Introduce project scope_types in VNF Package policy
oslo.policy introduced the scope_type feature, which can control the access level at system level and project level. - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope As per the SRBAC design, OpenStack does not support system scope, so we need to set the scope type of each policy rule to project. - https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1 A policy with 'project' scope means that users with a 'project-scoped' token have permission to access it, which is nothing but the current case, so there is no change in permission level. Explicitly setting the scope_type to project gives the benefit of a better error message. For example, if any user with a system-scoped token tries to access the Tacker APIs, oslo.policy will fail early (instead of failing in a lower layer at the DB or VIM level) and give a clear error message about the invalid scope. This commit adds the project scope to the VNF Package policies and their tests. Partial implement blueprint implement-project-personas Change-Id: I835817a87b6274662a9d612d9004eca1463bc586
parent
2de67c771b
commit
204def5d54
|
@ -31,7 +31,8 @@ rules = [
|
|||
'method': 'POST',
|
||||
'path': '/vnf_packages'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=VNFPKGM % 'show',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -41,7 +42,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': '/vnf_packages/{vnf_package_id}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=VNFPKGM % 'index',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -51,7 +53,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': '/vnf_packages/'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=VNFPKGM % 'delete',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -61,7 +64,8 @@ rules = [
|
|||
'method': 'DELETE',
|
||||
'path': '/vnf_packages/{vnf_package_id}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=VNFPKGM % 'fetch_package_content',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -72,7 +76,8 @@ rules = [
|
|||
'path': '/vnf_packages/{vnf_package_id}/'
|
||||
'package_content'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=VNFPKGM % 'upload_package_content',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -83,7 +88,8 @@ rules = [
|
|||
'path': '/vnf_packages/{vnf_package_id}/'
|
||||
'package_content'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=VNFPKGM % 'upload_from_uri',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -94,7 +100,8 @@ rules = [
|
|||
'path': '/vnf_packages/{vnf_package_id}/package_content/'
|
||||
'upload_from_uri'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=VNFPKGM % 'patch',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -104,7 +111,8 @@ rules = [
|
|||
'method': 'PATCH',
|
||||
'path': '/vnf_packages/{vnf_package_id}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=VNFPKGM % 'get_vnf_package_vnfd',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -114,7 +122,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': '/vnf_packages/{vnf_package_id}/vnfd'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['project']),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=VNFPKGM % 'fetch_artifact',
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
|
@ -124,7 +133,8 @@ rules = [
|
|||
'method': 'GET',
|
||||
'path': '/vnf_packages/{vnfPkgId}/artifacts/{artifactPath}'
|
||||
}
|
||||
]),
|
||||
],
|
||||
scope_types=['project']),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
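Review bot: The `scope_types=['project']` lines added in each hunk of this file only turn into a hard denial when `[oslo_policy] enforce_scope` is True; in oslo.policy releases where that option defaults to False, a system-scoped token hitting these rules is logged as a scope warning and the request still proceeds to the check_str, so the early failure described in the commit message is conditional on that setting (the test hunk overrides it to True for exactly this reason). This applies equally to the create, show, index, delete, fetch_package_content, upload_package_content, upload_from_uri, patch, get_vnf_package_vnfd and fetch_artifact rules. A one-line comment above the rule list would keep the next reader from assuming the denial is unconditional, e.g. `# scope_types is only enforced when [oslo_policy] enforce_scope is True; otherwise a scope mismatch is only logged as a warning.` The enclosing `rules` list starts before the first hunk.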
@ -17,6 +17,8 @@ import os
|
|||
from unittest import mock
|
||||
import urllib
|
||||
|
||||
from oslo_config import cfg
|
||||
|
||||
from tacker.api.vnfpkgm.v1 import controller
|
||||
from tacker.common import csar_utils
|
||||
from tacker.common import exceptions
|
||||
|
@ -305,3 +307,45 @@ class VNFPackagePolicyTest(base_test.BasePolicyTest):
|
|||
rule_name,
|
||||
self.controller.fetch_vnf_package_artifacts,
|
||||
req, constants.UUID, absolute_artifact_path)
|
||||
|
||||
|
||||
class VNFPackageScopeTypePolicyTest(VNFPackagePolicyTest):
|
||||
"""Test VNF Package APIs policies with scope enabled.
|
||||
|
||||
This class set the tacker.conf [oslo_policy] enforce_scope to True
|
||||
so that we can switch on the scope checking on oslo policy side.
|
||||
This check that system scope users are not allowed to access the
|
||||
Tacker VNF Package APIs.
|
||||
"""
|
||||
|
||||
def setUp(self):
|
||||
super(VNFPackageScopeTypePolicyTest, self).setUp()
|
||||
cfg.CONF.set_override('enforce_scope', True,
|
||||
group='oslo_policy')
|
||||
|
||||
self.project_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.project_foo_context, self.other_project_member_context,
|
||||
self.other_project_reader_context
|
||||
]
|
||||
# With scope enabled, system scoped users will not be
|
||||
# allowed to create VNF Package or a few of the VNF Package
|
||||
# operations in their project.
|
||||
self.project_unauthorized_contexts = [
|
||||
self.system_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context
|
||||
]
|
||||
|
||||
self.project_member_authorized_contexts = [
|
||||
self.legacy_admin_context, self.project_admin_context,
|
||||
self.project_member_context, self.project_reader_context,
|
||||
self.project_foo_context
|
||||
]
|
||||
# With scope enabled, system scoped users will not be allowed
|
||||
# to get, detele etc operations of VNF Package.
|
||||
self.project_member_unauthorized_contexts = [
|
||||
self.system_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.system_foo_context,
|
||||
self.other_project_member_context,
|
||||
self.other_project_reader_context]
|
||||
|
|
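Review bot: The comment above `project_member_unauthorized_contexts` misspells "delete" (`# to get, detele etc operations of VNF Package.`), and the class docstring reads awkwardly; I would change it to `This class sets the tacker.conf [oslo_policy] enforce_scope option to True so that scope checking is switched on in oslo.policy. It checks that system-scoped users are not allowed to access the Tacker VNF Package APIs.` The `super(VNFPackageScopeTypePolicyTest, self).setUp()` call can be the plain Python 3 form `super().setUp()`, which this file already assumes via `from unittest import mock`. The `VNFPackagePolicyTest` base class that this subclass inherits its test methods from starts before the hunk, so which rules each context list is asserted against is not visible here.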