Add new default roles in server password policies
This adds new defaults roles in server password API policies. - Policies are made granular and default to System or project reader for get and system admin or owner for clear policy. Also add tests to simulates the future where we drop the deprecation fall back in the policy by overriding the rules with a version where there are no deprecated rule options. Operators can do the same by adding overrides in their policy files that match the default but stop the rule deprecation fallback from happening. Partial implement blueprint policy-defaults-refresh Change-Id: I3571b73a3094f5f523ff7b655ca05355c65f90ff
This commit is contained in:
parent
bea6e368a6
commit
189e818c26
|
@ -32,7 +32,7 @@ class ServerPasswordController(wsgi.Controller):
|
|||
def index(self, req, server_id):
|
||||
context = req.environ['nova.context']
|
||||
instance = common.get_instance(self.compute_api, context, server_id)
|
||||
context.can(sp_policies.BASE_POLICY_NAME,
|
||||
context.can(sp_policies.BASE_POLICY_NAME % 'show',
|
||||
target={'project_id': instance.project_id})
|
||||
|
||||
passw = password.extract_password(instance)
|
||||
|
@ -49,7 +49,7 @@ class ServerPasswordController(wsgi.Controller):
|
|||
|
||||
context = req.environ['nova.context']
|
||||
instance = common.get_instance(self.compute_api, context, server_id)
|
||||
context.can(sp_policies.BASE_POLICY_NAME,
|
||||
context.can(sp_policies.BASE_POLICY_NAME % 'clear',
|
||||
target={'project_id': instance.project_id})
|
||||
meta = password.convert_password(context, None)
|
||||
instance.system_metadata.update(meta)
|
||||
|
|
|
@ -18,26 +18,51 @@ from oslo_policy import policy
|
|||
from nova.policies import base
|
||||
|
||||
|
||||
BASE_POLICY_NAME = 'os_compute_api:os-server-password'
|
||||
BASE_POLICY_NAME = 'os_compute_api:os-server-password:%s'
|
||||
|
||||
DEPRECATED_POLICY = policy.DeprecatedRule(
|
||||
'os_compute_api:os-server-password',
|
||||
base.RULE_ADMIN_OR_OWNER,
|
||||
)
|
||||
|
||||
DEPRECATED_REASON = """
|
||||
Nova API policies are introducing new default roles with scope_type
|
||||
capabilities. Old policies are deprecated and silently going to be ignored
|
||||
in nova 23.0.0 release.
|
||||
"""
|
||||
|
||||
|
||||
server_password_policies = [
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME,
|
||||
check_str=base.RULE_ADMIN_OR_OWNER,
|
||||
description="Show and clear the encrypted administrative "
|
||||
name=BASE_POLICY_NAME % 'show',
|
||||
check_str=base.PROJECT_READER_OR_SYSTEM_READER,
|
||||
description="Show the encrypted administrative "
|
||||
"password of a server",
|
||||
operations=[
|
||||
{
|
||||
'method': 'GET',
|
||||
'path': '/servers/{server_id}/os-server-password'
|
||||
},
|
||||
],
|
||||
scope_types=['system', 'project'],
|
||||
deprecated_rule=DEPRECATED_POLICY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since='21.0.0'),
|
||||
policy.DocumentedRuleDefault(
|
||||
name=BASE_POLICY_NAME % 'clear',
|
||||
check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
|
||||
description="Clear the encrypted administrative "
|
||||
"password of a server",
|
||||
operations=[
|
||||
{
|
||||
'method': 'DELETE',
|
||||
'path': '/servers/{server_id}/os-server-password'
|
||||
}
|
||||
],
|
||||
scope_types=['system', 'project']),
|
||||
scope_types=['system', 'project'],
|
||||
deprecated_rule=DEPRECATED_POLICY,
|
||||
deprecated_reason=DEPRECATED_REASON,
|
||||
deprecated_since='21.0.0'),
|
||||
]
|
||||
|
||||
|
||||
|
|
|
@ -93,7 +93,8 @@ policy_data = """
|
|||
"os_compute_api:os-security-groups:add": "",
|
||||
"os_compute_api:os-security-groups:remove": "",
|
||||
"os_compute_api:os-server-diagnostics": "",
|
||||
"os_compute_api:os-server-password": "",
|
||||
"os_compute_api:os-server-password:show": "",
|
||||
"os_compute_api:os-server-password:clear": "",
|
||||
"os_compute_api:os-server-tags:index": "",
|
||||
"os_compute_api:os-server-tags:show": "",
|
||||
"os_compute_api:os-server-tags:update": "",
|
||||
|
|
|
@ -15,6 +15,7 @@ import mock
|
|||
from oslo_utils.fixture import uuidsentinel as uuids
|
||||
|
||||
from nova.api.openstack.compute import server_password
|
||||
from nova.policies import base as base_policy
|
||||
from nova.policies import server_password as policies
|
||||
from nova.tests.unit.api.openstack import fakes
|
||||
from nova.tests.unit import fake_instance
|
||||
|
@ -41,32 +42,45 @@ class ServerPasswordPolicyTest(base.BasePolicyTest):
|
|||
system_metadata={}, expected_attrs=['system_metadata'])
|
||||
self.mock_get.return_value = self.instance
|
||||
|
||||
# Check that admin or and server owner is able to get
|
||||
# and delete the server password.
|
||||
# Check that admin or and server owner is able to
|
||||
# delete the server password.
|
||||
self.admin_or_owner_authorized_contexts = [
|
||||
self.legacy_admin_context, self.system_admin_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
# Check that non-admin/owner is not able to get and delete
|
||||
# Check that non-admin/owner is not able to delete
|
||||
# the server password.
|
||||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context,
|
||||
self.other_project_member_context
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.other_project_reader_context
|
||||
]
|
||||
# Check that admin or and server owner is able to get
|
||||
# the server password.
|
||||
self.reader_authorized_contexts = [
|
||||
self.legacy_admin_context, self.system_admin_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.project_admin_context, self.project_member_context,
|
||||
self.project_reader_context, self.project_foo_context]
