Commit Graph

28 Commits

Author SHA1 Message Date
Kiran Pawar 8eb38ac41a onlyHostFilter: Fix follow-up suggestions.
1. Change context to be the first argument to the function.
2. Fix spelling mistake in version history.
3. Add new host_admin RBAC policy which is applied in onlyHostFilter,
since a non-admin user also needs to create a share on a specific host.

Change-Id: Id2c09ebab874ec983da7f26370932d46a0447801
2023-05-23 07:08:11 +00:00
Zuul 4c7d4ba726 Merge "Set "context_is_admin" to system scope admin roles" 2021-03-26 18:01:33 +00:00
Goutham Pacha Ravi 02cc5c6760 Set "context_is_admin" to system scope admin roles
This policy governs manila APIs that are meant to
be cross tenant - so it should default to system
scope in the new secure rbac system.

Also reformat the policy.py file so that we are
consistent with using "rules" as we were doing in
the older releases. Rules abstract keystone
concepts such as roles and scopes.

Change-Id: I31b8eb5232a5cd286db18c2b14833c0682574958
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-26 06:57:37 -07:00
Goutham Pacha Ravi 163bda5fbe Disable some policy warnings
Recently, we updated the default check strings
for all API RBAC policies in manila. These policy
changes cause a lot of deprecation warnings in
the logs. In case a deployer never modified their
defaults and accepted service defaults, these
warnings aren't really helpful. If the deployer
did modify the default, these warnings are not
emitted. So we're in a bit of a pickle about whether
these are helpful.

Other services [1][2][3] have made the decision
that these deprecated default check string
warnings aren't really helpful and actionable.

Further, any kind of oslo_policy deprecation
warnings aren't helpful during unit tests.
They fill up the logs and cause unnecessary
noise.

[1] openstack/nova: Iaa6baf6877890babb6205bdb3ee2e1a2b28ebd9c
[2] openstack/neutron: Iab3966bad81b469eccf1050f0e0e48b9e2573750
[3] openstack/placement: I2853c7bd7c0afdeeed89ef412fc8830f04381d7b

Change-Id: I08de69312016389f2b4c88f2adbd749dbe4d3261
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-03-19 17:53:49 -07:00
Goutham Pacha Ravi 8553962997 Clean up some policy code
oslo policy handles the mapping of
credentials from a context object to values
that oslo policy cares about. This mapping
includes some deprecations and compatibility
handling code that we must take advantage of [1].
So, stop mapping context to policy values
on our end, and rely on oslo.policy handling
this for us.

The enforce and authorize methods in policy.py
do the same thing, but with a subtle
difference. The "enforce" method doesn't
raise errors when unregistered policies are
invoked - this shouldn't ever be the case
for any policies written/maintained within
manila - however, we support API extensions
and don't dictate what must be done there. So
add docstrings to clarify that we shouldn't
invoke enforce, ever.

Also handle InvalidPolicyScope exceptions
and raise the oslo.policy library version
since some test enhancements have been
committed in the latest version.

[1] d3185debdb/oslo_policy/policy.py (L1077-L1096)

Change-Id: I069bf7143d6ff66b3dcdc34c9b52d48f5808481b
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-02-25 23:41:57 -08:00
Goutham Pacha Ravi c97f89f6e5 Catch up to changes in RequestContext
RequestContext has a helpful "from_environ"
method that can handle all possible combinations
of auth information users can send our way
when manila is deployed with its Keystone auth
middleware. We could switch to that, so that
we don't have to maintain support for the
full list of current and deprecated auth
configuration options in our auth
middleware.

While we're there, we can also update the
"to_dict" and "from_dict" methods in manila's
context class to match the information we need.

Change-Id: I5d554caf82a1fc4f1dcfede3ea61159ddaeb342e
Closes-Bug: #1602081
Signed-off-by: Goutham Pacha Ravi <gouthampravi@gmail.com>
2021-02-15 17:01:13 -08:00
Ghanshyam Mann 0cc7cbc36d [goal] Deprecate the JSON formatted policy file
As per the community goal of migrating the policy file
the format from JSON to YAML[1], we need to do two things:

1. Change the default value of the '[oslo_policy] policy_file'
config option from 'policy.json' to 'policy.yaml' with
upgrade checks.

2. Deprecate the JSON formatted policy file on the project side
via warning in doc and releasenotes.

Also convert manila/tests/policy.json to manila/tests/policy.yaml
using the oslopolicy-convert-json-to-yaml tool and replace
the policy.json ref with policy.yaml in doc and tests.

