From 0ff50c542eab2aeeb3951d1f12dab11374f17dee Mon Sep 17 00:00:00 2001
From: ricolin
Date: Tue, 29 Aug 2023 16:21:45 +0800
Subject: [PATCH] Remove unused policy rule for Certificate APIs

Cluster user is no longer used for drivers in Magnum since [1].
Remove unused policy rule to reflect that fix.

[1] https://review.opendev.org/c/openstack/magnum/+/889144

Change-Id: Ic7ef89a61835a7045d81dbf5af77714a3270cd7c
---
 magnum/common/policies/base.py | 20 +++++++++++++------
 magnum/common/policies/certificate.py | 4 ++--
 ...ate-api-policy-rules-027c80f2c9ff4598.yaml | 6 ++++++
 3 files changed, 22 insertions(+), 8 deletions(-)
 create mode 100644 releasenotes/notes/update-certificate-api-policy-rules-027c80f2c9ff4598.yaml

diff --git a/magnum/common/policies/base.py b/magnum/common/policies/base.py
index 05ac11728b..d53b94993e 100644
--- a/magnum/common/policies/base.py
+++ b/magnum/common/policies/base.py
@@ -47,8 +47,8 @@ RULE_PROJECT_READER_DENY_CLUSTER_USER = (
     'rule:project_reader_deny_cluster_user')
 RULE_ADMIN_OR_PROJECT_READER_DENY_CLUSTER_USER = (
     'rule:admin_or_project_reader_deny_cluster_user')
-RULE_ADMIN_OR_PROJECT_READER_USER_OR_CLUSTER_USER = (
-    'rule:admin_or_project_reader_user_or_cluster_user')
+RULE_ADMIN_OR_PROJECT_READER_USER = (
+    'rule:admin_or_project_reader_user')
 
 # ==========================================================
 # Deprecated Since OpenStack 2023.2(Magnum 17.0.0) and should be removed in
@@ -85,6 +85,13 @@ DEPRECATED_RULE_ADMIN_OR_USER_OR_CLUSTER_USER = policy.DeprecatedRule(
     deprecated_reason=DEPRECATED_REASON,
     deprecated_since=DEPRECATED_SINCE
 )
+
+DEPRECATED_RULE_ADMIN_OR_USER = policy.DeprecatedRule(
+    name=RULE_ADMIN_OR_USER,
+    check_str=f"(({RULE_ADMIN_API}) or ({RULE_USER}))",
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since=DEPRECATED_SINCE
+)
 # ==========================================================
 
 rules = [
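Review bot: The rule name `admin_or_project_reader_user_or_cluster_user` is retired here, and in the `@@ -193` hunk, with no deprecation alias for the old name, so an operator policy file that overrides that rule — including one that tightens it — silently stops applying and the in-tree default takes over. The release note added in this patch only says the cluster-user check was removed; it should also tell operators to migrate any override of the old rule name to `admin_or_project_reader_user`. Within this patch only certificate.py is moved to the renamed constant `base.RULE_ADMIN_OR_PROJECT_READER_USER`; any other reference to the removed `RULE_ADMIN_OR_PROJECT_READER_USER_OR_CLUSTER_USER` would now fail at import, so it is worth confirming there are none.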
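Review bot: `DEPRECATED_RULE_ADMIN_OR_USER_OR_CLUSTER_USER`, whose definition closes just above the new block, loses its only consumer visible in this patch when the `@@ -193` hunk switches the reader rule to the new `DEPRECATED_RULE_ADMIN_OR_USER`. If the member-side rule that certificate.py's `create` policy stops using is also left without a consumer, this deprecated rule and that RuleDefault appear to be exactly the "unused policy rule" the commit title describes and could be removed in the same change; if they are deliberately kept for other callers, a one-line comment above the surviving definition saying so would stop the next reader from asking the same question. The new block also mirrors the old one's structure, so keeping the two adjacent is fine, but note the surrounding comment header marks this section as scheduled for removal, so the new rule inherits that removal deadline.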
@@ -135,7 +142,8 @@ rules = [
         check_str=(
             f"({RULE_ADMIN_API}) or (({RULE_PROJECT_MEMBER}) and "
             f"({RULE_USER}))"
-        )
+        ),
+        deprecated_rule=DEPRECATED_RULE_ADMIN_OR_USER
     ),
     policy.RuleDefault(
         name='user_or_cluster_user',
@@ -193,12 +201,12 @@ rules = [
         deprecated_rule=DEPRECATED_DENY_CLUSTER_USER
     ),
     policy.RuleDefault(
-        name='admin_or_project_reader_user_or_cluster_user',
+        name='admin_or_project_reader_user',
         check_str=(
             f"({RULE_ADMIN_API}) or (({RULE_PROJECT_READER}) and "
-            f"({RULE_USER_OR_CLUSTER_USER}))"
+            f"({RULE_USER}))"
         ),
-        deprecated_rule=DEPRECATED_RULE_ADMIN_OR_USER_OR_CLUSTER_USER
+        deprecated_rule=DEPRECATED_RULE_ADMIN_OR_USER
     ),
 ]
 
diff --git a/magnum/common/policies/certificate.py b/magnum/common/policies/certificate.py
index 97ac4cc737..33f72efae2 100644
--- a/magnum/common/policies/certificate.py
+++ b/magnum/common/policies/certificate.py
@@ -20,7 +20,7 @@ CERTIFICATE = 'certificate:%s'
 rules = [
     policy.DocumentedRuleDefault(
         name=CERTIFICATE % 'create',
-        check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_USER_OR_CLUSTER_USER,
+        check_str=base.RULE_ADMIN_OR_PROJECT_MEMBER_USER,
         scope_types=["project"],
         description='Sign a new certificate by the CA.',
         operations=[
@@ -32,7 +32,7 @@ rules = [
     ),
     policy.DocumentedRuleDefault(
         name=CERTIFICATE % 'get',
-        check_str=base.RULE_ADMIN_OR_PROJECT_READER_USER_OR_CLUSTER_USER,
+        check_str=base.RULE_ADMIN_OR_PROJECT_READER_USER,
         scope_types=["project"],
         description='Retrieve CA information about the given cluster.',
         operations=[
diff --git a/releasenotes/notes/update-certificate-api-policy-rules-027c80f2c9ff4598.yaml b/releasenotes/notes/update-certificate-api-policy-rules-027c80f2c9ff4598.yaml
new file mode 100644
index 0000000000..8b9e62c3e8
--- /dev/null
+++ b/releasenotes/notes/update-certificate-api-policy-rules-027c80f2c9ff4598.yaml
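Review bot: Adding `deprecated_rule=DEPRECATED_RULE_ADMIN_OR_USER` to this rule changes its effective default, not just its metadata: when a registered rule carries a deprecated rule with a different check string, oslo.policy evaluates the rule as the new check OR the deprecated one until `enforce_new_defaults` is enabled, so this rule becomes `admin or user` and the `project_member` condition in its check string stops gating anything for deployments still on the legacy defaults. Before this patch the rule had no deprecated rule and was enforced exactly as written, so this is a loosening relative to the previous default. The rule's `name=` line is above the hunk; I infer from the check string that it is the project-member rule now used by certificate:create. If the relaxation is the intended compatibility step for that API, a comment such as `# deprecated_rule keeps the legacy admin_or_user default honoured for certificate:create until enforce_new_defaults is on` should say so; if not, the added line should go.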
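Review bot: `base.RULE_ADMIN_OR_PROJECT_MEMBER_USER`, referenced in the new `check_str` for `certificate:create`, is not introduced anywhere in this patch — the base.py hunks only add `RULE_ADMIN_OR_PROJECT_READER_USER` — so unless the constant already exists in base.py, importing this module raises AttributeError and no certificate policy gets registered. The `@@ -135` hunk in base.py edits a rule whose check string combines RULE_PROJECT_MEMBER and RULE_USER, which suggests the matching RuleDefault exists, but its name line and the constant are outside the hunks shown, so this needs confirming against the tree. The description strings are unchanged and still accurate for the narrowed rules.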
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Remove checking cluster user from rules in default policy for
+    Certificate APIs to reflect recent fixes
+    (https://review.opendev.org/c/openstack/magnum/+/889144).