Add new default base rules and mapping in policy base class

We are introducing new default roles (project personas) in Tacker policies. To reuse those new default roles among policies, default base rules have been defined in base class. Those are basically: - admin: stay same - project member or admin: this is replacement of admin-or-owner for write operations - Project reader or admin: this is replacement of admin-or-owner for reader operations Partial implement blueprint implement-project-personas Change-Id: Id95d07e6f2bb66eddc4205c541d606af9271ef44
2024-03-06 16:12:24 -08:00 · 2024-03-06 16:12:24 -08:00 · 0d9984199f
parent bd2ff5e817
commit 0d9984199f
1 changed files with 82 additions and 5 deletions
--- a/tacker/policies/base.py
+++ b/tacker/policies/base.py
@ -21,27 +21,104 @@ RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
 RULE_ADMIN_API = 'rule:admin_only'
 RULE_ANY = '@'

+
+DEPRECATED_REASON = """
+Tacker API policies are introducing new default roles with scope_type
+capabilities. Old policies are deprecated and silently going to be ignored
+in future.
+"""
+
+DEPRECATED_ADMIN_POLICY = policy.DeprecatedRule(
+    name=RULE_ADMIN_API,
+    check_str='is_admin:True',
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='11.0.0'
+)
+
+DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
+    name=RULE_ADMIN_OR_OWNER,
+    check_str='is_admin:True or project_id:%(project_id)s',
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='11.0.0'
+)
+
+RULE_PROJECT_MEMBER = 'rule:project_member'
+RULE_PROJECT_READER = 'rule:project_reader'
+# NOTE(gmann): or_admin in below rules make sure that legacy (existing) admin
+# continue working in same way as currently.
+RULE_PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
+RULE_PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
+
+# NOTE: Below is the mapping of new defaults with legacy defaults::
+# Legacy Defaults    |New Defaults               |Operation       |scope_type|
+# -------------------+---------------------------+----------------+-----------
+# RULE_ADMIN_API     |-> ADMIN                   |Global resource | [project]
+#                    |                           |Write & Read    |
+# -------------------+---------------------------+----------------+-----------
+#                    |-> ADMIN                   |Project admin   | [project]
+#                    |                           |level operation |
+# RULE_ADMIN_OR_OWNER|-> PROJECT_MEMBER_OR_ADMIN |Project resource| [project]
+#                    |                           |Write           |
+#                    |-> PROJECT_READER_OR_ADMIN |Project resource| [project]
+#                    |                           |Read            |
+
+# NOTE(gmann): The OpenStack Keystone already supports implied roles which
+# means the assignment of one role implies the assignment of another.
+# The new default roles reader and member also have been added in bootstrap.
+# If the bootstrap process is re-run, and a reader, member or admin role
+# already exists, a role implication chain will be created: `admin` implies
+# `member` implies `reader`.
+# For example: If we give access to 'reader' it means the 'admin' and
+# 'member' also gets the access.
 rules = [
    policy.RuleDefault(
        "context_is_admin",
        "role:admin",
-        "Decides what is required for the 'is_admin:True' check to succeed."),
+        "Decides what is required for the 'is_admin:True' check to succeed.",
+        deprecated_rule=DEPRECATED_ADMIN_POLICY),
    policy.RuleDefault(
        "admin_or_owner",
        "is_admin:True or project_id:%(project_id)s",
-        "Default rule for most non-Admin APIs."),
+        "Default rule for most non-Admin APIs.",
+        deprecated_for_removal=True,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='11.0.0'),
    policy.RuleDefault(
        "admin_only",
        "is_admin:True",
-        "Default rule for most Admin APIs."),
+        "Default rule for most Admin APIs.",
+        deprecated_for_removal=True,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='11.0.0'),
    policy.RuleDefault(
        "shared",
        "field:vims:shared=True",
        "Default rule for sharing vims."),
+    policy.RuleDefault(
+        "project_member",
+        "role:member and project_id:%(project_id)s",
+        "Default rule for Project level non admin APIs.",
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
+    policy.RuleDefault(
+        "project_member_or_admin",
+        "rule:project_member or rule:context_is_admin",
+        "Default rule for Project Member or admin APIs.",
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
+    policy.RuleDefault(
+        "project_reader",
+        "role:reader and project_id:%(project_id)s",
+        "Default rule for Project level read only APIs.",
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
+    policy.RuleDefault(
+        "project_reader_or_admin",
+        "rule:project_reader or rule:context_is_admin",
+        "Default rule for Project reader or admin APIs.",
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
    policy.RuleDefault(
        "default",
-        "rule:admin_or_owner",
-        "Default rule for most non-Admin APIs.")
+        "rule:project_member_or_admin",
+        "Default rule for most non-Admin APIs.",
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
 ]