[1] https://governance.openstack.org/tc/goals/selected/wallaby/migrate-policy-format-from-json-to-yaml.html

Change-Id: I3748313912b2527c43c9b16a6ba3e3ccd4cf5221
2020-12-13 00:05:00 +00:00
Goutham Pacha Ravi 2289cdd9e7 Add policy to create/update public shares
Public shares are visible across all keystone
projects and are "accessible" by all projects
within a multi-tenant cloud. More often than not,
only privileged users can create and manage shares
that EVERYONE on the cloud can really mount and use.

Manila deployers want a way to prevent
unprivileged users from creating public shares. Feedback
from deployers has been that public shares created on one
private tenant network (DHSS=True scenario) cannot
be used within another private tenant network belonging
to a different project. So, if users unintentionally create
public shares, they end up polluting the dashboards of users
in other projects. So, we need to make public share
creation a "privileged" feature. This can be achieved by
introducing a manila API policy that defaults to
only allowing the "admin" role. So, this commit will:
- Introduce two new policies:
    - share:create_public_share and
    - share:set_public_share
- Set the default check string for these policies
  to rule:admin_api. They will accept the default
  rule temporarily, and log a deprecation warning
  message.
- Remove some redundant policy checks in code
  and move the policy check up in the API so we
  can fail unauthorized requests faster.

When making an API change that potentially changes
the return code from being "successful" (HTTP 2xx)
to returning failure (in this case: HTTP 403,
NotAuthorized), we typically maintain API backwards
compatibility by failing the requests ONLY with newer
API microversions. Following this pattern for API
policy changes will introduce a security hole, i.e.,
users can always create public shares with previous
versions even when an administrator explicitly
sets up policy to disable the action. This is why
this change will not maintain API backwards
compatibility.

APIImpact
Closes-Bug: #1801763
Change-Id: Ib4fc9a82b6a3e5f8e50f0bc8a89d0445eecab028
2019-02-18 12:56:12 -08:00
zhongjun 64eaeae6bd [policy in code] Add support for AZ, scheduler and message resource [9/10]
This patch adds policy in code support for availability_zone,
scheduler_stats and message resources.

Change-Id: I9a79b5ececc583e85149cc920321e461e832b245
Partial-Implements: blueprint policy-in-code
2017-12-20 06:22:02 +00:00
zhongjun 5ac4310e0e [policy in code] Add support for share and type extra resource [8/10]
This patch adds policy in code support for share instance,
share export location and share type extra specs resources.

Change-Id: I9a89b4ececc583e85249cc925950e462e805b215
Partial-Implements: blueprint policy-in-code
2017-12-20 01:34:28 +00:00
zhongjun a23d09eb01 [policy in code] Add support for replicas, networks and security services [7/10]
This patch adds policy in code support for replica, network
and security service resources.

Change-Id: I9a79b5ececc583e85149cc920950e462e805b245
Partial-Implements: blueprint policy-in-code
2017-12-19 12:22:18 +00:00
zhongjun 4f959eeaf7 [policy in code] Add support for group resource [6/10]
This patch adds policy in code support for group
resources.

Change-Id: I9a79b5ececc583e80149cc920950e462e805b142
Partial-Implements: blueprint policy-in-code
2017-12-19 11:59:59 +00:00
zhongjun 9a201768ae [policy in code] Add support for service and quota resource [5/10]
This patch adds policy in code support for service and quota
resources.

Change-Id: I9a79b5ececc583e80149cc980930e162e805b143
Partial-Implements: blueprint policy-in-code
2017-12-14 01:37:19 +00:00
zhongjun dd160df611 [policy in code] Add support for snapshot resource [4/10]
This patch adds policy in code support for snapshot
resources.

Change-Id: I8a29b5ececc583e80129cc981930e162e805b246
Partial-Implements: blueprint policy-in-code
2017-12-13 06:56:11 +00:00
zhongjun 6184063a4c [policy in code] Add support for share resource [3/10]
This patch adds policy in code support for share
resources.

Change-Id: I9a79b5ececc583e80129cc980930e162e805b246
Partial-Implements: blueprint policy-in-code
2017-12-11 06:33:17 +00:00
zhongjun d7161e38bb [policy in code] Add support for share type resource [2/10]
This patch adds policy in code support for share type
resources and depends on the basic patch [1].

