Add new RBAC policies only for "target_project"

These new policies won't support "target_tenant" in the target
definition, only "target_project". The existing "target_tenant" rules
are kept for now and will be removed in the next SLURP release.

Blueprint: https://blueprints.launchpad.net/neutron/+spec/keystone-v3
Change-Id: I5b3d226684f28138e3dac9645336e058ce2ff3cb
Rodolfo Alonso Hernandez
2024-11-13 11:21:38 +00:00
committed by Rodolfo Alonso
parent 09633b7008
commit 7272bb0e4b
2 changed files with 162 additions and 28 deletions


@ -24,6 +24,56 @@ The RBAC API now supports system scope and default roles.
COLLECTION_PATH = '/rbac-policies'
RESOURCE_PATH = '/rbac-policies/{id}'
# TODO(ralonsoh): remove "_create_rbac_target_tenant" and
# "_update_rbac_target_tenant" in E+2=G (next SLURP).
_create_rbac_target_tenant = policy.DocumentedRuleDefault(
name='create_rbac_policy:target_tenant',
check_str=neutron_policy.policy_or(
base.ADMIN,
'(not field:rbac_policy:target_tenant=* and '
'not field:rbac_policy:target_project=*)'),
description='Specify ``target_tenant`` when creating an RBAC policy',
operations=[
{
'method': 'POST',
'path': COLLECTION_PATH,
},
],
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='create_rbac_policy:target_tenant',
check_str='rule:restrict_wildcard',
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
deprecated_for_removal=True,
deprecated_reason='Replaced by "create_rbac_policy:target_project',
deprecated_since='2025.1',
)
_update_rbac_target_tenant = policy.DocumentedRuleDefault(
name='update_rbac_policy:target_tenant',
check_str=neutron_policy.policy_or(
base.ADMIN,
'(not field:rbac_policy:target_tenant=* and '
'not field:rbac_policy:target_project=*)'),
description='Update ``target_tenant`` attribute of an RBAC policy',
operations=[
{
'method': 'PUT',
'path': RESOURCE_PATH,
},
],
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='update_rbac_policy:target_tenant',
check_str=neutron_policy.policy_and(
'rule:restrict_wildcard',
neutron_policy.RULE_ADMIN_OR_OWNER),
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
deprecated_for_removal=True,
deprecated_reason='Replaced by "update_rbac_policy:target_project',
deprecated_since='2025.1',
)
rules = [
# TODO(ralonsoh): remove 'target_tenant=*' reference.
@ -52,15 +102,13 @@ rules = [
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
),
# TODO(ralonsoh): change name to 'create_rbac_policy:target_project'
# and remove 'target_tenant=*' reference.
_create_rbac_target_tenant,
policy.DocumentedRuleDefault(
name='create_rbac_policy:target_tenant',
name='create_rbac_policy:target_project',
check_str=neutron_policy.policy_or(
base.ADMIN,
'(not field:rbac_policy:target_tenant=* and '
'not field:rbac_policy:target_project=*)'),
description='Specify ``target_tenant`` when creating an RBAC policy',
'not field:rbac_policy:target_project=*'),
description='Specify ``target_project`` when creating an RBAC policy',
operations=[
{
'method': 'POST',
@ -68,11 +116,6 @@ rules = [
},
],
scope_types=['project'],
deprecated_rule=policy.DeprecatedRule(
name='create_rbac_policy:target_tenant',
check_str='rule:restrict_wildcard',
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
),
policy.DocumentedRuleDefault(
name='update_rbac_policy',
@ -91,28 +134,19 @@ rules = [
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY)
),
# TODO(ralonsoh): change name to 'create_rbac_policy:target_project'
# and remove 'target_tenant=*' reference.
_update_rbac_target_tenant,
policy.DocumentedRuleDefault(
name='update_rbac_policy:target_tenant',
name='update_rbac_policy:target_project',
check_str=neutron_policy.policy_or(
base.ADMIN,
'(not field:rbac_policy:target_tenant=* and '
'not field:rbac_policy:target_project=*)'),
description='Update ``target_tenant`` attribute of an RBAC policy',
'not field:rbac_policy:target_project=*'),
description='Update ``target_project`` attribute of an RBAC policy',
operations=[
{
'method': 'PUT',
'path': RESOURCE_PATH,
},
],
deprecated_rule=policy.DeprecatedRule(
name='update_rbac_policy:target_tenant',
check_str=neutron_policy.policy_and(
'rule:restrict_wildcard',
neutron_policy.RULE_ADMIN_OR_OWNER),
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
scope_types=['project'],
),
policy.DocumentedRuleDefault(
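Review bot: The `deprecated_reason` strings on the two retained module-level rules, `'Replaced by "create_rbac_policy:target_project'` and `'Replaced by "update_rbac_policy:target_project'`, are missing the closing double quote, so the operator-facing deprecation warning prints an unbalanced quote; close them as `deprecated_reason='Replaced by "create_rbac_policy:target_project"'` and `deprecated_reason='Replaced by "update_rbac_policy:target_project"'`. The new `create_rbac_policy:target_project` and `update_rbac_policy:target_project` checks only test `field:rbac_policy:target_project=*`, so the wildcard restriction for a request body that still uses the legacy `target_tenant` key now rests entirely on the retained `_create_rbac_target_tenant` / `_update_rbac_target_tenant` rules. That makes the removal TODO at the top of the file security-sensitive: if those rules are dropped while the API definition still accepts `target_tenant`, a non-admin `target_tenant: '*'` would presumably no longer be caught by any wildcard check. I'd extend the TODO to spell this out: `# Remove only after the API definition stops accepting "target_tenant"; until then these rules are the sole wildcard guard for that key.`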


@ -71,6 +71,18 @@ class SystemAdminTests(RbacAPITestCase):
self.context, 'create_rbac_policy:target_tenant',
self.wildcard_alt_target)
def test_create_rbac_policy_target_project(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_rbac_policy:target_project',
self.wildcard_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'create_rbac_policy:target_project',
self.wildcard_alt_target)
def test_update_rbac_policy(self):
self.assertRaises(
base_policy.InvalidScope,
@ -93,6 +105,18 @@ class SystemAdminTests(RbacAPITestCase):
self.context, 'update_rbac_policy:target_tenant',
self.wildcard_alt_target)
def test_update_rbac_policy_target_project(self):
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_rbac_policy:target_project',
self.wildcard_target)
self.assertRaises(
base_policy.InvalidScope,
policy.enforce,
self.context, 'update_rbac_policy:target_project',
self.wildcard_alt_target)
def test_get_rbac_policy(self):
self.assertRaises(
base_policy.InvalidScope,
@ -134,11 +158,22 @@ class AdminTests(RbacAPITestCase):
def test_create_rbac_policy_target_tenant(self):
self.assertTrue(
policy.enforce(
self.context, 'create_rbac_policy:target_tenant', self.target))
self.context,
'create_rbac_policy:target_tenant', self.target))
self.assertTrue(
policy.enforce(
self.context,
'create_rbac_policy:alt_target_tenant', self.target))
'create_rbac_policy:target_tenant', self.alt_target))
def test_create_rbac_policy_target_project(self):
self.assertTrue(
policy.enforce(
self.context,
'create_rbac_policy:target_project', self.target))
self.assertTrue(
policy.enforce(
self.context,
'create_rbac_policy:target_project', self.alt_target))
def test_update_rbac_policy(self):
self.assertTrue(
@ -150,11 +185,22 @@ class AdminTests(RbacAPITestCase):
def test_update_rbac_policy_target_tenant(self):
self.assertTrue(
policy.enforce(
self.context, 'update_rbac_policy:target_tenant', self.target))
self.context,
'update_rbac_policy:target_tenant', self.target))
self.assertTrue(
policy.enforce(
self.context,
'update_rbac_policy:alt_target_tenant', self.target))
'update_rbac_policy:target_tenant', self.alt_target))
def test_update_rbac_policy_target_project(self):
self.assertTrue(
policy.enforce(
self.context,
'update_rbac_policy:target_project', self.target))
self.assertTrue(
policy.enforce(
self.context,
'update_rbac_policy:target_project', self.alt_target))
def test_get_rbac_policy(self):
self.assertTrue(
@ -196,6 +242,22 @@ class ProjectManagerTests(AdminTests):
self.context, 'create_rbac_policy:target_tenant',
self.wildcard_alt_target)
def test_create_rbac_policy_target_project(self):
if 'target_tenant' in self.wildcard_target:
self.skipTest('"create_rbac_policy:target_project" does not '
'support "target_tenant"')
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_rbac_policy:target_project',
self.wildcard_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_rbac_policy:target_project',
self.wildcard_alt_target)
def test_update_rbac_policy(self):
self.assertTrue(
policy.enforce(self.context, 'update_rbac_policy', self.target))
@ -216,6 +278,22 @@ class ProjectManagerTests(AdminTests):
self.context, 'update_rbac_policy:target_tenant',
self.wildcard_alt_target)
def test_update_rbac_policy_target_project(self):
if 'target_tenant' in self.wildcard_target:
self.skipTest('"update_rbac_policy:target_project" does not '
'support "target_tenant"')
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_rbac_policy:target_project',
self.wildcard_target)
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_rbac_policy:target_project',
self.wildcard_alt_target)
def test_get_rbac_policy(self):
self.assertTrue(
policy.enforce(self.context, 'get_rbac_policy', self.target))
@ -296,6 +374,17 @@ class ServiceRoleTests(RbacAPITestCase):
self.context, 'create_rbac_policy:target_tenant',
self.wildcard_target)
def test_create_rbac_policy_target_project(self):
if 'target_tenant' in self.wildcard_target:
self.skipTest('"create_rbac_policy:target_project" does not '
'support "target_tenant"')
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'create_rbac_policy:target_project',
self.wildcard_target)
def test_update_rbac_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
@ -309,6 +398,17 @@ class ServiceRoleTests(RbacAPITestCase):
self.context, 'update_rbac_policy:target_tenant',
self.wildcard_target)
def test_update_rbac_policy_target_project(self):
if 'target_tenant' in self.wildcard_target:
self.skipTest('"update_rbac_policy:target_project" does not '
'support "target_tenant"')
self.assertRaises(
base_policy.PolicyNotAuthorized,
policy.enforce,
self.context, 'update_rbac_policy:target_project',
self.wildcard_target)
def test_get_rbac_policy(self):
self.assertRaises(
base_policy.PolicyNotAuthorized,
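Review bot: The new `test_create_rbac_policy_target_project` and `test_update_rbac_policy_target_project` methods in `ProjectManagerTests` and `ServiceRoleTests` call `self.skipTest(...)` whenever `self.wildcard_target` is keyed by `target_tenant`, which turns the deny assertion for the new rules into a no-op in that parametrization instead of exercising it. Since the new check strings only look at `target_project`, the denial can be asserted in every case by rekeying the fixture locally rather than skipping, e.g. `target = {('target_project' if k == 'target_tenant' else k): v for k, v in self.wildcard_target.items()}` and passing `target` (and the same rekeying of `wildcard_alt_target`, if it is a plain dict too) to `policy.enforce`. The same skip guard is repeated verbatim in all four methods; a small helper on `RbacAPITestCase` would remove the duplication. The test classes these methods belong to start and end outside the hunks.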