Commit Graph

20 Commits

Author SHA1 Message Date
Radomir Dopieralski f5685ebe46 Specify POLICY_CHECK_FUNCTION as a string
We don't want code in our settings.py and local_settings.py, and in
particular we don't want to have to import Python objects from all over
to set them as setting values -- instead, we can specify those as import
path strings. This also solves problems with importing order and loops.

This change is backwards-compatible, in the sense that you can still
import the objects directly and set them as the setting values.

Partially-Implements: blueprint ini-based-configuration
Change-Id: I8a346e55bb98e4e22e0c14a614c45d493d20feb4
2016-11-25 13:06:14 +01:00
David Lyle d599fdec59 The neutron policy file is out of date. This patch updates it to
match neutron master.

Since the neutron policy was last updated, LBaaS, VPNaaS, and FWaaS,
have all been moved out of the neutron repo. When that was done,
apparently all policy support was removed as well. This patch retains
the related policy checks matching the old policy file rules. If
operators use the new policy file, the policy checks are harmless, as
the definition won't be found which will result in policy.check
returning True.

Additionally, the get_network call for the update network view was
modified to not have the subnet info populated as it's not used in
the form.

Change-Id: I6c40b99e88937d428a8e21fa28cdbc8a4190eb57
2016-08-30 10:59:36 -06:00
daniel-a-nguyen 2b846515f3 Retrieve domain scoped token
This patch supports using domain scoped tokens against keystone v3.

Use Cases:

Cloud Admin - view and manage identity resources across domains
Domain Admin - view and manage identity resources in the domain logged in
User - view identity project in the domain logged in

Regression:

Supports keystone v2 through local_settings.py configuration
Supports keystone v3 with multidomain = False
Supports keystone v3 with multidomain = True

Relates to https://review.openstack.org/#/c/141153/

Background on how to test is here
https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow

Co-Authored-By: Brad Pokorny <Brad_Pokorny@symantec.com>
Co-Authored-By: Brian Tully <brian.tully@hp.com>
Co-Authored-By: Michael Hagedorn <mike.hagedorn@hp.com>
Co-Authored-By: woomatt <matt.wood@hp.com>

Partially Implements: blueprint domain-scoped-tokens

Closes-Bug: #1413851
Change-Id: Iaa19bfef9b0c70304ff81d083c62b218b2d02479
2016-03-08 15:17:38 -08:00
David Lyle 39bd444a0c Moving policy engine implementation
This is the first step in moving the policy engine to
django_openstack_auth. It makes the policy check method pluggable
in openstack_dashboard as it is in horizon. To do this, the wrapper
around the policy engine is moved to a new file isolated from the
policy check method. A thin check method is left in policy.py to
allow the code and policy mix-ins to behave as now. The existing
policy test file is also moved for relocation. A new test file has
been added to exercise the simpler check method.

Once the actual engine is moved to django_openstack_auth, we'll be
able to remove policy_backend.py and the test version of
policy_backend.py as well.

Partially Implements: blueprint move-policy-engine

Change-Id: I591bcbe69bf255f1aa0346fdf869fac86d2e6d3d
2015-01-22 15:55:19 -07:00
Masco Kaliyamoorthy 193e66792f adopt namespace-less oslo imports
oslo.config is now deprecated, so switching
from oslo.config to the right package oslo_config.

Similarly, oslo.serialization is also deprecated, so it
is also switched to oslo_serialization from
oslo.serialization.

Change-Id: I52eff48a17a555750379e4ca6bb024fc71a4efeb
Closes-Bug: #1409733
2015-01-21 12:15:07 +05:30
Timur Sufiev dab964d781 Prevent leaking `target` info into subsequent `policy.check()` calls
Due to a mutable dictionary being used as the default `target` argument
value, the first target calculated from scratch in the POLICY_CHECK
function will be used for all subsequent calls to POLICY_CHECK with 2
arguments. The wrong `target` can either lead to a reduced set of
operations on an entity for a given user, or to an enlarged one. Due to
independent policy checks at each service's side this doesn't pose a
serious security breach, but can lead to weird UX behaviour.

