Merge "Implement secure RBAC for the metering API"

2021-03-08 16:27:11 +00:00 · 2021-03-08 16:27:11 +00:00 · 3b54c2f9b3
parent 37f245c406 01e289a03c
commit 3b54c2f9b3
1 changed files with 70 additions and 30 deletions
--- a/neutron/conf/policies/metering.py
+++ b/neutron/conf/policies/metering.py
@ -10,10 +10,14 @@
 #  License for the specific language governing permissions and limitations
 #  under the License.

+from oslo_log import versionutils
 from oslo_policy import policy

 from neutron.conf.policies import base

+DEPRECATED_REASON = """
+The metering API now supports system scope and default roles.
+"""

 LABEL_COLLECTION_PATH = '/metering/metering-labels'
 LABEL_RESOURCE_PATH = '/metering/metering-labels/{id}'
@ -24,21 +28,28 @@ RULE_RESOURCE_PATH = '/metering/metering-label-rules/{id}'

 rules = [
    policy.DocumentedRuleDefault(
-        'create_metering_label',
-        base.RULE_ADMIN_ONLY,
-        'Create a metering label',
-        [
+        name='create_metering_label',
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system', 'project'],
+        description='Create a metering label',
+        operations=[
            {
                'method': 'POST',
                'path': LABEL_COLLECTION_PATH,
            },
-        ]
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name='create_metering_label',
+            check_str=base.RULE_ADMIN_ONLY),
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
    ),
    policy.DocumentedRuleDefault(
-        'get_metering_label',
-        base.RULE_ADMIN_ONLY,
-        'Get a metering label',
-        [
+        name='get_metering_label',
+        check_str=base.SYSTEM_READER,
+        scope_types=['system', 'project'],
+        description='Get a metering label',
+        operations=[
            {
                'method': 'GET',
                'path': LABEL_COLLECTION_PATH,
@ -47,35 +58,53 @@ rules = [
                'method': 'GET',
                'path': LABEL_RESOURCE_PATH,
            },
-        ]
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name='get_metering_label',
+            check_str=base.RULE_ADMIN_ONLY),
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
    ),
    policy.DocumentedRuleDefault(
-        'delete_metering_label',
-        base.RULE_ADMIN_ONLY,
-        'Delete a metering label',
-        [
+        name='delete_metering_label',
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system', 'project'],
+        description='Delete a metering label',
+        operations=[
            {
                'method': 'DELETE',
                'path': LABEL_RESOURCE_PATH,
            },
-        ]
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name='delete_metering_label',
+            check_str=base.RULE_ADMIN_ONLY),
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
    ),
    policy.DocumentedRuleDefault(
-        'create_metering_label_rule',
-        base.RULE_ADMIN_ONLY,
-        'Create a metering label rule',
-        [
+        name='create_metering_label_rule',
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system', 'project'],
+        description='Create a metering label rule',
+        operations=[
            {
                'method': 'POST',
                'path': RULE_COLLECTION_PATH,
            },
-        ]
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name='create_metering_label_rule',
+            check_str=base.RULE_ADMIN_ONLY),
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
    ),
    policy.DocumentedRuleDefault(
-        'get_metering_label_rule',
-        base.RULE_ADMIN_ONLY,
-        'Get a metering label rule',
-        [
+        name='get_metering_label_rule',
+        check_str=base.SYSTEM_READER,
+        scope_types=['system', 'project'],
+        description='Get a metering label rule',
+        operations=[
            {
                'method': 'GET',
                'path': RULE_COLLECTION_PATH,
@ -84,18 +113,29 @@ rules = [
                'method': 'GET',
                'path': RULE_RESOURCE_PATH,
            },
-        ]
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name='get_metering_label_rule',
+            check_str=base.RULE_ADMIN_ONLY),
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
    ),
    policy.DocumentedRuleDefault(
-        'delete_metering_label_rule',
-        base.RULE_ADMIN_ONLY,
-        'Delete a metering label rule',
-        [
+        name='delete_metering_label_rule',
+        check_str=base.SYSTEM_ADMIN,
+        scope_types=['system', 'project'],
+        description='Delete a metering label rule',
+        operations=[
            {
                'method': 'DELETE',
                'path': RULE_RESOURCE_PATH,
            },
-        ]
+        ],
+        deprecated_rule=policy.DeprecatedRule(
+            name='delete_metering_label_rule',
+            check_str=base.RULE_ADMIN_ONLY),
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
    )
 ]