Merge "Implement secure RBAC for traits"

placement/policies/trait.py

@@ -11,6 +11,7 @@
 #    under the License.
 
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from placement.policies import base
@@ -27,91 +28,145 @@ TRAITS_SHOW = TRAITS_PREFIX % 'show'
 TRAITS_UPDATE = TRAITS_PREFIX % 'update'
 TRAITS_DELETE = TRAITS_PREFIX % 'delete'
 
+DEPRECATED_REASON = """
+The traits API now supports a read-only role by default.
+"""
+
+deprecated_list_traits = policy.DeprecatedRule(
+    name=TRAITS_LIST,
+    check_str=base.RULE_ADMIN_API
+)
+deprecated_show_trait = policy.DeprecatedRule(
+    name=TRAITS_SHOW,
+    check_str=base.RULE_ADMIN_API
+)
+deprecated_rp_traits_list = policy.DeprecatedRule(
+    name=RP_TRAIT_LIST,
+    check_str=base.RULE_ADMIN_API
+)
+deprecated_traits_update = policy.DeprecatedRule(
+    name=TRAITS_UPDATE,
+    check_str=base.RULE_ADMIN_API
+)
+deprecated_traits_delete = policy.DeprecatedRule(
+    name=TRAITS_DELETE,
+    check_str=base.RULE_ADMIN_API
+)
+deprecated_rp_trait_update = policy.DeprecatedRule(
+    name=RP_TRAIT_UPDATE,
+    check_str=base.RULE_ADMIN_API
+)
+deprecated_rp_trait_delete = policy.DeprecatedRule(
+    name=RP_TRAIT_DELETE,
+    check_str=base.RULE_ADMIN_API
+)
+
 
 rules = [
     policy.DocumentedRuleDefault(
-        TRAITS_LIST,
-        base.RULE_ADMIN_API,
-        "List traits.",
-        [
+        name=TRAITS_LIST,
+        check_str=base.SYSTEM_READER,
+        description="List traits.",
+        operations=[
             {
                 'method': 'GET',
                 'path': '/traits'
             }
         ],
-        scope_types=['system']
+        scope_types=['system'],
+        deprecated_rule=deprecated_list_traits,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
-        TRAITS_SHOW,
-        base.RULE_ADMIN_API,
-        "Show trait.",
-        [
+        name=TRAITS_SHOW,
+        check_str=base.SYSTEM_READER,
+        description="Show trait.",
+        operations=[
             {
                 'method': 'GET',
                 'path': '/traits/{name}'
             }
         ],
         scope_types=['system'],
+        deprecated_rule=deprecated_show_trait,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
-        TRAITS_UPDATE,
-        base.RULE_ADMIN_API,
-        "Update trait.",
-        [
+        name=TRAITS_UPDATE,
+        check_str=base.SYSTEM_ADMIN,
+        description="Update trait.",
+        operations=[
             {
                 'method': 'PUT',
                 'path': '/traits/{name}'
             }
         ],
         scope_types=['system'],
+        deprecated_rule=deprecated_traits_update,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
-        TRAITS_DELETE,
-        base.RULE_ADMIN_API,
-        "Delete trait.",
-        [
+        name=TRAITS_DELETE,
+        check_str=base.SYSTEM_ADMIN,
+        description="Delete trait.",
+        operations=[
             {
                 'method': 'DELETE',
                 'path': '/traits/{name}'
             }
         ],
         scope_types=['system'],
+        deprecated_rule=deprecated_traits_delete,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
-        RP_TRAIT_LIST,
-        base.RULE_ADMIN_API,
-        "List resource provider traits.",
-        [
+        name=RP_TRAIT_LIST,
+        check_str=base.SYSTEM_READER,
+        description="List resource provider traits.",
+        operations=[
             {
                 'method': 'GET',
                 'path': '/resource_providers/{uuid}/traits'
             }
         ],
         scope_types=['system'],
+        deprecated_rule=deprecated_rp_traits_list,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
-        RP_TRAIT_UPDATE,
-        base.RULE_ADMIN_API,
-        "Update resource provider traits.",
-        [
+        name=RP_TRAIT_UPDATE,
+        check_str=base.SYSTEM_ADMIN,
+        description="Update resource provider traits.",
+        operations=[
             {
                 'method': 'PUT',
                 'path': '/resource_providers/{uuid}/traits'
             }
         ],
         scope_types=['system'],
+        deprecated_rule=deprecated_rp_trait_update,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
     policy.DocumentedRuleDefault(
-        RP_TRAIT_DELETE,
-        base.RULE_ADMIN_API,
-        "Delete resource provider traits.",
-        [
+        name=RP_TRAIT_DELETE,
+        check_str=base.SYSTEM_ADMIN,
+        description="Delete resource provider traits.",
+        operations=[
             {
                 'method': 'DELETE',
                 'path': '/resource_providers/{uuid}/traits'
             }
         ],
         scope_types=['system'],
+        deprecated_rule=deprecated_rp_trait_delete,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
     ),
 ]
 

