Merge "Implement secure RBAC for resource classes"
838df65757
@ -11,6 +11,7 @@
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
|
||||||
|
from oslo_log import versionutils
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
from placement.policies import base
|
from placement.policies import base
|
||||||
|
@ -23,62 +24,103 @@ SHOW = PREFIX % 'show'
|
||||||
UPDATE = PREFIX % 'update'
|
UPDATE = PREFIX % 'update'
|
||||||
DELETE = PREFIX % 'delete'
|
DELETE = PREFIX % 'delete'
|
||||||
|
|
||||||
|
DEPRECATED_REASON = """
|
||||||
|
The resource classes API now supports a read-only role by default.
|
||||||
|
"""
|
||||||
|
|
||||||
|
deprecated_list_resource_classes = policy.DeprecatedRule(
|
||||||
|
name=LIST,
|
||||||
|
check_str=base.RULE_ADMIN_API
|
||||||
|
)
|
||||||
|
deprecated_show_resource_class = policy.DeprecatedRule(
|
||||||
|
name=SHOW,
|
||||||
|
check_str=base.RULE_ADMIN_API
|
||||||
|
)
|
||||||
|
deprecated_create_resource_class = policy.DeprecatedRule(
|
||||||
|
name=CREATE,
|
||||||
|
check_str=base.RULE_ADMIN_API
|
||||||
|
)
|
||||||
|
deprecated_update_resource_class = policy.DeprecatedRule(
|
||||||
|
name=UPDATE,
|
||||||
|
check_str=base.RULE_ADMIN_API
|
||||||
|
)
|
||||||
|
deprecated_delete_resource_class = policy.DeprecatedRule(
|
||||||
|
name=DELETE,
|
||||||
|
check_str=base.RULE_ADMIN_API
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
LIST,
|
name=LIST,
|
||||||
base.RULE_ADMIN_API,
|
check_str=base.SYSTEM_READER,
|
||||||
"List resource classes.",
|
description="List resource classes.",
|
||||||
[
|
operations=[
|
||||||
{
|
{
|
||||||
'method': 'GET',
|
'method': 'GET',
|
||||||
'path': '/resource_classes'
|
'path': '/resource_classes'
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system']),
|
scope_types=['system'],
|
||||||
|
deprecated_rule=deprecated_list_resource_classes,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
CREATE,
|
name=CREATE,
|
||||||
base.RULE_ADMIN_API,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
"Create resource class.",
|
description="Create resource class.",
|
||||||
[
|
operations=[
|
||||||
{
|
{
|
||||||
'method': 'POST',
|
'method': 'POST',
|
||||||
'path': '/resource_classes'
|
'path': '/resource_classes'
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system']),
|
scope_types=['system'],
|
||||||
|
deprecated_rule=deprecated_create_resource_class,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
SHOW,
|
name=SHOW,
|
||||||
base.RULE_ADMIN_API,
|
check_str=base.SYSTEM_READER,
|
||||||
"Show resource class.",
|
description="Show resource class.",
|
||||||
[
|
operations=[
|
||||||
{
|
{
|
||||||
'method': 'GET',
|
'method': 'GET',
|
||||||
'path': '/resource_classes/{name}'
|
'path': '/resource_classes/{name}'
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system']),
|
scope_types=['system'],
|
||||||
|
deprecated_rule=deprecated_show_resource_class,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
UPDATE,
|
name=UPDATE,
|
||||||
base.RULE_ADMIN_API,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
"Update resource class.",
|
description="Update resource class.",
|
||||||
[
|
operations=[
|
||||||
{
|
{
|
||||||
'method': 'PUT',
|
'method': 'PUT',
|
||||||
'path': '/resource_classes/{name}'
|
'path': '/resource_classes/{name}'
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system']),
|
scope_types=['system'],
|
||||||
|
deprecated_rule=deprecated_update_resource_class,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
DELETE,
|
name=DELETE,
|
||||||
base.RULE_ADMIN_API,
|
check_str=base.SYSTEM_ADMIN,
|
||||||
"Delete resource class.",
|
description="Delete resource class.",
|
||||||
[
|
operations=[
|
||||||
{
|
{
|
||||||
'method': 'DELETE',
|
'method': 'DELETE',
|
||||||
'path': '/resource_classes/{name}'
|
'path': '/resource_classes/{name}'
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
scope_types=['system']),
|
scope_types=['system'],
|
||||||
|
deprecated_rule=deprecated_delete_resource_class,
|
||||||
|
deprecated_reason=DEPRECATED_REASON,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
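Review bot: DEPRECATED_REASON (the string added at the top of the second hunk) only describes the new read-only role, but every rule in the hunk also moves from base.RULE_ADMIN_API to a system-scoped check (SYSTEM_READER or SYSTEM_ADMIN with scope_types=['system']), so project-scoped admin tokens stop matching once scope enforcement is turned on; the reason string should say so, e.g. `The resource classes API now requires system scope and supports a read-only role by default.`. A short comment above `rules = [` would also help operators reading the file: while a deprecated_rule is attached, oslo.policy accepts either the old or the new check_str unless enforce_new_defaults is set, so the legacy admin-API check stays effective during the deprecation window. The legacy-RBAC gabbi file added in this commit (project admin still allowed on every operation) relies on exactly that behaviour, which is worth stating explicitly rather than leaving implicit.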
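--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_legacy_rbac_resource_classes.yaml
@@ -0,0 +1,80 @@
+---
+fixtures:
+  - LegacyRBACPolicyFixture
+
+vars:
+  - &project_id $ENVIRON['PROJECT_ID']
+  - &project_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_member_headers
+    x-auth-token: user
+    x-roles: member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+
+tests:
+
+- name: project member cannot list resource classes
+  GET: /resource_classes
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin can list resource classes
+  GET: /resource_classes
+  request_headers: *project_admin_headers
+  response_json_paths:
+    $.resource_classes.`len`: 18 # Number of standard resource classes
+
+- name: project member cannot create resource classes
+  POST: /resource_classes
+  request_headers: *project_member_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 403
+
+- name: project admin can create resource classes
+  POST: /resource_classes
+  request_headers: *project_admin_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 201
+  response_headers:
+    location: //resource_classes/CUSTOM_RES_CLASS_POLICY/
+
+- name: project member cannot show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin can show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *project_admin_headers
+  response_json_paths:
+    $.name: CUSTOM_RES_CLASS_POLICY
+
+- name: project member cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_admin_headers
+  status: 201
+
+- name: project member cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_admin_headers
+  status: 204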
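Review bot: The test names `- name: project admin cannot update resource class` and `- name: project admin cannot delete resource class` contradict their own assertions (`status: 201` and `status: 204`); these are the positive cases and should read `project admin can update resource class` and `project admin can delete resource class`, otherwise a regression to 403 would look like the behaviour the name describes. The same inversion appears in the secure-RBAC gabbi file of this commit for `system admin cannot update resource class` and `system admin cannot delete resource class`. Separately, both update cases PUT a name that no earlier test created, and the expected 201 suggests the class is being created by that PUT rather than changed, so the update policy is only exercised on the create path; a PUT against the CUSTOM_RES_CLASS_POLICY created earlier in the file would cover the existing-class path too.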
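--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_secure_rbac_resource_classes.yaml
@@ -0,0 +1,184 @@
+---
+fixtures:
+  - SecureRBACPolicyFixture
+
+vars:
+  - &project_id $ENVIRON['PROJECT_ID']
+  - &system_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+    openstack-system-scope: all
+  - &system_reader_headers
+    x-auth-token: user
+    x-roles: reader
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+    openstack-system-scope: all
+  - &project_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_member_headers
+    x-auth-token: user
+    x-roles: member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_reader_headers
+    x-auth-token: user
+    x-roles: reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+
+tests:
+
+- name: project admin cannot list resource classes
+  GET: /resource_classes
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot list resource classes
+  GET: /resource_classes
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot list resource classes
+  GET: /resource_classes
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader can list resource classes
+  GET: /resource_classes
+  request_headers: *system_reader_headers
+  response_json_paths:
+    $.resource_classes.`len`: 18 # Number of standard resource classes
+
+- name: system admin can list resource classes
+  GET: /resource_classes
+  request_headers: *system_admin_headers
+  response_json_paths:
+    $.resource_classes.`len`: 18 # Number of standard resource classes
+
+- name: project admin cannot create resource classes
+  POST: /resource_classes
+  request_headers: *project_admin_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 403
+
+- name: project member cannot create resource classes
+  POST: /resource_classes
+  request_headers: *project_member_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 403
+
+- name: project reader cannot create resource classes
+  POST: /resource_classes
+  request_headers: *project_reader_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 403
+
+- name: system reader cannot create resource classes
+  POST: /resource_classes
+  request_headers: *system_reader_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 403
+
+- name: system admin can create resource classes
+  POST: /resource_classes
+  request_headers: *system_admin_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 201
+  response_headers:
+    location: //resource_classes/CUSTOM_RES_CLASS_POLICY/
+
+- name: project admin cannot show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader can show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *system_reader_headers
+  response_json_paths:
+    $.name: CUSTOM_RES_CLASS_POLICY
+
+- name: system admin can show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *system_admin_headers
+  response_json_paths:
+    $.name: CUSTOM_RES_CLASS_POLICY
+
+- name: project admin cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *system_reader_headers
+  status: 403
+
+- name: system admin cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *system_admin_headers
+  status: 201
+
+- name: project admin cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *system_reader_headers
+  status: 403
+
+- name: system admin cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *system_admin_headers
+  status: 204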
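Review bot: The matrix has no system-scoped persona without the reader role, so only the scope half of the new read policies is negatively tested: every 403 for list and show comes from a project-scoped token, and the only system-scoped callers (`&system_reader_headers`, `&system_admin_headers`) both carry `reader`. If base.SYSTEM_READER requires `role:reader` in addition to system scope, as its name suggests, a persona such as `- &system_member_headers` with `x-roles: member` and `openstack-system-scope: all` expecting `status: 403` on `GET: /resource_classes` would pin that requirement. The hard-coded `$.resource_classes.\`len\`: 18` is also shared with the legacy file and will break whenever a standard resource class is added; a comment naming the source of that number, or a `>=` style check if the fixture allows it, would make the failure mode clearer.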