Merge "Implement secure RBAC for resource classes"

placement/policies/resource_class.py

@@ -11,6 +11,7 @@
 #    under the License.
 
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from placement.policies import base
@@ -23,62 +24,103 @@ SHOW = PREFIX % 'show'
 UPDATE = PREFIX % 'update'
 DELETE = PREFIX % 'delete'
 
+DEPRECATED_REASON = """
+The resource classes API now supports a read-only role by default.
+"""
+
+deprecated_list_resource_classes = policy.DeprecatedRule(
+    name=LIST,
+    check_str=base.RULE_ADMIN_API
+)
+deprecated_show_resource_class = policy.DeprecatedRule(
+    name=SHOW,
+    check_str=base.RULE_ADMIN_API
+)
+deprecated_create_resource_class = policy.DeprecatedRule(
+    name=CREATE,
+    check_str=base.RULE_ADMIN_API
+)
+deprecated_update_resource_class = policy.DeprecatedRule(
+    name=UPDATE,
+    check_str=base.RULE_ADMIN_API
+)
+deprecated_delete_resource_class = policy.DeprecatedRule(
+    name=DELETE,
+    check_str=base.RULE_ADMIN_API
+)
+
+
 rules = [
     policy.DocumentedRuleDefault(
-        LIST,
+        name=LIST,
-        base.RULE_ADMIN_API,
+        check_str=base.SYSTEM_READER,
-        "List resource classes.",
+        description="List resource classes.",
-        [
+        operations=[
             {
                 'method': 'GET',
                 'path': '/resource_classes'
             }
         ],
-        scope_types=['system']),
+        scope_types=['system'],
+        deprecated_rule=deprecated_list_resource_classes,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY),
     policy.DocumentedRuleDefault(
-        CREATE,
+        name=CREATE,
-        base.RULE_ADMIN_API,
+        check_str=base.SYSTEM_ADMIN,
-        "Create resource class.",
+        description="Create resource class.",
-        [
+        operations=[
             {
                 'method': 'POST',
                 'path': '/resource_classes'
             }
         ],
-        scope_types=['system']),
+        scope_types=['system'],
+        deprecated_rule=deprecated_create_resource_class,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY),
     policy.DocumentedRuleDefault(
-        SHOW,
+        name=SHOW,
-        base.RULE_ADMIN_API,
+        check_str=base.SYSTEM_READER,
-        "Show resource class.",
+        description="Show resource class.",
-        [
+        operations=[
             {
                 'method': 'GET',
                 'path': '/resource_classes/{name}'
             }
         ],
-        scope_types=['system']),
+        scope_types=['system'],
+        deprecated_rule=deprecated_show_resource_class,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY),
     policy.DocumentedRuleDefault(
-        UPDATE,
+        name=UPDATE,
-        base.RULE_ADMIN_API,
+        check_str=base.SYSTEM_ADMIN,
-        "Update resource class.",
+        description="Update resource class.",
-        [
+        operations=[
             {
                 'method': 'PUT',
                 'path': '/resource_classes/{name}'
             }
         ],
-        scope_types=['system']),
+        scope_types=['system'],
+        deprecated_rule=deprecated_update_resource_class,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY),
     policy.DocumentedRuleDefault(
-        DELETE,
+        name=DELETE,
-        base.RULE_ADMIN_API,
+        check_str=base.SYSTEM_ADMIN,
-        "Delete resource class.",
+        description="Delete resource class.",
-        [
+        operations=[
             {
                 'method': 'DELETE',
                 'path': '/resource_classes/{name}'
             }
         ],
-        scope_types=['system']),
+        scope_types=['system'],
+        deprecated_rule=deprecated_delete_resource_class,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY),
 ]
 
