Merge "Implement secure RBAC for traits"
commit
1e9e0921a1
@ -11,6 +11,7 @@
|
|||
# under the License.
|
||||
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from placement.policies import base
|
||||
|
@ -27,91 +28,145 @@ TRAITS_SHOW = TRAITS_PREFIX % 'show'
|
|||
TRAITS_UPDATE = TRAITS_PREFIX % 'update'
|
||||
TRAITS_DELETE = TRAITS_PREFIX % 'delete'
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
The traits API now supports a read-only role by default.
|
||||
"""
|
||||
|
||||
deprecated_list_traits = policy.DeprecatedRule(
|
||||
name=TRAITS_LIST,
|
||||
check_str=base.RULE_ADMIN_API
|
||||
)
|
||||
deprecated_show_trait = policy.DeprecatedRule(
|
||||
name=TRAITS_SHOW,
|
||||
check_str=base.RULE_ADMIN_API
|
||||
)
|
||||
deprecated_rp_traits_list = policy.DeprecatedRule(
|
||||
name=RP_TRAIT_LIST,
|
||||
check_str=base.RULE_ADMIN_API
|
||||
)
|
||||
deprecated_traits_update = policy.DeprecatedRule(
|
||||
name=TRAITS_UPDATE,
|
||||
check_str=base.RULE_ADMIN_API
|
||||
)
|
||||
deprecated_traits_delete = policy.DeprecatedRule(
|
||||
name=TRAITS_DELETE,
|
||||
check_str=base.RULE_ADMIN_API
|
||||
)
|
||||
deprecated_rp_trait_update = policy.DeprecatedRule(
|
||||
name=RP_TRAIT_UPDATE,
|
||||
check_str=base.RULE_ADMIN_API
|
||||
)
|
||||
deprecated_rp_trait_delete = policy.DeprecatedRule(
|
||||
name=RP_TRAIT_DELETE,
|
||||
check_str=base.RULE_ADMIN_API
|
||||
)
|
||||
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
TRAITS_LIST,
|
||||
base.RULE_ADMIN_API,
|
||||
"List traits.",
|
||||
[
|
||||
name=TRAITS_LIST,
|
||||
check_str=base.SYSTEM_READER,
|
||||
description="List traits.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/traits'
|
||||
}
|
||||
],
|
||||
scope_types=['system']
|
||||
scope_types=['system'],
|
||||
deprecated_rule=deprecated_list_traits,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
TRAITS_SHOW,
|
||||
base.RULE_ADMIN_API,
|
||||
"Show trait.",
|
||||
[
|
||||
name=TRAITS_SHOW,
|
||||
check_str=base.SYSTEM_READER,
|
||||
description="Show trait.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/traits/{name}'
|
||||
}
|
||||
],
|
||||
scope_types=['system'],
|
||||
deprecated_rule=deprecated_show_trait,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
TRAITS_UPDATE,
|
||||
base.RULE_ADMIN_API,
|
||||
"Update trait.",
|
||||
[
|
||||
name=TRAITS_UPDATE,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
description="Update trait.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/traits/{name}'
|
||||
}
|
||||
],
|
||||
scope_types=['system'],
|
||||
deprecated_rule=deprecated_traits_update,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
TRAITS_DELETE,
|
||||
base.RULE_ADMIN_API,
|
||||
"Delete trait.",
|
||||
[
|
||||
name=TRAITS_DELETE,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
description="Delete trait.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/traits/{name}'
|
||||
}
|
||||
],
|
||||
scope_types=['system'],
|
||||
deprecated_rule=deprecated_traits_delete,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
RP_TRAIT_LIST,
|
||||
base.RULE_ADMIN_API,
|
||||
"List resource provider traits.",
|
||||
[
|
||||
name=RP_TRAIT_LIST,
|
||||
check_str=base.SYSTEM_READER,
|
||||
description="List resource provider traits.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/resource_providers/{uuid}/traits'
|
||||
}
|
||||
],
|
||||
scope_types=['system'],
|
||||
deprecated_rule=deprecated_rp_traits_list,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
RP_TRAIT_UPDATE,
|
||||
base.RULE_ADMIN_API,
|
||||
"Update resource provider traits.",
|
||||
[
|
||||
name=RP_TRAIT_UPDATE,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
description="Update resource provider traits.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'PUT',
|
||||
'path': '/resource_providers/{uuid}/traits'
|
||||
}
|
||||
],
|
||||
scope_types=['system'],
|
||||
deprecated_rule=deprecated_rp_trait_update,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
RP_TRAIT_DELETE,
|
||||
base.RULE_ADMIN_API,
|
||||
"Delete resource provider traits.",
|
||||
[
|
||||
name=RP_TRAIT_DELETE,
|
||||
check_str=base.SYSTEM_ADMIN,
|
||||
description="Delete resource provider traits.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/resource_providers/{uuid}/traits'
|
||||
}
|
||||
],
|
||||
scope_types=['system'],
|
||||
deprecated_rule=deprecated_rp_trait_delete,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
),
|
||||
]
|
||||
|
||||
|
|
|
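Review bot: `DEPRECATED_REASON` (`The traits API now supports a read-only role by default.`) is attached to all seven rules, including the update and delete rules whose new default is `base.SYSTEM_ADMIN`, so the reason oslo.policy prints in the deprecation warning for those four rules does not describe what changed for them (system-scope enforcement rather than a read-only role). A wording that covers both groups, e.g. `The traits API now supports system scope and a read-only role by default.`, keeps the warning accurate for every rule. Separately, since each rule also carries `deprecated_rule=` pointing at the old `base.RULE_ADMIN_API` check, my understanding of oslo.policy's deprecation handling is that the old check is still honored alongside the new one until operators enable `enforce_new_defaults`, so a project-scoped admin keeps access during the deprecation window; a one-line module comment stating that would stop readers from taking the `SYSTEM_*` checks as already exclusive.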
@ -0,0 +1,108 @@
|
|||
---
|
||||
fixtures:
|
||||
- LegacyRBACPolicyFixture
|
||||
|
||||
vars:
|
||||
- &project_id $ENVIRON['PROJECT_ID']
|
||||
- &project_admin_headers
|
||||
x-auth-token: user
|
||||
x-roles: admin,member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
- &project_member_headers
|
||||
x-auth-token: user
|
||||
x-roles: member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
|
||||
tests:
|
||||
|
||||
- name: project member cannot list traits
|
||||
GET: /traits
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project admin can list traits
|
||||
GET: /traits
|
||||
request_headers: *project_admin_headers
|
||||
status: 200
|
||||
|
||||
- name: project member cannot create trait
|
||||
PUT: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project admin can create trait
|
||||
PUT: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_admin_headers
|
||||
status: 201
|
||||
|
||||
- name: project member cannot show trait
|
||||
GET: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project admin can show trait
|
||||
GET: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_admin_headers
|
||||
status: 204
|
||||
|
||||
- name: project admin can create resource provider
|
||||
POST: /resource_providers
|
||||
request_headers: *project_admin_headers
|
||||
data:
|
||||
name: $ENVIRON['RP_NAME']
|
||||
uuid: $ENVIRON['RP_UUID']
|
||||
status: 200
|
||||
|
||||
- name: project member cannot list resource provider traits
|
||||
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project admin can list resource provider traits
|
||||
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_admin_headers
|
||||
status: 200
|
||||
|
||||
- name: project member cannot update resource provider traits
|
||||
PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
data:
|
||||
traits:
|
||||
- CUSTOM_TRAIT_X
|
||||
resource_provider_generation: 0
|
||||
|
||||
- name: project admin can update resource provider traits
|
||||
PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_admin_headers
|
||||
status: 200
|
||||
data:
|
||||
traits:
|
||||
- CUSTOM_TRAIT_X
|
||||
resource_provider_generation: 0
|
||||
|
||||
- name: project member cannot delete resource provider traits
|
||||
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project admin can delete resource provider traits
|
||||
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_admin_headers
|
||||
status: 204
|
||||
|
||||
- name: project member cannot delete trait
|
||||
DELETE: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project admin cannot delete trait
|
||||
DELETE: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_admin_headers
|
||||
status: 204
|
|
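Review bot: The final test's name contradicts what it asserts: `- name: project admin cannot delete trait` is paired with `status: 204`, which is a successful delete, so a regression here would be reported under a misleading name. Rename it `- name: project admin can delete trait`; every other "cannot" case in this file correctly expects 403. The same mismatch appears in the last test of the secure-RBAC file added by this commit (`system admin cannot delete trait` with `status: 204`), which should become `system admin can delete trait`.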
@ -0,0 +1,246 @@
|
|||
---
|
||||
fixtures:
|
||||
- SecureRBACPolicyFixture
|
||||
|
||||
vars:
|
||||
- &project_id $ENVIRON['PROJECT_ID']
|
||||
- &system_admin_headers
|
||||
x-auth-token: user
|
||||
x-roles: admin,member,reader
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
openstack-system-scope: all
|
||||
- &system_reader_headers
|
||||
x-auth-token: user
|
||||
x-roles: reader
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
openstack-system-scope: all
|
||||
- &project_admin_headers
|
||||
x-auth-token: user
|
||||
x-roles: admin,member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
- &project_member_headers
|
||||
x-auth-token: user
|
||||
x-roles: member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
- &project_reader_headers
|
||||
x-auth-token: user
|
||||
x-roles: reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
|
||||
tests:
|
||||
|
||||
- name: project admin cannot list traits
|
||||
GET: /traits
|
||||
request_headers: *project_admin_headers
|
||||
status: 403
|
||||
|
||||
- name: project member cannot list traits
|
||||
GET: /traits
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project reader cannot list traits
|
||||
GET: /traits
|
||||
request_headers: *project_reader_headers
|
||||
status: 403
|
||||
|
||||
- name: system reader can list traits
|
||||
GET: /traits
|
||||
request_headers: *system_reader_headers
|
||||
status: 200
|
||||
|
||||
- name: system admin can list traits
|
||||
GET: /traits
|
||||
request_headers: *system_admin_headers
|
||||
status: 200
|
||||
|
||||
- name: project admin cannot create trait
|
||||
PUT: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_admin_headers
|
||||
status: 403
|
||||
|
||||
- name: project member cannot create trait
|
||||
PUT: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project reader cannot create trait
|
||||
PUT: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_reader_headers
|
||||
status: 403
|
||||
|
||||
- name: system reader cannot create trait
|
||||
PUT: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *system_reader_headers
|
||||
status: 403
|
||||
|
||||
- name: system admin can create trait
|
||||
PUT: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *system_admin_headers
|
||||
status: 201
|
||||
|
||||
- name: project admin cannot show trait
|
||||
GET: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_admin_headers
|
||||
status: 403
|
||||
|
||||
- name: project member cannot show trait
|
||||
GET: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project reader cannot show trait
|
||||
GET: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_reader_headers
|
||||
status: 403
|
||||
|
||||
- name: system reader can show trait
|
||||
GET: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *system_reader_headers
|
||||
status: 204
|
||||
|
||||
- name: system admin can show trait
|
||||
GET: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *system_admin_headers
|
||||
status: 204
|
||||
|
||||
- name: system admin can create resource provider
|
||||
POST: /resource_providers
|
||||
request_headers: *system_admin_headers
|
||||
data:
|
||||
name: $ENVIRON['RP_NAME']
|
||||
uuid: $ENVIRON['RP_UUID']
|
||||
status: 200
|
||||
|
||||
- name: project admin cannot list resource provider traits
|
||||
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_admin_headers
|
||||
status: 403
|
||||
|
||||
- name: project member cannot list resource provider traits
|
||||
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project reader cannot list resource provider traits
|
||||
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_reader_headers
|
||||
status: 403
|
||||
|
||||
- name: system reader can list resource provider traits
|
||||
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *system_reader_headers
|
||||
status: 200
|
||||
|
||||
- name: system admin can list resource provider traits
|
||||
GET: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *system_admin_headers
|
||||
status: 200
|
||||
|
||||
- name: project admin cannot update resource provider traits
|
||||
PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_admin_headers
|
||||
status: 403
|
||||
data:
|
||||
traits:
|
||||
- CUSTOM_TRAIT_X
|
||||
resource_provider_generation: 0
|
||||
|
||||
- name: project member cannot update resource provider traits
|
||||
PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
data:
|
||||
traits:
|
||||
- CUSTOM_TRAIT_X
|
||||
resource_provider_generation: 0
|
||||
|
||||
- name: project reader cannot update resource provider traits
|
||||
PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_reader_headers
|
||||
status: 403
|
||||
data:
|
||||
traits:
|
||||
- CUSTOM_TRAIT_X
|
||||
resource_provider_generation: 0
|
||||
|
||||
- name: system reader cannot update resource provider traits
|
||||
PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *system_reader_headers
|
||||
status: 403
|
||||
data:
|
||||
traits:
|
||||
- CUSTOM_TRAIT_X
|
||||
resource_provider_generation: 0
|
||||
|
||||
- name: system admin can update resource provider traits
|
||||
PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *system_admin_headers
|
||||
status: 200
|
||||
data:
|
||||
traits:
|
||||
- CUSTOM_TRAIT_X
|
||||
resource_provider_generation: 0
|
||||
|
||||
- name: project admin cannot delete resource provider traits
|
||||
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_admin_headers
|
||||
status: 403
|
||||
|
||||
- name: project member cannot delete resource provider traits
|
||||
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project reader cannot delete resource provider traits
|
||||
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *project_reader_headers
|
||||
status: 403
|
||||
|
||||
- name: system reader cannot delete resource provider traits
|
||||
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *system_reader_headers
|
||||
status: 403
|
||||
|
||||
- name: system admin can delete resource provider traits
|
||||
DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
|
||||
request_headers: *system_admin_headers
|
||||
status: 204
|
||||
|
||||
- name: project admin cannot delete trait
|
||||
DELETE: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_admin_headers
|
||||
status: 403
|
||||
|
||||
- name: project member cannot delete trait
|
||||
DELETE: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project reader cannot delete trait
|
||||
DELETE: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *project_reader_headers
|
||||
status: 403
|
||||
|
||||
- name: system reader cannot delete trait
|
||||
DELETE: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *system_reader_headers
|
||||
status: 403
|
||||
|
||||
- name: system admin cannot delete trait
|
||||
DELETE: /traits/CUSTOM_TRAIT_X
|
||||
request_headers: *system_admin_headers
|
||||
status: 204
|