Implement secure RBAC for segregation and telemetry policies
This commit updates all policies in panko to support enhanced token scope checking and default roles, by implementing support for a reader role for read-only APIs. This is part of a broader change to provide a more consistent and secure authorization experience for operators and users across OpenStack. Change-Id: Ia0daee7d909f31e7f8f9e75fa52dca9254441559
parent
12c41a0a73
commit
6195c9a06d
@ -10,12 +10,26 @@
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from panko.policies import base
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
The events API now supports system scope and default roles.
|
||||
"""
|
||||
|
||||
deprecated_segregation = policy.DeprecatedRule(
|
||||
name='segregation',
|
||||
check_str='rule:context_is_admin'
|
||||
)
|
||||
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name='segregation',
|
||||
check_str='rule:context_is_admin',
|
||||
check_str=base.SYSTEM_READER,
|
||||
scope_types=['system'],
|
||||
description='Return the user and project the request'
|
||||
'should be limited to',
|
||||
operations=[
|
||||
@ -27,7 +41,10 @@ rules = [
|
||||
'path': '/v2/events/{message_id}',
|
||||
'method': 'GET'
|
||||
}
|
||||
]
|
||||
],
|
||||
deprecated_rule=deprecated_segregation,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
]
|
||||
|
||||
|
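Review bot: `deprecated_rule=deprecated_segregation` in the second hunk keeps `rule:context_is_admin` as an alternative way to pass `segregation` — oslo.policy ORs a deprecated rule's check string with the new one until `[oslo_policy] enforce_new_defaults` is enabled, so in the default configuration a project-scoped admin still passes segregation and gets an unrestricted query, not the system-reader-only behaviour that the new `check_str=base.SYSTEM_READER` suggests. That transitional behaviour is not stated anywhere in the module; a comment above `deprecated_segregation` would help operators reading the generated policy file, e.g. `# Until enforce_new_defaults is set, this legacy admin check is still accepted alongside base.SYSTEM_READER.` The `scope_types=['system']` also means a project-scoped token can never satisfy this rule; that is presumably what limits such callers to their own project, but whether a scope mismatch under `enforce_scope=True` surfaces as a False result or as an error depends on how panko's rbac helper invokes the enforcer, which is outside this diff. The `rules` list edited here starts before and ends after the first hunk.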
@ -19,6 +19,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=TELEMETRY_EVENTS % 'index',
|
||||
check_str=base.UNPROTECTED,
|
||||
scope_types=['system', 'project'],
|
||||
description='Return all events matching the query filters.',
|
||||
operations=[
|
||||
{
|
||||
@ -30,6 +31,7 @@ rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=TELEMETRY_EVENTS % 'show',
|
||||
check_str=base.UNPROTECTED,
|
||||
scope_types=['system', 'project'],
|
||||
description='Return a single event with the given message id.',
|
||||
operations=[
|
||||
{
|
||||
|
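Review bot: Both rules in this section keep `check_str=base.UNPROTECTED` and only gain `scope_types=['system', 'project']`, so despite the commit message's reader role these read APIs still admit any authenticated caller; with `enforce_scope` on, the only new effect is that tokens of other scopes (e.g. domain) are refused. If the intent is that project visibility is enforced by the `segregation` rule rather than here, that is worth a comment on each rule, e.g. `# Deliberately unprotected: per-project visibility is applied by the 'segregation' rule.`; otherwise a reader check in the spirit of the `base.SYSTEM_READER` used for segregation (with a project-scope equivalent, if `base` provides one) would match the stated goal. Either way the `description` strings should say which behaviour applies, since they are what ends up in the generated policy file. Each `DocumentedRuleDefault` here continues past its hunk.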