Implement secure RBAC for resource classes

This commit updates the policies for the resource classes in placement to
support read-only roles.

This is part of a broader community effort to support read-only roles
and implement secure, consistent default policies.

Change-Id: Ie56fac6e0714f418b26c875735caf8867a1a1d9f
Lance Bragstad 2020-10-28 21:05:14 +00:00
parent d0e49b794b
commit e0c9a5a94d
3 changed files with 331 additions and 25 deletions


@ -11,6 +11,7 @@
# under the License.
from oslo_log import versionutils
from oslo_policy import policy
from placement.policies import base
@ -23,62 +24,103 @@ SHOW = PREFIX % 'show'
UPDATE = PREFIX % 'update'
DELETE = PREFIX % 'delete'
DEPRECATED_REASON = """
The resource classes API now supports a read-only role by default.
"""
deprecated_list_resource_classes = policy.DeprecatedRule(
name=LIST,
check_str=base.RULE_ADMIN_API
)
deprecated_show_resource_class = policy.DeprecatedRule(
name=SHOW,
check_str=base.RULE_ADMIN_API
)
deprecated_create_resource_class = policy.DeprecatedRule(
name=CREATE,
check_str=base.RULE_ADMIN_API
)
deprecated_update_resource_class = policy.DeprecatedRule(
name=UPDATE,
check_str=base.RULE_ADMIN_API
)
deprecated_delete_resource_class = policy.DeprecatedRule(
name=DELETE,
check_str=base.RULE_ADMIN_API
)
rules = [
policy.DocumentedRuleDefault(
LIST,
base.RULE_ADMIN_API,
"List resource classes.",
[
name=LIST,
check_str=base.SYSTEM_READER,
description="List resource classes.",
operations=[
{
'method': 'GET',
'path': '/resource_classes'
}
],
scope_types=['system']),
scope_types=['system'],
deprecated_rule=deprecated_list_resource_classes,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
CREATE,
base.RULE_ADMIN_API,
"Create resource class.",
[
name=CREATE,
check_str=base.SYSTEM_ADMIN,
description="Create resource class.",
operations=[
{
'method': 'POST',
'path': '/resource_classes'
}
],
scope_types=['system']),
scope_types=['system'],
deprecated_rule=deprecated_create_resource_class,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
SHOW,
base.RULE_ADMIN_API,
"Show resource class.",
[
name=SHOW,
check_str=base.SYSTEM_READER,
description="Show resource class.",
operations=[
{
'method': 'GET',
'path': '/resource_classes/{name}'
}
],
scope_types=['system']),
scope_types=['system'],
deprecated_rule=deprecated_show_resource_class,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
UPDATE,
base.RULE_ADMIN_API,
"Update resource class.",
[
name=UPDATE,
check_str=base.SYSTEM_ADMIN,
description="Update resource class.",
operations=[
{
'method': 'PUT',
'path': '/resource_classes/{name}'
}
],
scope_types=['system']),
scope_types=['system'],
deprecated_rule=deprecated_update_resource_class,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
policy.DocumentedRuleDefault(
DELETE,
base.RULE_ADMIN_API,
"Delete resource class.",
[
name=DELETE,
check_str=base.SYSTEM_ADMIN,
description="Delete resource class.",
operations=[
{
'method': 'DELETE',
'path': '/resource_classes/{name}'
}
],
scope_types=['system']),
scope_types=['system'],
deprecated_rule=deprecated_delete_resource_class,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY),
]
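Review bot: DEPRECATED_REASON near the top of the hunk is reused for all five rules, but only LIST and SHOW are about a read-only role; CREATE, UPDATE and DELETE move from RULE_ADMIN_API to SYSTEM_ADMIN, which is a scope tightening rather than a new role, so the deprecation warning operators see for those three rules explains the wrong thing. Consider `The resource classes API now supports a read-only role by default, and write operations require a system-scoped admin.` or a second reason string for the write rules. Note also that with deprecated_rule set, oslo.policy keeps honouring the old RULE_ADMIN_API check alongside the new check string until the deployment turns on enforce_new_defaults, so the tightened defaults are not in force on upgrade by themselves; a short comment next to the deprecated_* definitions saying so would save the next reader from having to check the oslo.policy docs. The module may continue past the end of this hunk.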


@ -0,0 +1,80 @@
---
fixtures:
- LegacyRBACPolicyFixture
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &project_admin_headers
x-auth-token: user
x-roles: admin,member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_member_headers
x-auth-token: user
x-roles: member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
tests:
- name: project member cannot list resource classes
GET: /resource_classes
request_headers: *project_member_headers
status: 403
- name: project admin can list resource classes
GET: /resource_classes
request_headers: *project_admin_headers
response_json_paths:
$.resource_classes.`len`: 18 # Number of standard resource classes
- name: project member cannot create resource classes
POST: /resource_classes
request_headers: *project_member_headers
data:
name: CUSTOM_RES_CLASS_POLICY
status: 403
- name: project admin can create resource classes
POST: /resource_classes
request_headers: *project_admin_headers
data:
name: CUSTOM_RES_CLASS_POLICY
status: 201
response_headers:
location: //resource_classes/CUSTOM_RES_CLASS_POLICY/
- name: project member cannot show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *project_member_headers
status: 403
- name: project admin can show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *project_admin_headers
response_json_paths:
$.name: CUSTOM_RES_CLASS_POLICY
- name: project member cannot update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_member_headers
status: 403
- name: project admin cannot update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_admin_headers
status: 201
- name: project member cannot delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_member_headers
status: 403
- name: project admin cannot delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_admin_headers
status: 204
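Review bot: The test names `- name: project admin cannot update resource class` and `- name: project admin cannot delete resource class` say the admin is refused, yet they expect 201 and 204, meaning the operation succeeds, so a failure would be reported with the opposite wording of what happened. Rename them `- name: project admin can update resource class` and `- name: project admin can delete resource class`. The same inverted names appear in the secure RBAC gabbit's `system admin cannot update resource class` and `system admin cannot delete resource class` tests. Separately, the PUT targets CUSTOM_NEW_CLASS_POLICY, which no earlier test created, and the expected 201 suggests the create branch of PUT rather than an update of an existing class; a second PUT against the already-created CUSTOM_RES_CLASS_POLICY would cover the update case too, although the policy rule evaluated is presumably the same either way.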


@ -0,0 +1,184 @@
---
fixtures:
- SecureRBACPolicyFixture
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &system_reader_headers
x-auth-token: user
x-roles: reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &project_admin_headers
x-auth-token: user
x-roles: admin,member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_member_headers
x-auth-token: user
x-roles: member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_reader_headers
x-auth-token: user
x-roles: reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
tests:
- name: project admin cannot list resource classes
GET: /resource_classes
request_headers: *project_admin_headers
status: 403
- name: project member cannot list resource classes
GET: /resource_classes
request_headers: *project_member_headers
status: 403
- name: project reader cannot list resource classes
GET: /resource_classes
request_headers: *project_reader_headers
status: 403
- name: system reader can list resource classes
GET: /resource_classes
request_headers: *system_reader_headers
response_json_paths:
$.resource_classes.`len`: 18 # Number of standard resource classes
- name: system admin can list resource classes
GET: /resource_classes
request_headers: *system_admin_headers
response_json_paths:
$.resource_classes.`len`: 18 # Number of standard resource classes
- name: project admin cannot create resource classes
POST: /resource_classes
request_headers: *project_admin_headers
data:
name: CUSTOM_RES_CLASS_POLICY
status: 403
- name: project member cannot create resource classes
POST: /resource_classes
request_headers: *project_member_headers
data:
name: CUSTOM_RES_CLASS_POLICY
status: 403
- name: project reader cannot create resource classes
POST: /resource_classes
request_headers: *project_reader_headers
data:
name: CUSTOM_RES_CLASS_POLICY
status: 403
- name: system reader cannot create resource classes
POST: /resource_classes
request_headers: *system_reader_headers
data:
name: CUSTOM_RES_CLASS_POLICY
status: 403
- name: system admin can create resource classes
POST: /resource_classes
request_headers: *system_admin_headers
data:
name: CUSTOM_RES_CLASS_POLICY
status: 201
response_headers:
location: //resource_classes/CUSTOM_RES_CLASS_POLICY/
- name: project admin cannot show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *project_admin_headers
status: 403
- name: project member cannot show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *project_member_headers
status: 403
- name: project reader cannot show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *project_reader_headers
status: 403
- name: system reader can show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *system_reader_headers
response_json_paths:
$.name: CUSTOM_RES_CLASS_POLICY
- name: system admin can show resource class
GET: /resource_classes/CUSTOM_RES_CLASS_POLICY
request_headers: *system_admin_headers
response_json_paths:
$.name: CUSTOM_RES_CLASS_POLICY
- name: project admin cannot update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_admin_headers
status: 403
- name: project member cannot update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_member_headers
status: 403
- name: project reader cannot update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_reader_headers
status: 403
- name: system reader cannot update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *system_reader_headers
status: 403
- name: system admin cannot update resource class
PUT: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *system_admin_headers
status: 201
- name: project admin cannot delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_admin_headers
status: 403
- name: project member cannot delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_member_headers
status: 403
- name: project reader cannot delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *project_reader_headers
status: 403
- name: system reader cannot delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *system_reader_headers
status: 403
- name: system admin cannot delete resource class
DELETE: /resource_classes/CUSTOM_NEW_CLASS_POLICY
request_headers: *system_admin_headers
status: 204
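Review bot: The header anchors cover project admin, member and reader and system admin and reader, but no system-scoped token that carries only the member role; if base.SYSTEM_ADMIN requires the admin role, a header set with `x-roles: member,reader` plus `openstack-system-scope: all` should get 403 on POST, PUT and DELETE, and without that case the admin-versus-member boundary inside system scope is untested. Adding a `&system_member_headers` anchor next to `&system_reader_headers` and one negative test per write operation would close the gap. The `18 # Number of standard resource classes` expectations are presumably tied to the standard classes the fixture loads from the os-resource-classes library; if so, the literal will need bumping whenever a standard class is added, which the comment could say outright.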