string for read-only access to system-level resources.
+# This persona is useful for someone who needs access for auditing or even
+# support. These users are also able to view project-specific resources where
+# applicable (e.g., listing all networks in the deployment, regardless of the
+# project they belong to).
+SYSTEM_READER = 'role:reader and system_scope:all'
+
+# This check string is reserved for actions that require the highest level of
+# authorization on a project or resources within the project (e.g., setting the
+# creating QoS policies)
+PROJECT_ADMIN = 'role:admin and project_id:%(project_id)s'
+
+# This check string is the primary use case for typical end-users, who are
+# working with resources that belong to a project (e.g., creating ports and
+# routers).
+PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
+
+# This check string should only be used to protect read-only project-specific
+# resources. It should not be used to protect APIs that make writable changes
+# (e.g., updating a router or deleting a port).
+PROJECT_READER = 'role:reader and project_id:%(project_id)s'
+
+# The following are common composite check strings that are useful for
+# protecting APIs designed to operate with multiple scopes (e.g., a system
+# administrator should be able to delete any router in the deployment, a
+# project member should only be able to delete routers in their project).
+SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
+ '(' + SYSTEM_ADMIN + ') or (' + PROJECT_MEMBER + ')')
+SYSTEM_OR_PROJECT_READER = (
+ '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')')
+
 rules = [ + policy.RuleDefault(