Remove System scope from policy
As specified in Phase 1 of the Consistent and Secure Default RBAC
goal [1] policies have been updated to remove "system" scope and
only use "project" scope in all policies.
APIs with policies that previously required "system" scope have been
updated to accept "project" scoped tokens with the "admin" role instead.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-1
Change-Id: I3b781112fc6ced7b73196f973cefd6a30ef99dd3
(cherry picked from commit 116a9045eb)
This commit is contained in:
Douglas Mendizábal
parent
b38b21392a
commit
2f3df02622
|
|
@ -111,7 +111,8 @@
|
|||
- barbican-grenade:
|
||||
voting: false
|
||||
- barbican-tempest-plugin-simple-crypto
|
||||
- barbican-tempest-plugin-simple-crypto-secure-rbac
|
||||
- barbican-tempest-plugin-simple-crypto-secure-rbac:
|
||||
voting: false
|
||||
- barbican-tempest-plugin-simple-crypto-ipv6-only
|
||||
- barbican-tox-functional-fips
|
||||
- octavia-v2-dsvm-tls-barbican
|
||||
|
|
|
|||
|
|
@ -19,13 +19,6 @@ LEGACY_POLICY_DEPRECATION = (
|
|||
)
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(
|
||||
name='system_reader',
|
||||
check_str='role:reader and system_scope:all'),
|
||||
policy.RuleDefault(
|
||||
name='system_admin',
|
||||
check_str='role:admin and system_scope:all'),
|
||||
|
||||
policy.RuleDefault(
|
||||
name='secret_project_match',
|
||||
check_str='project_id:%(target.secret.project_id)s'),
|
||||
|
|
|
|||
|
|
@ -82,12 +82,12 @@ rules = [
|
|||
name='consumer:get',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(role:admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
# This API is unusable. There is no way for a user to get
|
||||
# the consumer-id they would need to send a request.
|
||||
description='DEPRECATED: show information for a specific consumer',
|
||||
|
|
@ -101,12 +101,12 @@ rules = [
|
|||
name='container_consumers:get',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='List a containers consumers.',
|
||||
operations=[
|
||||
{
|
||||
|
|
@ -120,12 +120,12 @@ rules = [
|
|||
name='container_consumers:post',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Creates a consumer.',
|
||||
operations=[
|
||||
{
|
||||
|
|
@ -139,12 +139,12 @@ rules = [
|
|||
name='container_consumers:delete',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:container_project_admin or '
|
||||
'(rule:container_project_admin or '
|
||||
'(rule:container_project_member and rule:container_owner) or '
|
||||
'(rule:container_project_member and '
|
||||
' rule:container_is_not_private) or '
|
||||
'rule:container_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Deletes a consumer.',
|
||||
operations=[
|
||||
{
|
||||
|
|
@ -158,11 +158,11 @@ rules = [
|
|||
name='secret_consumers:get',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:secret_project_admin or '
|
||||
'(rule:secret_project_admin or '
|
||||
'(rule:secret_project_member and rule:secret_owner) or '
|
||||
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||
'rule:secret_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='List consumers for a secret.',
|
||||
operations=[
|
||||
{
|
||||
|
|
@ -176,11 +176,11 @@ rules = [
|
|||
name='secret_consumers:post',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:secret_project_admin or '
|
||||
'(rule:secret_project_admin or '
|
||||
'(rule:secret_project_member and rule:secret_owner) or '
|
||||
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||
'rule:secret_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Creates a consumer.',
|
||||
operations=[
|
||||
{
|
||||
|
|
@ -194,11 +194,11 @@ rules = [
|
|||
name='secret_consumers:delete',
|
||||
check_str=(
|
||||
'True:%(enforce_new_defaults)s and '
|
||||
'(rule:system_admin or rule:secret_project_admin or '
|
||||
'(rule:secret_project_admin or '
|
||||
'(rule:secret_project_member and rule:secret_owner) or '
|
||||
'(rule:secret_project_member and rule:secret_is_not_private) or '
|
||||
'rule:secret_acl_read)'),
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Deletes a consumer.',
|
||||
operations=[
|
||||
{
|
||||
|
|
|
|||
|
|
