Implement secure RBAC for allocation candidates
This commit updates the policies for the allocation candidates resource in placement to support read-only roles. This is part of a broader community effort to support read-only roles and implement secure, consistent default policies. Change-Id: I5197484395fd1f1e665e1882bd5884cba88ad40d
parent
b8e648f13a
commit
8959e3f80c
|
@ -11,6 +11,7 @@
|
|||
# under the License.
|
||||
|
||||
|
||||
from oslo_log import versionutils
|
||||
from oslo_policy import policy
|
||||
|
||||
from placement.policies import base
|
||||
|
@ -18,18 +19,31 @@ from placement.policies import base
|
|||
|
||||
LIST = 'placement:allocation_candidates:list'
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
The allocation candidate API now supports read-only roles by default.
|
||||
"""
|
||||
|
||||
deprecated_list_allocation_candidates = policy.DeprecatedRule(
|
||||
name=LIST,
|
||||
check_str=base.RULE_ADMIN_API
|
||||
)
|
||||
|
||||
|
||||
rules = [
|
||||
policy.DocumentedRuleDefault(
|
||||
LIST,
|
||||
base.RULE_ADMIN_API,
|
||||
"List allocation candidates.",
|
||||
[
|
||||
name=LIST,
|
||||
check_str=base.SYSTEM_READER,
|
||||
description="List allocation candidates.",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/allocation_candidates'
|
||||
}
|
||||
],
|
||||
scope_types=['system'],
|
||||
deprecated_rule=deprecated_list_allocation_candidates,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since=versionutils.deprecated.WALLABY
|
||||
)
|
||||
]
|
||||
|
||||
|
|
|
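Review bot: DEPRECATED_REASON, the string assigned at the top of the second hunk, tells an operator only that the API "now supports read-only roles" — it names neither the new default (`base.SYSTEM_READER` with `scope_types=['system']`) nor the fact that the old check is still honoured, and as I understand oslo.policy, while `deprecated_rule` carries a different check_str and `[oslo_policy]/enforce_new_defaults` is off the effective check is the new default OR `RULE_ADMIN_API`, which is exactly why a project-scoped admin still gets 200 in the accompanying legacy-fixture test. I would replace the text with `The allocation candidate API now supports a read-only role (system-scoped reader) by default. The legacy RULE_ADMIN_API check remains honoured as a fallback until [oslo_policy]/enforce_new_defaults is enabled.` and add a `# NOTE: the deprecated admin-API rule is OR'd into this check until enforce_new_defaults is set` above `deprecated_rule=deprecated_list_allocation_candidates,` so the next reader does not have to look up oslo.policy's deprecation semantics to understand the test expectations. The module's license header lies outside the first hunk and `base.SYSTEM_READER`'s definition is not in this diff, so the exact role/scope it encodes should be confirmed against placement/policies/base.py.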
@ -0,0 +1,68 @@
|
|||
---
|
||||
fixtures:
|
||||
- LegacyRBACPolicyFixture
|
||||
|
||||
vars:
|
||||
- &project_id $ENVIRON['PROJECT_ID']
|
||||
- &system_admin_headers
|
||||
x-auth-token: user
|
||||
x-roles: admin,member,reader
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
openstack-system-scope: all
|
||||
- &system_reader_headers
|
||||
x-auth-token: user
|
||||
x-roles: reader
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
openstack-system-scope: all
|
||||
- &project_admin_headers
|
||||
x-auth-token: user
|
||||
x-roles: admin,member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
- &project_member_headers
|
||||
x-auth-token: user
|
||||
x-roles: member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
- &project_reader_headers
|
||||
x-auth-token: user
|
||||
x-roles: reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
|
||||
tests:
|
||||
|
||||
- name: system admin can get allocation candidates
|
||||
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
|
||||
request_headers: *system_admin_headers
|
||||
status: 200
|
||||
|
||||
- name: system reader can get allocation candidates
|
||||
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
|
||||
request_headers: *system_reader_headers
|
||||
status: 200
|
||||
|
||||
- name: project admin can get allocation candidates
|
||||
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
|
||||
request_headers: *project_admin_headers
|
||||
status: 200
|
||||
|
||||
- name: project member cannot get allocation candidates
|
||||
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project reader cannot allocation candidates
|
||||
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
|
||||
request_headers: *project_reader_headers
|
||||
status: 403
|
|
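Review bot: The last test name, `- name: project reader cannot allocation candidates`, is missing its verb; it should read `- name: project reader cannot get allocation candidates` so the gabbi failure output matches the other cases. The positive cases only use tokens that carry the `reader` role, so nothing checks how a system-scoped token with `member` or `admin` alone (no `reader`) is treated under the legacy fixture; adding a header set with `x-roles: member` plus `openstack-system-scope: all` and the expected status would pin that, though the expected value depends on how `base.SYSTEM_READER` is defined, which this diff does not show. The `project admin can get allocation candidates` case presumably passes only because the deprecated admin-API rule is still OR'd into the new default under the legacy fixture; a one-line comment above it saying so would stop someone "correcting" it to 403 later.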
@ -0,0 +1,68 @@
|
|||
---
|
||||
fixtures:
|
||||
- SecureRBACPolicyFixture
|
||||
|
||||
vars:
|
||||
- &project_id $ENVIRON['PROJECT_ID']
|
||||
- &system_admin_headers
|
||||
x-auth-token: user
|
||||
x-roles: admin,member,reader
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
openstack-system-scope: all
|
||||
- &system_reader_headers
|
||||
x-auth-token: user
|
||||
x-roles: reader
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
openstack-system-scope: all
|
||||
- &project_admin_headers
|
||||
x-auth-token: user
|
||||
x-roles: admin,member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
- &project_member_headers
|
||||
x-auth-token: user
|
||||
x-roles: member,reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
- &project_reader_headers
|
||||
x-auth-token: user
|
||||
x-roles: reader
|
||||
x-project-id: *project_id
|
||||
accept: application/json
|
||||
content-type: application/json
|
||||
openstack-api-version: placement latest
|
||||
|
||||
tests:
|
||||
|
||||
- name: system admin can get allocation candidates
|
||||
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
|
||||
request_headers: *system_admin_headers
|
||||
status: 200
|
||||
|
||||
- name: system reader can get allocation candidates
|
||||
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
|
||||
request_headers: *system_reader_headers
|
||||
status: 200
|
||||
|
||||
- name: project admin cannot get allocation candidates
|
||||
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
|
||||
request_headers: *project_admin_headers
|
||||
status: 403
|
||||
|
||||
- name: project member cannot get allocation candidates
|
||||
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
|
||||
request_headers: *project_member_headers
|
||||
status: 403
|
||||
|
||||
- name: project reader cannot allocation candidates
|
||||
GET: /allocation_candidates?resources=VCPU:1,MEMORY_MB:1024,DISK_GB:100
|
||||
request_headers: *project_reader_headers
|
||||
status: 403
|