Fix Octavia policies

* switch system scope policies to project scope
* the legacy admin is still an admin

Based on the governance goal document [0]

[0] https://governance.openstack.org/tc/goals/selected/\
        consistent-and-secure-rbac.html

Change-Id: I43529ef6cba7febe44e11afb644d312b8ca26c81
Gregory Thiemonge 2023-02-28 02:54:52 -05:00
parent b4b6e07fe0
commit 710e9105e1
2 changed files with 21 additions and 16 deletions


@ -46,14 +46,14 @@ rules = [
name='system-admin',
check_str='role:admin and '
'system_scope:all',
scope_types=[constants.RBAC_SCOPE_SYSTEM]),
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# System scoped Reader
policy.RuleDefault(
name='system-reader',
check_str='role:reader and '
'system_scope:all',
scope_types=[constants.RBAC_SCOPE_SYSTEM]),
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# Project scoped Member
policy.RuleDefault(
@ -91,9 +91,10 @@ rules = [
policy.RuleDefault(
name='context_is_admin',
check_str='role:load-balancer_admin or '
'rule:system-admin',
'rule:system-admin or '
'role:admin',
deprecated_rule=deprecated_context_is_admin,
scope_types=[constants.RBAC_SCOPE_SYSTEM]),
scope_types=[constants.RBAC_SCOPE_PROJECT]),
# Note: 'is_admin:True' is a policy rule that takes into account the
# auth_strategy == noauth configuration setting.
@ -116,7 +117,7 @@ rules = [
name='load-balancer:global_observer',
check_str='role:load-balancer_global_observer or '
'rule:system-reader',
scope_types=[constants.RBAC_SCOPE_SYSTEM]),
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:member_and_owner',
@ -131,8 +132,9 @@ rules = [
name='load-balancer:admin',
check_str='is_admin:True or '
'role:load-balancer_admin or '
'rule:system-admin',
scope_types=[constants.RBAC_SCOPE_SYSTEM]),
'rule:system-admin or '
'role:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:read',
@ -140,21 +142,19 @@ rules = [
'rule:load-balancer:global_observer or '
'rule:load-balancer:member_and_owner or '
'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT,
constants.RBAC_SCOPE_SYSTEM]),
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:read-global',
check_str='rule:load-balancer:global_observer or '
'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_SYSTEM]),
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:write',
check_str='rule:load-balancer:member_and_owner or '
'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT,
constants.RBAC_SCOPE_SYSTEM]),
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:read-quota',
@ -163,21 +163,20 @@ rules = [
'rule:load-balancer:member_and_owner or '
'role:load-balancer_quota_admin or '
'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT,
constants.RBAC_SCOPE_SYSTEM]),
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:read-quota-global',
check_str='rule:load-balancer:global_observer or '
'role:load-balancer_quota_admin or '
'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_SYSTEM]),
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault(
name='load-balancer:write-quota',
check_str='role:load-balancer_quota_admin or '
'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_SYSTEM]),
scope_types=[constants.RBAC_SCOPE_PROJECT]),
]
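Review bot: In the first hunk, `system-admin` and `system-reader` keep `'system_scope:all'` in their check_str while their scope_types now declare only `constants.RBAC_SCOPE_PROJECT`, which leaves both rules unreachable: with enforce_scope on, a system-scoped token is rejected by the scope_types check before the rule is evaluated, and a project-scoped token never carries `system_scope:all`. As a result `rule:system-admin` in `context_is_admin` (second hunk) and `load-balancer:admin` (fourth hunk) only grants access through the newly added `role:admin` alternative, and `rule:system-reader` in `load-balancer:global_observer` (third hunk) grants nothing, which is presumably intended per the commit message but is not stated anywhere in the file. Either drop the now-dead `'system_scope:all'` term and the `rule:system-*` references together, or mark the retained rules with a comment above each, e.g. `# Retained only so existing policy overrides referencing rule:system-admin still parse; unreachable under project scope, admin access now comes from role:admin`. Note also that `role:admin` is unqualified, so the admin role on any project is a global load-balancer admin here; a one-line comment on `load-balancer:admin` saying that this follows the consistent-and-secure-rbac goal would save the next reader from reading it as an omission. The `rules` list begins before the first hunk.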


@ -0,0 +1,6 @@
---
fixes:
- |
Fixed the policy of the legacy `admin` role, it is still an admin with sRBAC.
- |
Removed system scope policies, all the policies are now project scoped.