Implement secure RBAC for segregation and telemetry policies

This commit updates the policies for all policies in panko to support enhanced token scope checking and default roles, but implementing support for a reader role for read-only APIs. This is part of a broader change to provide a more consistent and secure authorization experience for operators and users across OpenStack. Change-Id: Ia0daee7d909f31e7f8f9e75fa52dca9254441559
2020-12-01 14:37:26 +00:00 · 2020-12-01 14:37:26 +00:00 · 6195c9a06d
parent 12c41a0a73
commit 6195c9a06d
2 changed files with 21 additions and 2 deletions
--- a/panko/policies/segregation.py
+++ b/panko/policies/segregation.py
@ -10,12 +10,26 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+from oslo_log import versionutils
 from oslo_policy import policy

+from panko.policies import base
+
+DEPRECATED_REASON = """
+The events API now supports system scope and default roles.
+"""
+
+deprecated_segregation = policy.DeprecatedRule(
+    name='segregation',
+    check_str='rule:context_is_admin'
+)
+
+
 rules = [
    policy.DocumentedRuleDefault(
        name='segregation',
-        check_str='rule:context_is_admin',
+        check_str=base.SYSTEM_READER,
+        scope_types=['system'],
        description='Return the user and project the request'
                    'should be limited to',
        operations=[
@ -27,7 +41,10 @@ rules = [
                'path': '/v2/events/{message_id}',
                'method': 'GET'
            }
-        ]
+        ],
+        deprecated_rule=deprecated_segregation,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
    )
 ]

--- a/panko/policies/telemetry.py
+++ b/panko/policies/telemetry.py
@ -19,6 +19,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name=TELEMETRY_EVENTS % 'index',
        check_str=base.UNPROTECTED,
+        scope_types=['system', 'project'],
        description='Return all events matching the query filters.',
        operations=[
            {
@ -30,6 +31,7 @@ rules = [
    policy.DocumentedRuleDefault(
        name=TELEMETRY_EVENTS % 'show',
        check_str=base.UNPROTECTED,
+        scope_types=['system', 'project'],
        description='Return a single event with the given message id.',
        operations=[
            {