[1]: https://review.openstack.org/#/c/507054/

Change-Id: I9a79b5ececc587e80129cc980930e168e805b246
Partial-Implements: blueprint policy-in-code
2017-12-11 01:07:39 +00:00
zhongjun b21c3d68a4 [policy in code] Add support for share instance export location resource
This is the basic patch which consists of the framework
code for default policy in code feature as well as
share instance export location resource.

Partial-Implements: blueprint policy-in-code
Change-Id: Iedde7a4a674a60e760b47d5eb2973f42d79226d8
2017-11-16 04:39:00 +00:00
yuhui_inspur 430557f4e9 Fix some typos
Fix the word 'fils' -> 'fails', and others.

Change-Id: I676ac0b0d348da46ba0244bae2a8970677d3a284
2017-02-19 22:44:27 -08:00
Liyankun aac93592a9 Fix docstring for policy.enforce method
This patch corrects the name of the 'target' parameter and
adds the 'do_raise' parameter in the doc string for the
policy.enforce method.

TrivialFix

Change-Id: Ib6000ae868bc91a1aa8504b377408a829f1c9951
2016-05-02 08:28:13 -04:00
Julia Varlamova a4a60b1328 Use oslo_policy lib instead of oslo-incubator code
Code from manila/openstack/common/policy.py duplicates code
from oslo_policy, so we remove this module and use oslo_policy instead.

Implements bp use-oslo-policy-lib

Change-Id: I289221a1e96f6c705deef4070be113d69c57f6e0
2015-04-21 13:05:42 +03:00
Andreas Jaeger 8203c51081 Flake8: Fix and enable H404
Fix and enable flake8 test H404:
H404  multi line docstring should start without a leading new line

Change-Id: I13dc13bb5e81d65300680df094cde538c7a6f6df
Partial-Bug: #1333290
2014-08-27 10:47:45 +00:00
Valeriy Ponomaryov 284936f43b Use common code within manila.policy module
Rewrote 'init' and 'reset' functions to use the same
functionality from common code of the policy enforcer.
Changed the path to the test policy file, because the policy enforcer
uses the oslo.config method 'find_file', which was not used before
and does not know about the test policy file.

Partially-implements blueprint use-common-code
Change-Id: I26ed170d39ed183899ee4420dc04d512cf3172e2
2014-08-13 21:29:51 +00:00
vponomaryov 139c3609de Sync common modules from Oslo
Oslo version:
commit  c8b3dc04de9e9946afab1a18617026e35cfa88fb
Merge:  b9d6589 d78b633
Author: Jenkins <jenkins@review.openstack.org>
Date:   Fri May 30 23:37:27 2014 +0000
Name:   Merge "Fixes a simple spelling mistake"

Change-Id: Ib40f7e4784174dfa848b45e577f8ba4a99334bf3
Implements: blueprint update-oslo-code
2014-06-04 22:33:18 +03:00
Aleks Chirko 826b15692e Fix policy.py
Because inside check_policy() there is hardcoded
'share' target prepended to all policies, any
policy we check will be checked against 'share'
policy. Change check_policy() to use explicit
target and action instead of just action.
Change wrap_check_policy decorator to be a
decorator maker which accepts resource name
as an argument.
Closes-Bug: #1274951
Partial-Bug: #1271943

Change-Id: I85c184035619d78107d56ea94918f608d8d7c282
2014-02-05 15:46:04 +02:00
Yulia Portnova d68efa454c Security service API
Added security service controller to
Manila v1 API.

Partially implements bp: join-tenant-network
Change-Id: Ic11feb44547bf438d925261b587edc828eac31c1
2014-01-13 15:34:48 +00:00
Andrei V. Ostapenko 3f24fee218 Removing deprecated use of flags module from project
Moving file flags.py to manila/common/config.py,
replacing FLAGS by CONF. Rename modules fake_flags to conf_fixture,
test_flags to test_conf, declare_flags to declare_conf,
runtime_flags to runtime_conf like it was done in cinder, nova, glance etc.

Implement bp: use-oslo-conf

Change-Id: I38d869123e5e706d3b06f1844b97ead05e22668f
2013-10-07 13:17:27 +03:00
Yulia Portnova 4e2f27c11a Replaced cinder with manila 2013-09-04 15:45:32 +03:00
Yulia Portnova dc4ce932ed Renamed cinder to manila.
Fixed setup.py, fixed bin scripts.
2013-09-02 09:59:07 +03:00