|
||||
# Check that non-admin/owner is not able to get
|
||||
# the server password.
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.other_project_reader_context
|
||||
]
|
||||
|
||||
@mock.patch('nova.api.metadata.password.extract_password')
|
||||
def test_index_server_password_policy(self, mock_pass):
|
||||
rule_name = policies.BASE_POLICY_NAME
|
||||
self.common_policy_check(self.admin_or_owner_authorized_contexts,
|
||||
self.admin_or_owner_unauthorized_contexts,
|
||||
rule_name = policies.BASE_POLICY_NAME % 'show'
|
||||
self.common_policy_check(self.reader_authorized_contexts,
|
||||
self.reader_unauthorized_contexts,
|
||||
rule_name,
|
||||
self.controller.index,
|
||||
self.req, self.instance.uuid)
|
||||
|
||||
@mock.patch('nova.api.metadata.password.convert_password')
|
||||
def test_clear_server_password_policy(self, mock_pass):
|
||||
rule_name = policies.BASE_POLICY_NAME
|
||||
rule_name = policies.BASE_POLICY_NAME % 'clear'
|
||||
self.common_policy_check(self.admin_or_owner_authorized_contexts,
|
||||
self.admin_or_owner_unauthorized_contexts,
|
||||
rule_name,
|
||||
|
@ -87,3 +101,50 @@ class ServerPasswordScopeTypePolicyTest(ServerPasswordPolicyTest):
|
|||
def setUp(self):
|
||||
super(ServerPasswordScopeTypePolicyTest, self).setUp()
|
||||
self.flags(enforce_scope=True, group="oslo_policy")
|
||||
|
||||
|
||||
class ServerPasswordNoLegacyPolicyTest(ServerPasswordScopeTypePolicyTest):
|
||||
"""Test Server Password APIs policies with system scope enabled,
|
||||
and no more deprecated rules that allow the legacy admin API to
|
||||
access system_admin_or_owner APIs.
|
||||
"""
|
||||
without_deprecated_rules = True
|
||||
rules_without_deprecation = {
|
||||
policies.BASE_POLICY_NAME % 'show':
|
||||
base_policy.PROJECT_READER_OR_SYSTEM_READER,
|
||||
policies.BASE_POLICY_NAME % 'clear':
|
||||
base_policy.PROJECT_MEMBER_OR_SYSTEM_ADMIN}
|
||||
|
||||
def setUp(self):
|
||||
super(ServerPasswordNoLegacyPolicyTest, self).setUp()
|
||||
|
||||
# Check that system or projct admin or owner is able to clear
|
||||
# server password.
|
||||
self.admin_or_owner_authorized_contexts = [
|
||||
self.system_admin_context,
|
||||
self.project_admin_context, self.project_member_context]
|
||||
# Check that non-system and non-admin/owner is not able to clear
|
||||
# server password.
|
||||
self.admin_or_owner_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.project_reader_context,
|
||||
self.project_foo_context,
|
||||
self.system_member_context, self.system_reader_context,
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.other_project_reader_context]
|
||||
|
||||
# Check that system reader or projct owner is able to get
|
||||
# server password.
|
||||
self.reader_authorized_contexts = [
|
||||
self.system_admin_context,
|
||||
self.project_admin_context, self.system_member_context,
|
||||
self.system_reader_context, self.project_reader_context,
|
||||
self.project_member_context,
|
||||
]
|
||||
|
||||
# Check that non-system reader nd non-admin/owner is not able to get
|
||||
# server password.
|
||||
self.reader_unauthorized_contexts = [
|
||||
self.legacy_admin_context, self.project_foo_context,
|
||||
self.system_foo_context, self.other_project_member_context,
|
||||
self.other_project_reader_context
|
||||
]
|
||||
|
|
|
@ -429,7 +429,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-security-groups",
|
||||
"os_compute_api:os-security-groups:add",
|
||||
"os_compute_api:os-security-groups:remove",
|
||||
"os_compute_api:os-server-password",
|
||||
"os_compute_api:os-server-password:clear",
|
||||
"os_compute_api:os-server-tags:delete",
|
||||
"os_compute_api:os-server-tags:delete_all",
|
||||
"os_compute_api:os-server-tags:update",
|
||||
|
@ -478,6 +478,7 @@ class RealRolePolicyTestCase(test.NoDBTestCase):
|
|||
"os_compute_api:os-attach-interfaces:show",
|
||||
"os_compute_api:os-instance-actions:list",
|
||||
"os_compute_api:os-instance-actions:show",
|
||||
"os_compute_api:os-server-password:show",
|
||||
"os_compute_api:os-server-tags:index",
|
||||
"os_compute_api:os-server-tags:show",
|
||||
)
|
||||
|
|
Loading…
Reference in New Issue