 

placement/tests/functional/gabbits/resource-classes-legacy-rbac.yaml

@@ -0,0 +1,80 @@
+---
+fixtures:
+  - LegacyRBACPolicyFixture
+
+vars:
+  - &project_id $ENVIRON['PROJECT_ID']
+  - &project_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_member_headers
+    x-auth-token: user
+    x-roles: member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+
+tests:
+
+- name: project member cannot list resource classes
+  GET: /resource_classes
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin can list resource classes
+  GET: /resource_classes
+  request_headers: *project_admin_headers
+  response_json_paths:
+    $.resource_classes.`len`: 18  #  Number of standard resource classes
+
+- name: project member cannot create resource classes
+  POST: /resource_classes
+  request_headers: *project_member_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 403
+
+- name: project admin can create resource classes
+  POST: /resource_classes
+  request_headers: *project_admin_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 201
+  response_headers:
+    location: //resource_classes/CUSTOM_RES_CLASS_POLICY/
+
+- name: project member cannot show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin can show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *project_admin_headers
+  response_json_paths:
+    $.name: CUSTOM_RES_CLASS_POLICY
+
+- name: project member cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_admin_headers
+  status: 201
+
+- name: project member cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project admin cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_admin_headers
+  status: 204

placement/tests/functional/gabbits/resource-classes-secure-rbac.yaml

@@ -0,0 +1,184 @@
+---
+fixtures:
+  - SecureRBACPolicyFixture
+
+vars:
+  - &project_id $ENVIRON['PROJECT_ID']
+  - &system_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+    openstack-system-scope: all
+  - &system_reader_headers
+    x-auth-token: user
+    x-roles: reader
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+    openstack-system-scope: all
+  - &project_admin_headers
+    x-auth-token: user
+    x-roles: admin,member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_member_headers
+    x-auth-token: user
+    x-roles: member,reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+  - &project_reader_headers
+    x-auth-token: user
+    x-roles: reader
+    x-project-id: *project_id
+    accept: application/json
+    content-type: application/json
+    openstack-api-version: placement latest
+
+tests:
+
+- name: project admin cannot list resource classes
+  GET: /resource_classes
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot list resource classes
+  GET: /resource_classes
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot list resource classes
+  GET: /resource_classes
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader can list resource classes
+  GET: /resource_classes
+  request_headers: *system_reader_headers
+  response_json_paths:
+    $.resource_classes.`len`: 18  #  Number of standard resource classes
+
+- name: system admin can list resource classes
+  GET: /resource_classes
+  request_headers: *system_admin_headers
+  response_json_paths:
+    $.resource_classes.`len`: 18  #  Number of standard resource classes
+
+- name: project admin cannot create resource classes
+  POST: /resource_classes
+  request_headers: *project_admin_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 403
+
+- name: project member cannot create resource classes
+  POST: /resource_classes
+  request_headers: *project_member_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 403
+
+- name: project reader cannot create resource classes
+  POST: /resource_classes
+  request_headers: *project_reader_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 403
+
+- name: system reader cannot create resource classes
+  POST: /resource_classes
+  request_headers: *system_reader_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 403
+
+- name: system admin can create resource classes
+  POST: /resource_classes
+  request_headers: *system_admin_headers
+  data:
+    name: CUSTOM_RES_CLASS_POLICY
+  status: 201
+  response_headers:
+    location: //resource_classes/CUSTOM_RES_CLASS_POLICY/
+
+- name: project admin cannot show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader can show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *system_reader_headers
+  response_json_paths:
+    $.name: CUSTOM_RES_CLASS_POLICY
+
+- name: system admin can show resource class
+  GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
+  request_headers: *system_admin_headers
+  response_json_paths:
+    $.name: CUSTOM_RES_CLASS_POLICY
+
+- name: project admin cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *system_reader_headers
+  status: 403
+
+- name: system admin cannot update resource class
+  PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *system_admin_headers
+  status: 201
+
+- name: project admin cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_admin_headers
+  status: 403
+
+- name: project member cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_member_headers
+  status: 403
+
+- name: project reader cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *project_reader_headers
+  status: 403
+
+- name: system reader cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *system_reader_headers
+  status: 403
+
+- name: system admin cannot delete resource class
+  DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
+  request_headers: *system_admin_headers
+  status: 204