Fix Octavia policies

* switch system scope policies to project scope
* the legacy admin is still an admin

Based on the governance goal document [0]

[0] https://governance.openstack.org/tc/goals/selected/\
        consistent-and-secure-rbac.html

Change-Id: I43529ef6cba7febe44e11afb644d312b8ca26c81
Gregory Thiemonge 2023-02-28 02:54:52 -05:00
parent b4b6e07fe0
commit 710e9105e1
2 changed files with 21 additions and 16 deletions


@ -46,14 +46,14 @@ rules = [
name='system-admin', name='system-admin',
check_str='role:admin and ' check_str='role:admin and '
'system_scope:all', 'system_scope:all',
scope_types=[constants.RBAC_SCOPE_SYSTEM]), scope_types=[constants.RBAC_SCOPE_PROJECT]),
# System scoped Reader # System scoped Reader
policy.RuleDefault( policy.RuleDefault(
name='system-reader', name='system-reader',
check_str='role:reader and ' check_str='role:reader and '
'system_scope:all', 'system_scope:all',
scope_types=[constants.RBAC_SCOPE_SYSTEM]), scope_types=[constants.RBAC_SCOPE_PROJECT]),
# Project scoped Member # Project scoped Member
policy.RuleDefault( policy.RuleDefault(
@ -91,9 +91,10 @@ rules = [
policy.RuleDefault( policy.RuleDefault(
name='context_is_admin', name='context_is_admin',
check_str='role:load-balancer_admin or ' check_str='role:load-balancer_admin or '
'rule:system-admin', 'rule:system-admin or '
'role:admin',
deprecated_rule=deprecated_context_is_admin, deprecated_rule=deprecated_context_is_admin,
scope_types=[constants.RBAC_SCOPE_SYSTEM]), scope_types=[constants.RBAC_SCOPE_PROJECT]),
# Note: 'is_admin:True' is a policy rule that takes into account the # Note: 'is_admin:True' is a policy rule that takes into account the
# auth_strategy == noauth configuration setting. # auth_strategy == noauth configuration setting.
@ -116,7 +117,7 @@ rules = [
name='load-balancer:global_observer', name='load-balancer:global_observer',
check_str='role:load-balancer_global_observer or ' check_str='role:load-balancer_global_observer or '
'rule:system-reader', 'rule:system-reader',
scope_types=[constants.RBAC_SCOPE_SYSTEM]), scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault( policy.RuleDefault(
name='load-balancer:member_and_owner', name='load-balancer:member_and_owner',
@ -131,8 +132,9 @@ rules = [
name='load-balancer:admin', name='load-balancer:admin',
check_str='is_admin:True or ' check_str='is_admin:True or '
'role:load-balancer_admin or ' 'role:load-balancer_admin or '
'rule:system-admin', 'rule:system-admin or '
scope_types=[constants.RBAC_SCOPE_SYSTEM]), 'role:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault( policy.RuleDefault(
name='load-balancer:read', name='load-balancer:read',
@ -140,21 +142,19 @@ rules = [
'rule:load-balancer:global_observer or ' 'rule:load-balancer:global_observer or '
'rule:load-balancer:member_and_owner or ' 'rule:load-balancer:member_and_owner or '
'rule:load-balancer:admin', 'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT, scope_types=[constants.RBAC_SCOPE_PROJECT]),
constants.RBAC_SCOPE_SYSTEM]),
policy.RuleDefault( policy.RuleDefault(
name='load-balancer:read-global', name='load-balancer:read-global',
check_str='rule:load-balancer:global_observer or ' check_str='rule:load-balancer:global_observer or '
'rule:load-balancer:admin', 'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_SYSTEM]), scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault( policy.RuleDefault(
name='load-balancer:write', name='load-balancer:write',
check_str='rule:load-balancer:member_and_owner or ' check_str='rule:load-balancer:member_and_owner or '
'rule:load-balancer:admin', 'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT, scope_types=[constants.RBAC_SCOPE_PROJECT]),
constants.RBAC_SCOPE_SYSTEM]),
policy.RuleDefault( policy.RuleDefault(
name='load-balancer:read-quota', name='load-balancer:read-quota',
@ -163,21 +163,20 @@ rules = [
'rule:load-balancer:member_and_owner or ' 'rule:load-balancer:member_and_owner or '
'role:load-balancer_quota_admin or ' 'role:load-balancer_quota_admin or '
'rule:load-balancer:admin', 'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_PROJECT, scope_types=[constants.RBAC_SCOPE_PROJECT]),
constants.RBAC_SCOPE_SYSTEM]),
policy.RuleDefault( policy.RuleDefault(
name='load-balancer:read-quota-global', name='load-balancer:read-quota-global',
check_str='rule:load-balancer:global_observer or ' check_str='rule:load-balancer:global_observer or '
'role:load-balancer_quota_admin or ' 'role:load-balancer_quota_admin or '
'rule:load-balancer:admin', 'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_SYSTEM]), scope_types=[constants.RBAC_SCOPE_PROJECT]),
policy.RuleDefault( policy.RuleDefault(
name='load-balancer:write-quota', name='load-balancer:write-quota',
check_str='role:load-balancer_quota_admin or ' check_str='role:load-balancer_quota_admin or '
'rule:load-balancer:admin', 'rule:load-balancer:admin',
scope_types=[constants.RBAC_SCOPE_SYSTEM]), scope_types=[constants.RBAC_SCOPE_PROJECT]),
] ]
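Review bot: In the first hunk the `system-admin` and `system-reader` rules keep `check_str` requiring `system_scope:all` while their `scope_types` becomes `[constants.RBAC_SCOPE_PROJECT]`; as far as I can tell a project-scoped token never carries `system_scope:all`, so under scope enforcement these two rules can no longer be satisfied and the `rule:system-admin` / `rule:system-reader` terms in `context_is_admin`, `load-balancer:global_observer` and `load-balancer:admin` contribute nothing. If they are retained only so deprecated rules that reference them still resolve, say so next to the definitions, e.g. `# Retained for deprecated rules that reference rule:system-admin; a project-scoped token cannot satisfy system_scope:all, so this rule is not expected to match on its own.`; otherwise the `system_scope:all` term or the rules themselves should go. The `# System scoped Reader` comment (and the `system-` names) now describe a project-scoped rule and should be reworded to avoid suggesting system scope is still honoured. The enclosing `rules` list starts before the first hunk.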


@ -0,0 +1,6 @@
---
fixes:
- |
Fixed the policy of the legacy `admin` role, it is still an admin with sRBAC.
- |
Removed system scope policies, all the policies are now project scoped.