From b8e648f13a6c8ab93ae777e2879dc0da6f58329a Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Wed, 28 Oct 2020 21:03:01 +0000 Subject: [PATCH] Implement secure RBAC for allocations This commit updates the policies for the allocations resource in placement to support read-only roles. This is part of a broader community effort to support read-only roles and implement secure, consistent default policies. Change-Id: I1f47f1a96e32d3bc9526c14e5541af7992fd1f72 --- placement/policies/allocation.py | 84 ++++-- .../gabbits/allocations-legacy-rbac.yaml | 283 +++++++++++++++++ .../gabbits/allocations-secure-rbac.yaml | 285 ++++++++++++++++++ 3 files changed, 631 insertions(+), 21 deletions(-) create mode 100644 placement/tests/functional/gabbits/allocations-legacy-rbac.yaml create mode 100644 placement/tests/functional/gabbits/allocations-secure-rbac.yaml diff --git a/placement/policies/allocation.py b/placement/policies/allocation.py index b4a544769..9cb863e4c 100644 --- a/placement/policies/allocation.py +++ b/placement/policies/allocation.py @@ -11,6 +11,7 @@ # under the License. +from oslo_log import versionutils from oslo_policy import policy from placement.policies import base 
@@ -24,66 +25,107 @@ ALLOC_MANAGE = ALLOC_PREFIX % 'manage' ALLOC_UPDATE = ALLOC_PREFIX % 'update' ALLOC_DELETE = ALLOC_PREFIX % 'delete' +DEPRECATED_REASON = """ +The allocation API now supports read-only roles by default. +""" + +deprecated_manage_allocations = policy.DeprecatedRule( + name=ALLOC_MANAGE, + check_str=base.RULE_ADMIN_API +) +deprecated_list_allocation = policy.DeprecatedRule( + name=ALLOC_LIST, + check_str=base.RULE_ADMIN_API +) +deprecated_update_allocation = policy.DeprecatedRule( + name=ALLOC_UPDATE, + check_str=base.RULE_ADMIN_API +) +deprecated_delete_allocation = policy.DeprecatedRule( + name=ALLOC_DELETE, + check_str=base.RULE_ADMIN_API +) +deprecated_list_resource_provider_allocations = policy.DeprecatedRule( + name=RP_ALLOC_LIST, + check_str=base.RULE_ADMIN_API, +) + + rules = [ policy.DocumentedRuleDefault( - ALLOC_MANAGE, - base.RULE_ADMIN_API, - "Manage allocations.", - [ + name=ALLOC_MANAGE, + check_str=base.SYSTEM_ADMIN, + description="Manage allocations.", + operations=[ { 'method': 'POST', 'path': '/allocations' } ], scope_types=['system'], + deprecated_rule=deprecated_manage_allocations, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( - ALLOC_LIST, - base.RULE_ADMIN_API, - "List allocations.", - [ + name=ALLOC_LIST, + check_str=base.SYSTEM_READER, + description="List allocations.", + operations=[ { 'method': 'GET', 'path': '/allocations/{consumer_uuid}' } ], - scope_types=['system'] + scope_types=['system'], + deprecated_rule=deprecated_list_allocation, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( - ALLOC_UPDATE, - base.RULE_ADMIN_API, - "Update allocations.", - [ + name=ALLOC_UPDATE, + check_str=base.SYSTEM_ADMIN, + description="Update allocations.", + operations=[ { 'method': 'PUT', 'path': '/allocations/{consumer_uuid}' } ], scope_types=['system'], + 
deprecated_rule=deprecated_update_allocation, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( - ALLOC_DELETE, - base.RULE_ADMIN_API, - "Delete allocations.", - [ + name=ALLOC_DELETE, + check_str=base.SYSTEM_ADMIN, + description="Delete allocations.", + operations=[ { 'method': 'DELETE', 'path': '/allocations/{consumer_uuid}' } ], scope_types=['system'], + deprecated_rule=deprecated_delete_allocation, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), policy.DocumentedRuleDefault( - RP_ALLOC_LIST, - base.RULE_ADMIN_API, - "List resource provider allocations.", - [ + name=RP_ALLOC_LIST, + check_str=base.SYSTEM_READER, + description="List resource provider allocations.", + operations=[ { 'method': 'GET', 'path': '/resource_providers/{uuid}/allocations' } ], scope_types=['system'], + deprecated_rule=deprecated_list_resource_provider_allocations, + deprecated_reason=DEPRECATED_REASON, + deprecated_since=versionutils.deprecated.WALLABY ), ] diff --git a/placement/tests/functional/gabbits/allocations-legacy-rbac.yaml b/placement/tests/functional/gabbits/allocations-legacy-rbac.yaml new file mode 100644 index 000000000..95dfe84fb --- /dev/null +++ b/placement/tests/functional/gabbits/allocations-legacy-rbac.yaml 
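Review bot: The new `SYSTEM_ADMIN`/`SYSTEM_READER` check strings in this hunk are not restrictive on their own while the `deprecated_rule` entries are attached: as I understand oslo.policy's deprecation handling, the deprecated `check_str` is OR'd with the new default until `[oslo_policy] enforce_new_defaults` is set, so a project-scoped `role:admin` token still satisfies `RULE_ADMIN_API` and keeps manage/update/delete on `/allocations` (the legacy gabbits in this patch rely on exactly that). Nothing in the module says so, and a deployer reading `scope_types=['system']` could assume project admins are already locked out. I would put a comment above `DEPRECATED_REASON`: `# NOTE: until [oslo_policy] enforce_new_defaults and enforce_scope are True, oslo.policy still accepts the deprecated RULE_ADMIN_API check alongside the system-scoped defaults below, so legacy project-admin tokens keep write access.` The `rules` list closes in this hunk, but whatever consumes it (e.g. a `list_rules()` further down) is outside the hunk.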
@@ -0,0 +1,283 @@ +--- +# Test the CRUD operations on /resource_providers/{uuid}/aggregates* using a +# system administrator context. +fixtures: + - LegacyRBACPolicyFixture + +vars: + - &project_id $ENVIRON['PROJECT_ID'] + - &system_admin_headers + x-auth-token: user + x-roles: admin,member,reader + accept: application/json + content-type: application/json + openstack-api-version: placement latest + openstack-system-scope: all + - &system_reader_headers + x-auth-token: user + x-roles: reader + accept: application/json + content-type: application/json + openstack-api-version: placement latest + openstack-system-scope: all + - &project_admin_headers + x-auth-token: user + x-roles: admin,member,reader + x-project-id: *project_id + accept: application/json + content-type: application/json + openstack-api-version: placement latest + - &project_member_headers + x-auth-token: user + x-roles: member,reader + x-project-id: *project_id + accept: application/json + content-type: application/json + openstack-api-version: placement latest + - &project_reader_headers + x-auth-token: user + x-roles: reader + x-project-id: *project_id + accept: application/json + content-type: application/json + openstack-api-version: placement latest + - &agg_1 f918801a-5e54-4bee-9095-09a9d0c786b8 + - &agg_2 a893eb5c-e2a0-4251-ab26-f71d3b0cfc0b + +tests: + +- name: system admin can create resource provider + POST: /resource_providers + request_headers: *system_admin_headers + data: + name: $ENVIRON['RP_NAME'] + uuid: $ENVIRON['RP_UUID'] + status: 200 + +- name: system admin can set inventories + PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories + request_headers: *system_admin_headers + data: + resource_provider_generation: 0 + inventories: + DISK_GB: + total: 2048 + min_unit: 10 + max_unit: 1024 + VCPU: + total: 96 + status: 200 + +- name: project admin can update allocation + PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_admin_headers + data: + 
allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 1 + DISK_GB: 20 + consumer_generation: null + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + status: 204 + +- name: project admin can delete allocations + DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_admin_headers + status: 204 + +- name: project member cannot update allocation + PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_member_headers + data: + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 1 + DISK_GB: 20 + consumer_generation: null + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + status: 403 + +- name: project reader cannot update allocation + PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_reader_headers + data: + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 1 + DISK_GB: 20 + consumer_generation: null + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + status: 403 + +- name: system reader cannot update allocation + PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_reader_headers + data: + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 1 + DISK_GB: 20 + consumer_generation: null + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + status: 403 + +- name: system admin can update allocation + PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_admin_headers + data: + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 1 + DISK_GB: 20 + consumer_generation: null + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + status: 204 + +- name: system admin can list allocation + GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: 
*system_admin_headers + +- name: system reader can list allocation + GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_reader_headers + +- name: project admin can list allocation + GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_admin_headers + +- name: project member cannot list allocation + GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_member_headers + status: 403 + +- name: project reader cannot list allocation + GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_reader_headers + status: 403 + +- name: system admin can list allocations for resource provider + GET: /resource_providers/$ENVIRON['RP_UUID']/allocations + request_headers: *system_admin_headers + +- name: system reader can list allocations for resource provider + GET: /resource_providers/$ENVIRON['RP_UUID']/allocations + request_headers: *system_reader_headers + +- name: project admin can list allocations for resource provider + GET: /resource_providers/$ENVIRON['RP_UUID']/allocations + request_headers: *project_admin_headers + +- name: project member cannot list allocations for resource provider + GET: /resource_providers/$ENVIRON['RP_UUID']/allocations + request_headers: *project_member_headers + status: 403 + +- name: project reader cannot list allocations for resource provider + GET: /resource_providers/$ENVIRON['RP_UUID']/allocations + request_headers: *project_reader_headers + status: 403 + +- name: system reader cannot manage allocations + POST: /allocations + request_headers: *system_reader_headers + data: + a0b15655-273a-4b3d-9792-2e579b7d5ad9: + consumer_generation: 1 + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 8 + DISK_GB: 40 + status: 403 + +- name: project member cannot manage allocations + POST: /allocations + request_headers: 
*project_member_headers + data: + a0b15655-273a-4b3d-9792-2e579b7d5ad9: + consumer_generation: 1 + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 8 + DISK_GB: 40 + status: 403 + +- name: project reader cannot manage allocations + POST: /allocations + request_headers: *project_reader_headers + data: + a0b15655-273a-4b3d-9792-2e579b7d5ad9: + consumer_generation: 1 + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 8 + DISK_GB: 40 + status: 403 + +- name: project admin can manage allocations + POST: /allocations + request_headers: *project_admin_headers + data: + a0b15655-273a-4b3d-9792-2e579b7d5ad9: + consumer_generation: 1 + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 4 + DISK_GB: 20 + status: 204 + +- name: system admin can manage allocations + POST: /allocations + request_headers: *system_admin_headers + data: + a0b15655-273a-4b3d-9792-2e579b7d5ad9: + consumer_generation: 2 + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 8 + DISK_GB: 40 + status: 204 + +- name: project member cannot delete allocations + DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_member_headers + status: 403 + +- name: project reader cannot delete allocations + DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_reader_headers + status: 403 + +- name: system reader cannot delete allocations + DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_reader_headers + status: 403 + +- name: system admin can delete allocations + DELETE: 
/allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_admin_headers + status: 204 diff --git a/placement/tests/functional/gabbits/allocations-secure-rbac.yaml b/placement/tests/functional/gabbits/allocations-secure-rbac.yaml new file mode 100644 index 000000000..5d6908d23 --- /dev/null +++ b/placement/tests/functional/gabbits/allocations-secure-rbac.yaml 
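Review bot: The header comment at the top of this file says it tests `/resource_providers/{uuid}/aggregates*` in a system administrator context, but every test below targets `/allocations` and `/resource_providers/{uuid}/allocations` across system and project personas; the `&agg_1`/`&agg_2` anchors are likewise never referenced, so both look carried over from the aggregates gabbit. A wrong header is the first thing a maintainer reads when a policy test regresses, so it is worth fixing now. I would replace the two comment lines with `# Test the CRUD operations on /allocations and /resource_providers/{uuid}/allocations under the legacy (pre-secure-RBAC) policy defaults, using system and project personas.` and drop the two unused anchors.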
@@ -0,0 +1,285 @@ +--- +# Test the CRUD operations on /resource_providers/{uuid}/aggregates* using a +# system administrator context. +fixtures: + - SecureRBACPolicyFixture + +vars: + - &project_id $ENVIRON['PROJECT_ID'] + - &system_admin_headers + x-auth-token: user + x-roles: admin,member,reader + accept: application/json + content-type: application/json + openstack-api-version: placement latest + openstack-system-scope: all + - &system_reader_headers + x-auth-token: user + x-roles: reader + accept: application/json + content-type: application/json + openstack-api-version: placement latest + openstack-system-scope: all + - &project_admin_headers + x-auth-token: user + x-roles: admin,member,reader + x-project-id: *project_id + accept: application/json + content-type: application/json + openstack-api-version: placement latest + - &project_member_headers + x-auth-token: user + x-roles: member,reader + x-project-id: *project_id + accept: application/json + content-type: application/json + openstack-api-version: placement latest + - &project_reader_headers + x-auth-token: user + x-roles: reader + x-project-id: *project_id + accept: application/json + content-type: application/json + openstack-api-version: placement latest + - &agg_1 f918801a-5e54-4bee-9095-09a9d0c786b8 + - &agg_2 a893eb5c-e2a0-4251-ab26-f71d3b0cfc0b + +tests: + +- name: system admin can create resource provider + POST: /resource_providers + request_headers: *system_admin_headers + data: + name: $ENVIRON['RP_NAME'] + uuid: $ENVIRON['RP_UUID'] + status: 200 + +- name: system admin can set inventories + PUT: /resource_providers/$ENVIRON['RP_UUID']/inventories + request_headers: *system_admin_headers + data: + resource_provider_generation: 0 + inventories: + DISK_GB: + total: 2048 + min_unit: 10 + max_unit: 1024 + VCPU: + total: 96 + status: 200 + +- name: project admin cannot update allocation + PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_admin_headers + data: + 
allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 1 + DISK_GB: 20 + consumer_generation: null + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + status: 403 + +- name: project member cannot update allocation + PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_member_headers + data: + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 1 + DISK_GB: 20 + consumer_generation: null + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + status: 403 + +- name: project reader cannot update allocation + PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_reader_headers + data: + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 1 + DISK_GB: 20 + consumer_generation: null + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + status: 403 + +- name: system reader cannot update allocation + PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_reader_headers + data: + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 1 + DISK_GB: 20 + consumer_generation: null + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + status: 403 + +- name: system admin can update allocation + PUT: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_admin_headers + data: + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 1 + DISK_GB: 20 + consumer_generation: null + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + status: 204 + +- name: system admin can list allocation + GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_admin_headers + +- name: system reader can list allocation + GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_reader_headers + +- 
name: project admin cannot list allocation + GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_admin_headers + status: 403 + +- name: project member cannot list allocation + GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_member_headers + status: 403 + +- name: project reader cannot list allocation + GET: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_reader_headers + status: 403 + +- name: system admin can list allocations for resource provider + GET: /resource_providers/$ENVIRON['RP_UUID']/allocations + request_headers: *system_admin_headers + +- name: system reader can list allocations for resource provider + GET: /resource_providers/$ENVIRON['RP_UUID']/allocations + request_headers: *system_reader_headers + +- name: project admin cannot list allocations for resource provider + GET: /resource_providers/$ENVIRON['RP_UUID']/allocations + request_headers: *project_admin_headers + status: 403 + +- name: project member cannot list allocations for resource provider + GET: /resource_providers/$ENVIRON['RP_UUID']/allocations + request_headers: *project_member_headers + status: 403 + +- name: project reader cannot list allocations for resource provider + GET: /resource_providers/$ENVIRON['RP_UUID']/allocations + request_headers: *project_reader_headers + status: 403 + +- name: system reader cannot manage allocations + POST: /allocations + request_headers: *system_reader_headers + data: + a0b15655-273a-4b3d-9792-2e579b7d5ad9: + consumer_generation: 1 + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 8 + DISK_GB: 40 + status: 403 + +- name: project admin cannot manage allocations + POST: /allocations + request_headers: *project_admin_headers + data: + a0b15655-273a-4b3d-9792-2e579b7d5ad9: + consumer_generation: 1 + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + 
user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 8 + DISK_GB: 40 + status: 403 + +- name: project member cannot manage allocations + POST: /allocations + request_headers: *project_member_headers + data: + a0b15655-273a-4b3d-9792-2e579b7d5ad9: + consumer_generation: 1 + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 8 + DISK_GB: 40 + status: 403 + +- name: project reader cannot manage allocations + POST: /allocations + request_headers: *project_reader_headers + data: + a0b15655-273a-4b3d-9792-2e579b7d5ad9: + consumer_generation: 1 + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 8 + DISK_GB: 40 + status: 403 + +- name: system admin can manage allocations + POST: /allocations + request_headers: *system_admin_headers + data: + a0b15655-273a-4b3d-9792-2e579b7d5ad9: + consumer_generation: 1 + project_id: 42a32c07-3eeb-4401-9373-68a8cdca6784 + user_id: 66cb2f29-c86d-47c3-8af5-69ae7b778c70 + allocations: + $ENVIRON['RP_UUID']: + resources: + VCPU: 8 + DISK_GB: 40 + status: 204 + +- name: project admin cannot delete allocations + DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_admin_headers + status: 403 + +- name: project member cannot delete allocations + DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_member_headers + status: 403 + +- name: project reader cannot delete allocations + DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *project_reader_headers + status: 403 + +- name: system reader cannot delete allocations + DELETE: /allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_reader_headers + status: 403 + +- name: system admin can delete allocations + DELETE: 
/allocations/a0b15655-273a-4b3d-9792-2e579b7d5ad9 + request_headers: *system_admin_headers + status: 204
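Review bot: The positive read tests in this hunk (`system admin can list allocation`, `system reader can list allocation`, and the two resource-provider variants) carry no `status:` line, so the expected code is implicit (gabbi's 200 default) rather than stated, and the allow/deny matrix is only half written down. Adding `status: 200` to each of those four tests makes "can list" explicit and symmetric with the `status: 403` lines on every negative case, which is what a reader will diff against when a policy default changes again. The header comment here also describes `/resource_providers/{uuid}/aggregates*` rather than the allocations endpoints actually exercised, and `&agg_1`/`&agg_2` are unused.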