Implement secure RBAC for reshaper
This commit updates the policies for the resource classes in placement to support read-only roles. This is part of a broader community effort to support read-only roles and implement secure, consistent default policies. Change-Id: Ifeb5ae29d9d637708cd5c0bc62a2abfcbac3ca6e Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This commit is contained in:
parent
6805790dda
commit
94279af1e1
|
@ -11,6 +11,7 @@
|
|||
# under the License.
|
||||
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from placement.policies import base
|
||||
|
@ -19,10 +20,19 @@ from placement.policies import base
|
|||
PREFIX = 'placement:reshaper:%s'
|
||||
RESHAPE = PREFIX % 'reshape'
|
||||
|
||||
deprecated_reshape = policy.DeprecatedRule(
|
||||
name=RESHAPE,
|
||||
check_str=base.RULE_ADMIN_API,
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
The reshape API now supports scoped rule by default.
|
||||
"""
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
RESHAPE,
|
||||
base.RULE_ADMIN_API,
|
||||
base.SYSTEM_ADMIN,
|
||||
"Reshape Inventory and Allocations.",
|
||||
[
|
||||
{
|
||||
|
@ -30,7 +40,11 @@ rules = [
|
|||
'path': '/reshaper'
|
||||
}
|
||||
],
|
||||
scope_types=['system']),
|
||||
scope_types=['system'],
|
||||
deprecated_rule=deprecated_reshape,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY,
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
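Review bot: The new `DEPRECATED_REASON` text, `The reshape API now supports scoped rule by default.`, is ungrammatical and is the string operators will see in the oslo.policy deprecation warning; something like `The reshape API now supports system scope and default roles.` reads cleanly and says what actually changed. It is also worth a short comment above the new `deprecated_reshape` definition, e.g. `# Legacy check (rule:admin_api); oslo.policy ORs it with the new default until [oslo_policy] enforce_new_defaults is enabled`, because as written the effective check during the deprecation window is wider than `base.SYSTEM_ADMIN` alone, which is why the legacy-fixture gabbi test in this commit still expects a project-scoped admin to get 204. The `rules` list this hunk modifies starts in the previous hunk, so the new keyword arguments cannot be judged against the full `DocumentedRuleDefault` call from this view alone.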
@ -0,0 +1,90 @@
|
|||
---
|
||||
fixtures:
|
||||
- LegacyRBACPolicyFixture
|
||||
|
||||
vars:
|
||||
- &project_id $ENVIRON['PROJECT_ID']
|
||||
- &project_admin_headers
|
||||
x-auth-token: user
|
||||
x-roles: admin,member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
- &project_member_headers
|
||||
x-auth-token: user
|
||||
x-roles: member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
|
||||
tests:
|
||||
|
||||
- name: create parent resource provider
|
||||
POST: /resource_providers
|
||||
request_headers: *project_admin_headers
|
||||
data:
|
||||
name: $ENVIRON['RP_NAME']
|
||||
uuid: $ENVIRON['RP_UUID']
|
||||
status: 200
|
||||
|
||||
- name: create inventory for the parent resource provider
|
||||
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
|
||||
request_headers: *project_admin_headers
|
||||
data:
|
||||
resource_class: DISK_GB
|
||||
total: 2048
|
||||
reserved: 512
|
||||
min_unit: 10
|
||||
max_unit: 1024
|
||||
step_size: 10
|
||||
allocation_ratio: 1.0
|
||||
status: 201
|
||||
|
||||
- name: create a child provider
|
||||
POST: /resource_providers
|
||||
request_headers: *project_admin_headers
|
||||
data:
|
||||
uuid: 04914444-41ae-4ff3-ab56-ded01552cd1e
|
||||
name: 636f2798-9599-4371-a3ed-e7b2128aef97
|
||||
parent_provider_uuid: $ENVIRON['RP_UUID']
|
||||
status: 200
|
||||
|
||||
- name: project member cannot reshape
|
||||
POST: /reshaper
|
||||
request_headers: *project_member_headers
|
||||
data:
|
||||
inventories:
|
||||
$ENVIRON['RP_UUID']:
|
||||
resource_provider_generation: 1
|
||||
inventories: []
|
||||
04914444-41ae-4ff3-ab56-ded01552cd1e:
|
||||
resource_provider_generation: 0
|
||||
inventories:
|
||||
DISK_GB:
|
||||
total: 2048
|
||||
step_size: 10
|
||||
min_unit: 10
|
||||
max_unit: 1200
|
||||
allocations: {}
|
||||
status: 403
|
||||
|
||||
- name: project admin can reshape
|
||||
POST: /reshaper
|
||||
request_headers: *project_admin_headers
|
||||
data:
|
||||
inventories:
|
||||
$ENVIRON['RP_UUID']:
|
||||
resource_provider_generation: 1
|
||||
inventories: {}
|
||||
04914444-41ae-4ff3-ab56-ded01552cd1e:
|
||||
resource_provider_generation: 0
|
||||
inventories:
|
||||
DISK_GB:
|
||||
total: 2048
|
||||
step_size: 10
|
||||
min_unit: 10
|
||||
max_unit: 1200
|
||||
allocations: {}
|
||||
status: 204
|
|
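Review bot: The forbidden case `project member cannot reshape` sends `inventories: []` for the parent provider, while the allowed case `project admin can reshape` sends `inventories: {}` and the child provider in both payloads uses a mapping keyed by resource class; the list form looks like a typo rather than an intended difference. If the handler ever validated the body before the policy check, this case would fail with a 400 instead of the asserted 403, so the payloads should be identical apart from the headers so that the 403 is attributable to the role alone: change `inventories: []` to `inventories: {}`. The same `[]`/`{}` mismatch is present in the three 403 cases of the secure-RBAC test file that follows, and the legacy fixture here has no `reader`-only case to mirror `project reader cannot reshape` in that file.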
@ -0,0 +1,168 @@
|
|||
---
|
||||
fixtures:
|
||||
- SecureRBACPolicyFixture
|
||||
|
||||
vars:
|
||||
- &project_id $ENVIRON['PROJECT_ID']
|
||||
- &system_admin_headers
|
||||
x-auth-token: user
|
||||
x-roles: admin,member,reader
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
openstack-system-scope: all
|
||||
- &system_reader_headers
|
||||
x-auth-token: user
|
||||
x-roles: reader
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
openstack-system-scope: all
|
||||
- &project_admin_headers
|
||||
x-auth-token: user
|
||||
x-roles: admin,member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
- &project_member_headers
|
||||
x-auth-token: user
|
||||
x-roles: member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
- &project_reader_headers
|
||||
x-auth-token: user
|
||||
x-roles: reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
|
||||
tests:
|
||||
|
||||
- name: create parent resource provider
|
||||
POST: /resource_providers
|
||||
request_headers: *system_admin_headers
|
||||
data:
|
||||
name: $ENVIRON['RP_NAME']
|
||||
uuid: $ENVIRON['RP_UUID']
|
||||
status: 200
|
||||
|
||||
- name: create inventory for the parent resource provider
|
||||
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
|
||||
request_headers: *system_admin_headers
|
||||
data:
|
||||
resource_class: DISK_GB
|
||||
total: 2048
|
||||
reserved: 512
|
||||
min_unit: 10
|
||||
max_unit: 1024
|
||||
step_size: 10
|
||||
allocation_ratio: 1.0
|
||||
status: 201
|
||||
|
||||
- name: create a child provider
|
||||
POST: /resource_providers
|
||||
request_headers: *system_admin_headers
|
||||
data:
|
||||
uuid: 04914444-41ae-4ff3-ab56-ded01552cd1e
|
||||
name: 636f2798-9599-4371-a3ed-e7b2128aef97
|
||||
parent_provider_uuid: $ENVIRON['RP_UUID']
|
||||
status: 200
|
||||
|
||||
- name: project reader cannot reshape
|
||||
POST: /reshaper
|
||||
request_headers: *project_reader_headers
|
||||
data:
|
||||
inventories:
|
||||
$ENVIRON['RP_UUID']:
|
||||
resource_provider_generation: 1
|
||||
inventories: []
|
||||
04914444-41ae-4ff3-ab56-ded01552cd1e:
|
||||
resource_provider_generation: 0
|
||||
inventories:
|
||||
DISK_GB:
|
||||
total: 2048
|
||||
step_size: 10
|
||||
min_unit: 10
|
||||
max_unit: 1200
|
||||
allocations: {}
|
||||
status: 403
|
||||
|
||||
- name: project member cannot reshape
|
||||
POST: /reshaper
|
||||
request_headers: *project_member_headers
|
||||
data:
|
||||
inventories:
|
||||
$ENVIRON['RP_UUID']:
|
||||
resource_provider_generation: 1
|
||||
inventories: []
|
||||
04914444-41ae-4ff3-ab56-ded01552cd1e:
|
||||
resource_provider_generation: 0
|
||||
inventories:
|
||||
DISK_GB:
|
||||
total: 2048
|
||||
step_size: 10
|
||||
min_unit: 10
|
||||
max_unit: 1200
|
||||
allocations: {}
|
||||
status: 403
|
||||
|
||||
- name: project admin cannot reshape
|
||||
POST: /reshaper
|
||||
request_headers: *project_admin_headers
|
||||
data:
|
||||
inventories:
|
||||
$ENVIRON['RP_UUID']:
|
||||
resource_provider_generation: 1
|
||||
inventories: {}
|
||||
04914444-41ae-4ff3-ab56-ded01552cd1e:
|
||||
resource_provider_generation: 0
|
||||
inventories:
|
||||
DISK_GB:
|
||||
total: 2048
|
||||
step_size: 10
|
||||
min_unit: 10
|
||||
max_unit: 1200
|
||||
allocations: {}
|
||||
status: 403
|
||||
|
||||
- name: system reader cannot reshape
|
||||
POST: /reshaper
|
||||
request_headers: *system_reader_headers
|
||||
data:
|
||||
inventories:
|
||||
$ENVIRON['RP_UUID']:
|
||||
resource_provider_generation: 1
|
||||
inventories: []
|
||||
04914444-41ae-4ff3-ab56-ded01552cd1e:
|
||||
resource_provider_generation: 0
|
||||
inventories:
|
||||
DISK_GB:
|
||||
total: 2048
|
||||
step_size: 10
|
||||
min_unit: 10
|
||||
max_unit: 1200
|
||||
allocations: {}
|
||||
status: 403
|
||||
|
||||
- name: system admin can reshape
|
||||
POST: /reshaper
|
||||
request_headers: *system_admin_headers
|
||||
data:
|
||||
inventories:
|
||||
$ENVIRON['RP_UUID']:
|
||||
resource_provider_generation: 1
|
||||
inventories: {}
|
||||
04914444-41ae-4ff3-ab56-ded01552cd1e:
|
||||
resource_provider_generation: 0
|
||||
inventories:
|
||||
DISK_GB:
|
||||
total: 2048
|
||||
step_size: 10
|
||||
min_unit: 10
|
||||
max_unit: 1200
|
||||
allocations: {}
|
||||
status: 204
|
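Review bot: The new file exercises system reader (403) and system admin (204) but never a system-scoped `member`, so nothing here shows that `base.SYSTEM_ADMIN` rejects a caller who has the right scope but lacks the `admin` role; the project-scoped cases cannot distinguish a role failure from a scope failure. Adding a `&system_member_headers` anchor with `x-roles: member,reader` and `openstack-system-scope: all`, plus a `system member cannot reshape` case expecting 403, closes that gap and keeps the file symmetric with the project-scoped reader/member/admin trio. The payload should be the same mapping-based body used by `system admin can reshape`.
```yaml
  - &system_member_headers
    x-auth-token: user
    x-roles: member,reader
    accept: application/json
    content-type: application/json
    openstack-api-version: placement latest
    openstack-system-scope: all

# … unchanged: existing tests …

- name: system member cannot reshape
  POST: /reshaper
  request_headers: *system_member_headers
  data:
    inventories:
      $ENVIRON['RP_UUID']:
        resource_provider_generation: 1
        inventories: {}
      04914444-41ae-4ff3-ab56-ded01552cd1e:
        resource_provider_generation: 0
        inventories:
          DISK_GB:
            total: 2048
            step_size: 10
            min_unit: 10
            max_unit: 1200
    allocations: {}
  status: 403
```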