Change-Id: I744fac28de0fb7060b50c5db689e74631a628c88
Closes-Bug: #1396544
2014-12-01 18:44:24 +03:00
lin-hua-cheng 636a5287e7 Sync oslo-incubator for fileutils, log and policy
Sync from oslo-incubator commit 4504e4f4917d99c4889a8a5b7907d6b23ced2ffc

Additional changes:
- remove excutils since this already moved to oslo-utils
- added _i18n.py workaround from oslo-incubator, required while transitioning
to oslo.i18n
- fix openstack_dashboard/policy.py to work with latest policy code

Change-Id: I904b9af517cc85e0cc041a1467d6fda599d8d3a1
Partially-Implements: blueprint improve-oslo-usage
2014-10-11 15:00:11 -07:00
Jenkins 56eca7ef0e Merge "Updated tenant_id to project_id in policy.py" 2014-10-09 06:12:30 +00:00
Chaitanya Challa 2198a0d1e9 Updated tenant_id to project_id in policy.py
Comments were referring to tenant_id where code says project_id

Closes-Bug: #1371017

Change-Id: I72f6c092f405fe130ca2c7430b7c00b70fb4abc8
2014-10-08 10:46:18 +00:00
Sam Betts 107cf8b328 Add mixin to replace replicated get_policy_target
Fix adds a mixin to replace the replicated get_policy_target
function. Duplicated code is removed from many classes and mixin is
inherited.

project_id, user_id and domain_id are now default in the generated
policy_target dict but are set to None if the data doesn't support it,
this is to provide the most flexibility for operators writing policy.json
as discussed in the bug report.

policy_target_attrs attribute added by the mixin is overwrittable by
sub-classes of the mixin to override the defaults for custom policy_target
information.

Change-Id: I26759f145b8756bd1eef585c8107160277061523
Closes-Bug: 1317238
2014-09-23 17:39:55 +09:00
David Lyle 18e8ea810d Separating Identity Dashboard and using RBAC
Moving identity panels to their own dashboard.

RBAC is now used to determine the data to load in the identity
dashboard. Using the default policy file, a user with role member
will now be able to see their project list.

Also, adding a policy check mechanism at the panel and dashboard
level to determine which panels and dashboards the user can access.

Implements blueprint separate-identity-dash

Change-Id: I7ebfec2bf6e44899bec79d3b23c90d56a976200f
2014-08-18 16:40:56 -06:00
Radomir Dopieralski 0eca7449cc Fix Flake8 style warnings in openstack_dashboard/
Warnings H904, H307 and H405 are new or considerably changed, and will
be fixed in a separate patch.

Closes-bug: #1349820
Partial-bug: #1347472

Change-Id: I4fd28990dacf16f03a4eaa6074ef59c37f1a2c14
2014-07-30 14:13:24 +02:00
He Yongli e790ac070e Remove extraneous vim configuration comments
Remove vim setting:
comment - # vim: tabstop=4 shiftwidth=4 softtabstop=4

at the top of source code files, except for files in
openstack/common.

Change-Id: I9a5c6b17c6ef7ecec601f4503dfc7b31fc72e90a
Close-bug: #1229324
2014-05-06 15:30:10 +08:00
David Lyle ae82f1d83c Policy check needs to check for None in target
For objects that don't have a project_id attached to them, the
property can be set to None, which does not get overridden in
the policy engine, whereas its being unset currently does.  This
adds a check for user_id and project_id being None and sets them
if they are.

Change-Id: I7aeb6d3830a19a7191de9944f8de90ee12dbf127
Closes-bug: #1274053
2014-02-05 12:11:33 -07:00
David Lyle 985bd7390d adding policy checks for cinder
Adding cinder policy rules file for policy checks. Implementing
rule checks as well. Some cinder API calls actually hit nova, so
adding those calls as well.