placement/tests/functional/gabbits/traits-legacy-rbac.yaml

@@ -0,0 +1,108 @@
+---
+fixtures:
+  - LegacyRBACPolicyFixture
+
+vars:
+  - &project_id $ENVIRON['PROJECT_ID']
+  - &project_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_member_headers
+    x-auth-token: user
+    x-roles: member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+
+tests:
+
+- name: project member cannot list traits
+  GET: /traits
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin can list traits
+  GET: /traits
+  request_headers: *project_admin_headers
+  status: 200
+
+- name: project member cannot create trait
+  PUT: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin can create trait
+  PUT: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_admin_headers
+  status: 201
+
+- name: project member cannot show trait
+  GET: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin can show trait
+  GET: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_admin_headers
+  status: 204
+
+- name: project admin can create resource provider
+  POST: /resource_providers
+  request_headers: *project_admin_headers
+  data:
+    name: $ENVIRON['RP_NAME']
+    uuid: $ENVIRON['RP_UUID']
+  status: 200
+
+- name: project member cannot list resource provider traits
+  GET: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin can list resource provider traits
+  GET: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_admin_headers
+  status: 200
+
+- name: project member cannot update resource provider traits
+  PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_member_headers
+  status: 403
+  data:
+    traits:
+      - CUSTOM_TRAIT_X
+    resource_provider_generation: 0
+
+- name: project admin can update resource provider traits
+  PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_admin_headers
+  status: 200
+  data:
+    traits:
+      - CUSTOM_TRAIT_X
+    resource_provider_generation: 0
+
+- name: project member cannot delete resource provider traits
+  DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin can delete resource provider traits
+  DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_admin_headers
+  status: 204
+
+- name: project member cannot delete trait
+  DELETE: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin cannot delete trait
+  DELETE: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_admin_headers
+  status: 204

placement/tests/functional/gabbits/traits-secure-rbac.yaml

@@ -0,0 +1,246 @@
+---
+fixtures:
+  - SecureRBACPolicyFixture
+
+vars:
+  - &project_id $ENVIRON['PROJECT_ID']
+  - &system_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+    openstack-system-scope: all
+  - &system_reader_headers
+    x-auth-token: user
+    x-roles: reader
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+    openstack-system-scope: all
+  - &project_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_member_headers
+    x-auth-token: user
+    x-roles: member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_reader_headers
+    x-auth-token: user
+    x-roles: reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+
+tests:
+
+- name: project admin cannot list traits
+  GET: /traits
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot list traits
+  GET: /traits
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot list traits
+  GET: /traits
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader can list traits
+  GET: /traits
+  request_headers: *system_reader_headers
+  status: 200
+
+- name: system admin can list traits
+  GET: /traits
+  request_headers: *system_admin_headers
+  status: 200
+
+- name: project admin cannot create trait
+  PUT: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot create trait
+  PUT: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot create trait
+  PUT: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader cannot create trait
+  PUT: /traits/CUSTOM_TRAIT_X
+  request_headers: *system_reader_headers
+  status: 403
+
+- name: system admin can create trait
+  PUT: /traits/CUSTOM_TRAIT_X
+  request_headers: *system_admin_headers
+  status: 201
+
+- name: project admin cannot show trait
+  GET: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot show trait
+  GET: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot show trait
+  GET: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader can show trait
+  GET: /traits/CUSTOM_TRAIT_X
+  request_headers: *system_reader_headers
+  status: 204
+
+- name: system admin can show trait
+  GET: /traits/CUSTOM_TRAIT_X
+  request_headers: *system_admin_headers
+  status: 204
+
+- name: system admin can create resource provider
+  POST: /resource_providers
+  request_headers: *system_admin_headers
+  data:
+    name: $ENVIRON['RP_NAME']
+    uuid: $ENVIRON['RP_UUID']
+  status: 200
+
+- name: project admin cannot list resource provider traits
+  GET: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot list resource provider traits
+  GET: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot list resource provider traits
+  GET: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader can list resource provider traits
+  GET: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *system_reader_headers
+  status: 200
+
+- name: system admin can list resource provider traits
+  GET: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *system_admin_headers
+  status: 200
+
+- name: project admin cannot update resource provider traits
+  PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_admin_headers
+  status: 403
+  data:
+    traits:
+      - CUSTOM_TRAIT_X
+    resource_provider_generation: 0
+
+- name: project member cannot update resource provider traits
+  PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_member_headers
+  status: 403
+  data:
+    traits:
+      - CUSTOM_TRAIT_X
+    resource_provider_generation: 0
+
+- name: project reader cannot update resource provider traits
+  PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_reader_headers
+  status: 403
+  data:
+    traits:
+      - CUSTOM_TRAIT_X
+    resource_provider_generation: 0
+
+- name: system reader cannot update resource provider traits
+  PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *system_reader_headers
+  status: 403
+  data:
+    traits:
+      - CUSTOM_TRAIT_X
+    resource_provider_generation: 0
+
+- name: system admin can update resource provider traits
+  PUT: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *system_admin_headers
+  status: 200
+  data:
+    traits:
+      - CUSTOM_TRAIT_X
+    resource_provider_generation: 0
+
+- name: project admin cannot delete resource provider traits
+  DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot delete resource provider traits
+  DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot delete resource provider traits
+  DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader cannot delete resource provider traits
+  DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *system_reader_headers
+  status: 403
+
+- name: system admin can delete resource provider traits
+  DELETE: /resource_providers/$ENVIRON['RP_UUID']/traits
+  request_headers: *system_admin_headers
+  status: 204
+
+- name: project admin cannot delete trait
+  DELETE: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot delete trait
+  DELETE: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot delete trait
+  DELETE: /traits/CUSTOM_TRAIT_X
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader cannot delete trait
+  DELETE: /traits/CUSTOM_TRAIT_X
+  request_headers: *system_reader_headers
+  status: 403
+
+- name: system admin cannot delete trait
+  DELETE: /traits/CUSTOM_TRAIT_X
+  request_headers: *system_admin_headers
+  status: 204