Introduce project scope_types in VNF Package policy

oslo.policy introduced the scope_type feature which can
control the access level at system-level and project-level.
 - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope

As per the SRBAC design, OpenStack does not support system scope so
we need to make scope type of each policy rule to project.

- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1

A policy with 'project' scope means that a user holding a project-scoped
token is permitted access, which is exactly the current behaviour, so the
permission level does not change. Setting scope_type to project
explicitly does, however, give a better error message: if a user with a
system-scoped token tries to access the Tacker APIs, oslo.policy fails
early (instead of failing in a lower layer at the DB or VIM level) and
reports the invalid scope clearly.

This commit adds project scope in VNF Package policies and its tests
also.

Partial implement blueprint implement-project-personas

Change-Id: I835817a87b6274662a9d612d9004eca1463bc586
Ghanshyam Mann 2024-02-11 12:03:10 -08:00 committed by Ghanshyam
parent 2de67c771b
commit 204def5d54
2 changed files with 64 additions and 10 deletions


@ -31,7 +31,8 @@ rules = [
'method': 'POST',
'path': '/vnf_packages'
}
]),
],
scope_types=['project']),
policy.DocumentedRuleDefault(
name=VNFPKGM % 'show',
check_str=base.RULE_ADMIN_OR_OWNER,
@ -41,7 +42,8 @@ rules = [
'method': 'GET',
'path': '/vnf_packages/{vnf_package_id}'
}
]),
],
scope_types=['project']),
policy.DocumentedRuleDefault(
name=VNFPKGM % 'index',
check_str=base.RULE_ADMIN_OR_OWNER,
@ -51,7 +53,8 @@ rules = [
'method': 'GET',
'path': '/vnf_packages/'
}
]),
],
scope_types=['project']),
policy.DocumentedRuleDefault(
name=VNFPKGM % 'delete',
check_str=base.RULE_ADMIN_OR_OWNER,
@ -61,7 +64,8 @@ rules = [
'method': 'DELETE',
'path': '/vnf_packages/{vnf_package_id}'
}
]),
],
scope_types=['project']),
policy.DocumentedRuleDefault(
name=VNFPKGM % 'fetch_package_content',
check_str=base.RULE_ADMIN_OR_OWNER,
@ -72,7 +76,8 @@ rules = [
'path': '/vnf_packages/{vnf_package_id}/'
'package_content'
}
]),
],
scope_types=['project']),
policy.DocumentedRuleDefault(
name=VNFPKGM % 'upload_package_content',
check_str=base.RULE_ADMIN_OR_OWNER,
@ -83,7 +88,8 @@ rules = [
'path': '/vnf_packages/{vnf_package_id}/'
'package_content'
}
]),
],
scope_types=['project']),
policy.DocumentedRuleDefault(
name=VNFPKGM % 'upload_from_uri',
check_str=base.RULE_ADMIN_OR_OWNER,
@ -94,7 +100,8 @@ rules = [
'path': '/vnf_packages/{vnf_package_id}/package_content/'
'upload_from_uri'
}
]),
],
scope_types=['project']),
policy.DocumentedRuleDefault(
name=VNFPKGM % 'patch',
check_str=base.RULE_ADMIN_OR_OWNER,
@ -104,7 +111,8 @@ rules = [
'method': 'PATCH',
'path': '/vnf_packages/{vnf_package_id}'
}
]),
],
scope_types=['project']),
policy.DocumentedRuleDefault(
name=VNFPKGM % 'get_vnf_package_vnfd',
check_str=base.RULE_ADMIN_OR_OWNER,
@ -114,7 +122,8 @@ rules = [
'method': 'GET',
'path': '/vnf_packages/{vnf_package_id}/vnfd'
}
]),
],
scope_types=['project']),
policy.DocumentedRuleDefault(
name=VNFPKGM % 'fetch_artifact',
check_str=base.RULE_ADMIN_OR_OWNER,
@ -124,7 +133,8 @@ rules = [
'method': 'GET',
'path': '/vnf_packages/{vnfPkgId}/artifacts/{artifactPath}'
}
]),
],
scope_types=['project']),
]
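Review bot: The early rejection of system-scoped tokens that the description promises applies only when `[oslo_policy] enforce_scope` is True; depending on the oslo.policy version deployed, that option may still default to False, in which case a scope mismatch on these `scope_types=['project']` rules is only logged and the request falls through to the unchanged `RULE_ADMIN_OR_OWNER` check as before. Operators reading this file could take the new lines as an enforced restriction, so a comment at the head of the `rules` list would help, e.g. `# scope_types is enforced only when [oslo_policy] enforce_scope is True; otherwise a scope mismatch is just logged and check_str alone decides.` The `rules` list starts above the first hunk, so that comment belongs outside the shown lines.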


@ -17,6 +17,8 @@ import os
from unittest import mock
import urllib
from oslo_config import cfg
from tacker.api.vnfpkgm.v1 import controller
from tacker.common import csar_utils
from tacker.common import exceptions
@ -305,3 +307,45 @@ class VNFPackagePolicyTest(base_test.BasePolicyTest):
rule_name,
self.controller.fetch_vnf_package_artifacts,
req, constants.UUID, absolute_artifact_path)
class VNFPackageScopeTypePolicyTest(VNFPackagePolicyTest):
"""Test VNF Package APIs policies with scope enabled.
This class set the tacker.conf [oslo_policy] enforce_scope to True
so that we can switch on the scope checking on oslo policy side.
This check that system scope users are not allowed to access the
Tacker VNF Package APIs.
"""
def setUp(self):
super(VNFPackageScopeTypePolicyTest, self).setUp()
cfg.CONF.set_override('enforce_scope', True,
group='oslo_policy')
self.project_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context, self.other_project_member_context,
self.other_project_reader_context
]
# With scope enabled, system scoped users will not be
# allowed to create VNF Package or a few of the VNF Package
# operations in their project.
self.project_unauthorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context
]
self.project_member_authorized_contexts = [
self.legacy_admin_context, self.project_admin_context,
self.project_member_context, self.project_reader_context,
self.project_foo_context
]
# With scope enabled, system scoped users will not be allowed
# to get, detele etc operations of VNF Package.
self.project_member_unauthorized_contexts = [
self.system_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.other_project_member_context,
self.other_project_reader_context]
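Review bot: `cfg.CONF.set_override('enforce_scope', True, group='oslo_policy')` in `setUp` has no matching cleanup, so unless `BasePolicyTest` installs an oslo_config fixture that resets overrides (not visible from this hunk), the True value leaks into later tests in the same worker and the parent class's no-scope expectations become order-dependent. Adding `self.addCleanup(cfg.CONF.clear_override, 'enforce_scope', group='oslo_policy')` directly after the override removes that doubt either way. Separately, the comment above `project_member_unauthorized_contexts` reads `detele` where `delete` is meant.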