From 0d9984199f4dd5b7c25fabbe3aca91686ce72ef3 Mon Sep 17 00:00:00 2001
From: Ghanshyam Mann
Date: Wed, 6 Mar 2024 16:12:24 -0800
Subject: [PATCH] Add new default base rules and mapping in policy base class

We are introducing new default roles (project personas) in Tacker policies. To reuse those new default roles among policies, default base rules have been defined in base class. Those are basically:
- admin: stay same
- project member or admin: this is replacement of admin-or-owner for write operations
- Project reader or admin: this is replacement of admin-or-owner for reader operations

Partial implement blueprint implement-project-personas

Change-Id: Id95d07e6f2bb66eddc4205c541d606af9271ef44
---
 tacker/policies/base.py | 87 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 82 insertions(+), 5 deletions(-)

diff --git a/tacker/policies/base.py b/tacker/policies/base.py
index bd2caebf5..b0d16a9a3 100644
--- a/tacker/policies/base.py
+++ b/tacker/policies/base.py
@@ -21,27 +21,104 @@ RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' RULE_ADMIN_API = 'rule:admin_only' RULE_ANY = '@' + +DEPRECATED_REASON = """ +Tacker API policies are introducing new default roles with scope_type +capabilities. Old policies are deprecated and silently going to be ignored +in future. +""" + +DEPRECATED_ADMIN_POLICY = policy.DeprecatedRule( + name=RULE_ADMIN_API, + check_str='is_admin:True', + deprecated_reason=DEPRECATED_REASON, + deprecated_since='11.0.0' +) + +DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule( + name=RULE_ADMIN_OR_OWNER, + check_str='is_admin:True or project_id:%(project_id)s', + deprecated_reason=DEPRECATED_REASON, + deprecated_since='11.0.0' +) + +RULE_PROJECT_MEMBER = 'rule:project_member' +RULE_PROJECT_READER = 'rule:project_reader' +# NOTE(gmann): or_admin in below rules make sure that legacy (existing) admin +# continue working in same way as currently. +RULE_PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin' +RULE_PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin' + +# NOTE: Below is the mapping of new defaults with legacy defaults:: +# Legacy Defaults |New Defaults |Operation |scope_type| +# -------------------+---------------------------+----------------+----------- +# RULE_ADMIN_API |-> ADMIN |Global resource | [project] +# | |Write & Read | +# -------------------+---------------------------+----------------+----------- +# |-> ADMIN |Project admin | [project] +# | |level operation | +# RULE_ADMIN_OR_OWNER|-> PROJECT_MEMBER_OR_ADMIN |Project resource| [project] +# | |Write | +# |-> PROJECT_READER_OR_ADMIN |Project resource| [project] +# | |Read | + +# NOTE(gmann): The OpenStack Keystone already supports implied roles which +# means the assignment of one role implies the assignment of another. +# The new default roles reader and member also have been added in bootstrap. 
+# If the bootstrap process is re-run, and a reader, member or admin role +# already exists, a role implication chain will be created: `admin` implies +# `member` implies `reader`. +# For example: If we give access to 'reader' it means the 'admin' and +# 'member' also gets the access. rules = [ policy.RuleDefault( "context_is_admin", "role:admin", - "Decides what is required for the 'is_admin:True' check to succeed."), + "Decides what is required for the 'is_admin:True' check to succeed.", + deprecated_rule=DEPRECATED_ADMIN_POLICY), policy.RuleDefault( "admin_or_owner", "is_admin:True or project_id:%(project_id)s", - "Default rule for most non-Admin APIs."), + "Default rule for most non-Admin APIs.", + deprecated_for_removal=True, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='11.0.0'), policy.RuleDefault( "admin_only", "is_admin:True", - "Default rule for most Admin APIs."), + "Default rule for most Admin APIs.", + deprecated_for_removal=True, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='11.0.0'), policy.RuleDefault( "shared", "field:vims:shared=True", "Default rule for sharing vims."), + policy.RuleDefault( + "project_member", + "role:member and project_id:%(project_id)s", + "Default rule for Project level non admin APIs.", + deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY), + policy.RuleDefault( + "project_member_or_admin", + "rule:project_member or rule:context_is_admin", + "Default rule for Project Member or admin APIs.", + deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY), + policy.RuleDefault( + "project_reader", + "role:reader and project_id:%(project_id)s", + "Default rule for Project level read only APIs.", + deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY), + policy.RuleDefault( + "project_reader_or_admin", + "rule:project_reader or rule:context_is_admin", + "Default rule for Project reader or admin APIs.", + deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY), policy.RuleDefault( "default", - "rule:admin_or_owner", - "Default 
rule for most non-Admin APIs.") + "rule:project_member_or_admin", + "Default rule for most non-Admin APIs.", + deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY) ]
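Review bot: The new `project_member` and `project_reader` rules carry `deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY`, and if I read oslo.policy's deprecated-rule handling correctly the enforcer ORs that legacy check string (`is_admin:True or project_id:%(project_id)s`) into each new rule until `[oslo_policy] enforce_new_defaults = True`, so a caller with a matching project_id but no `member`/`reader` role is still admitted and nothing in this hunk says so. The `DEPRECATED_REASON` text ("silently going to be ignored in future") and the mapping table read as if the role checks bite now; I would add above `rules = [` a comment such as `# NOTE: until [oslo_policy] enforce_new_defaults is True, oslo.policy ORs each deprecated check_str into the new rule, so project_member/project_reader still admit any caller whose project_id matches regardless of role, and context_is_admin also accepts is_admin:True; the role requirements only take effect once operators opt in.` Related, `project_member_or_admin` and `project_reader_or_admin` attach the same deprecated rule that their constituent `project_member`/`project_reader` rules already carry, which is redundant and, I believe, yields a second deprecation warning at policy load for the same legacy check; dropping `deprecated_rule` from the two `_or_admin` wrappers would avoid that. Finally, the table's `scope_type [project]` column is not backed by a `scope_types=` argument on any RuleDefault here, so the comment should say that scope enforcement presumably lives on the per-API rule definitions outside this file rather than implying it is in place.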