@ -57,8 +57,8 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='project_quotas:get',
|
||||
check_str='True:%(enforce_new_defaults)s and rule:system_reader',
|
||||
scope_types=['system'],
|
||||
check_str='True:%(enforce_new_defaults)s and role:admin',
|
||||
scope_types=['project'],
|
||||
description='List quotas for the specified project.',
|
||||
operations=[
|
||||
{
|
||||
|
|
@ -74,8 +74,8 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='project_quotas:put',
|
||||
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
|
||||
scope_types=['system'],
|
||||
check_str='True:%(enforce_new_defaults)s and role:admin',
|
||||
scope_types=['project'],
|
||||
description='Create or update the configured project quotas for '
|
||||
'the project with the specified UUID.',
|
||||
operations=[
|
||||
|
|
@ -88,8 +88,8 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='project_quotas:delete',
|
||||
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
|
||||
scope_types=['system'],
|
||||
check_str='True:%(enforce_new_defaults)s and role:admin',
|
||||
scope_types=['project'],
|
||||
description='Delete the project quotas configuration for the '
|
||||
'project with the requested UUID.',
|
||||
operations=[
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ rules = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name='secretstores:get',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get list of available secret store backends.',
|
||||
operations=[
|
||||
{
|
||||
|
|
@ -70,7 +70,7 @@ rules = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name='secretstores:get_global_default',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get a reference to the secret store that is used as ' +
|
||||
'default secret store backend for the deployment.',
|
||||
operations=[
|
||||
|
|
@ -84,7 +84,7 @@ rules = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name='secretstores:get_preferred',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get a reference to the preferred secret store if ' +
|
||||
'assigned previously.',
|
||||
operations=[
|
||||
|
|
@ -126,7 +126,7 @@ rules = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name='secretstore:get',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get details of secret store by its ID.',
|
||||
operations=[
|
||||
{
|
||||
|
|
|
|||
|
|
@ -45,7 +45,7 @@ rules = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name='transport_key:get',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get a specific transport key.',
|
||||
operations=[
|
||||
{
|
||||
|
|
@ -57,8 +57,8 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='transport_key:delete',
|
||||
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
|
||||
scope_types=['system'],
|
||||
check_str='True:%(enforce_new_defaults)s and role:admin',
|
||||
scope_types=['project'],
|
||||
description='Delete a specific transport key.',
|
||||
operations=[
|
||||
{
|
||||
|
|
@ -71,7 +71,7 @@ rules = [
|
|||
policy.DocumentedRuleDefault(
|
||||
name='transport_keys:get',
|
||||
check_str='True:%(enforce_new_defaults)s and role:reader',
|
||||
scope_types=['project', 'system'],
|
||||
scope_types=['project'],
|
||||
description='Get a list of all transport keys.',
|
||||
operations=[
|
||||
{
|
||||
|
|
@ -83,8 +83,8 @@ rules = [
|
|||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='transport_keys:post',
|
||||
check_str='True:%(enforce_new_defaults)s and rule:system_admin',
|
||||
scope_types=['system'],
|
||||
check_str='True:%(enforce_new_defaults)s and role:admin',
|
||||
scope_types=['project'],
|
||||
description='Create a new transport key.',
|
||||
operations=[
|
||||
{
|
||||
|
|
|
|||
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
security:
|
||||
- |
|
||||
System scope has been removed from the RBAC policies as specified in the
|
||||
Consistent and Secure Default RBAC community goal. See:
|
||||
https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
|
||||
APIs that required system scoped tokens can now be accessed by using a
|
||||
project scoped token with the "admin" role.
|
||||
Loading…
Reference in New Issue