Also a couple of improvements to the Horizon policy engine. First,
now providing the token scope project_id and user_id as targets by
default, unless otherwise specified.  Most service policy rules
check one or both of these.  Second, checking to see if the rule exists
before attempting enforcement.  If the rule does not exist, using
the default rule for that service.  This now matches what the
service policy engines do.

Implements: blueprint block-rbac

Change-Id: Ifef08b8975280f4e621ba8eebec9d405e1e870a2
2014-01-10 15:07:15 -07:00
Jenkins cbef9d83a7 Merge "Fixed sphinx ERRORs." 2014-01-09 01:59:00 +00:00
Radomir Dopieralski 028332da4a Remove #noqa from most common imports and add them to import_exceptions
We have a lot of imports with #noqa that is there to ignore h302,
because it's traditional to import and use a name directly, instead
of a whole module. This hides other errors and gives people the
impression that it's actually fine to import non-modules, you just
have to slap #noqa on those lines.

I went through the code and identified about a dozen names that are
most commonly imported this way. I removed the #noqa tag from them,
and added them to the list in import_exceptions.

I also removed a few unused imports that were revealed in the process.

Change-Id: I27afb8e2b1d4759ec974ded9464d8f010312ee78
2014-01-07 12:26:35 +01:00
Facundo Maldonado 1880fd63aa Fixed sphinx ERRORs.
Fixed errors and warnings due to formatting and layout errors
in documentation.
Those errors make the page empty or unavailable.
Other layout/format fixes make the documentation clearer.

Removed rpc/common.py from patch as suggested in code review.

Change-Id: I0fe11f66384f1aa8919bbb3f5cdf5339f0cbdfc6
Partial-Bug:1257725
2014-01-06 15:17:56 -03:00
Paul Belanger da8c69afa6 Gate on H4xx docstrings for pep8
In an effort to help make horizon more friendly to OpenStack hacking
guidelines, we now gate on H40* violations.

Change-Id: Id07294543660368d2f7f5ac363710176ab23b874
Signed-off-by: Paul Belanger <paul.belanger@polybeacon.com>
2013-11-23 12:51:07 -05:00
David Lyle 5984e34862 Adding RBAC policy system and checks for identity
Adding file based RBAC engine for Horizon using copies of nova and
keystone policy.json files

Policy engine builds on top of oslo incubator policy.py, fileutils
was also pulled from oslo incubator as a dependency of policy.py

When Horizon runs and a policy check is made, a path and mapping of
services to policy files is used to load the rules into the policy
engine.  Each check is mapped to a service type and validated.  This
extra level of mapping is required because the policy.json files
may each contain a 'default' rule or unqualified (no service name
included) rule.  Additionally, maintaining separate policy.json
files per service will allow easier syncing with the service
projects.

The engine allows for compound 'and' checks at this time.  E.g.,
the way the Create User action is written, multiple APIs are
called to read data (roles, projects) and more are required to
update data (grants, user).

Other workflows, e.g., Edit Project, should have separate save
actions per step as they are unrelated.  Only the policy checks
applicable to that step were added.  Separating the saves of
unrelated steps should be future work.

The underlying engine supports more rule types than are used in the
underlying policy.json files.

Policy checks were added for all actions on tables in the Identity
Panel only.  And the service policy files imported are limited in
this commit to reduce scope of the change.

Additionally, changes were made to the base action class to add
support for setting policy rules and an overridable method for
determining the policy check target. This reduces the need for
redundant code in each action policy check.

Note, the benefit Horizon has is that the underlying APIs will
correct us if we get it wrong, so if a policy file is not found for
a particular service, permission is assumed and the actual API call
to the service will fail if the action isn't authorized for that user.

Finally, adding documentation regarding policy enforcement.

Implements: blueprint rbac

Change-Id: I4a4a71163186b973229a0461b165c16936bc10e5
2013-08-26 10:32:28 -06:00