RBAC updates: drop system scope

Based on the operator feedback, we have updated the RBAC
community wide goal to drop the system scope from all the
OpenStack services except Ironic and Keystone[1]. We are keeping
scope_type in policy-in-code and every policy will be scoped
to project whihc will help to return better error code (403)
if system token is used to access the glance APIs (in case
deployment having Ironic, Keystone using the scope checks).

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

Change-Id: Ie3174593454e35d23a3e2be439a9213bbfa1a89e

Author: ghanshyam mann

glance/policies/base.py

@@ -54,16 +54,9 @@
 #
 # These check strings do not support tenancy with the `admin` role. This means
 # anyone with the `admin` role on any project can execute a policy, which is
-# typical in OpenStack services. Eventually, these check strings will be
-# superseded by check strings that implement scope checking and system-scope
-# for applicable APIs (e.g., making an image public). But, we have a lot of
-# cleanup to do in different parts of glance to sweep all the authorization
-# code into a single layer before we can safely consume system-scope and
-# implement scope checking. This refactoring also needs significant API testing
-# to ensure we don't leave doors open to unintended users, or expose
-# authoritative regressions. In the mean time, we can use the following check
-# strings to offer formal support for project membership and a read-only
-# variant consistent with other OpenStack services.
+# typical in OpenStack services. But following check strings offer formal
+# support for project membership and a read-only variant consistent with
+# other OpenStack services.
 ADMIN_OR_PROJECT_MEMBER = f'role:admin or ({PROJECT_MEMBER})'
 ADMIN_OR_PROJECT_READER = f'role:admin or ({PROJECT_READER})'
 ADMIN_OR_PROJECT_READER_GET_IMAGE = (

glance/policies/discovery.py

@@ -19,7 +19,7 @@
     policy.DocumentedRuleDefault(
         name="stores_info_detail",
         check_str='role:admin',
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Expose store specific information',
         operations=[
             {'path': '/v2/info/stores/detail',

glance/policies/image.py

@@ -24,7 +24,7 @@
     policy.DocumentedRuleDefault(
         name="add_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER_CREATE_IMAGE,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Create new image',
         operations=[
             {'path': '/v2/images',
@@ -38,7 +38,7 @@
     policy.DocumentedRuleDefault(
         name="delete_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Deletes the image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -52,7 +52,7 @@
     policy.DocumentedRuleDefault(
         name="get_image",
         check_str=base.ADMIN_OR_PROJECT_READER_GET_IMAGE,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Get specified image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -66,7 +66,7 @@
     policy.DocumentedRuleDefault(
         name="get_images",
         check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Get all available images',
         operations=[
             {'path': '/v2/images',
@@ -80,7 +80,7 @@
     policy.DocumentedRuleDefault(
         name="modify_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Updates given image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -94,7 +94,7 @@
     policy.DocumentedRuleDefault(
         name="publicize_image",
         check_str='role:admin',
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Publicize given image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -104,7 +104,7 @@
     policy.DocumentedRuleDefault(
         name="communitize_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Communitize given image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -119,7 +119,7 @@
     policy.DocumentedRuleDefault(
         name="download_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER_DOWNLOAD_IMAGE,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Downloads given image',
         operations=[
             {'path': '/v2/images/{image_id}/file',
@@ -133,7 +133,7 @@
     policy.DocumentedRuleDefault(
         name="upload_image",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Uploads data to specified image',
         operations=[
             {'path': '/v2/images/{image_id}/file',
@@ -148,7 +148,7 @@
     policy.DocumentedRuleDefault(
         name="delete_image_location",
         check_str="role:admin",
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Deletes the location of given image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -162,7 +162,7 @@
     policy.DocumentedRuleDefault(
         name="get_image_location",
         check_str=base.ADMIN_OR_PROJECT_READER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Reads the location of the image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -176,7 +176,7 @@
     policy.DocumentedRuleDefault(
         name="set_image_location",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Sets location URI to given image',
         operations=[
             {'path': '/v2/images/{image_id}',
@@ -191,7 +191,7 @@
     policy.DocumentedRuleDefault(
         name="add_member",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Create image member',
         operations=[
             {'path': '/v2/images/{image_id}/members',
@@ -205,7 +205,7 @@
     policy.DocumentedRuleDefault(
         name="delete_member",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Delete image member',
         operations=[
             {'path': '/v2/images/{image_id}/members/{member_id}',
@@ -219,7 +219,7 @@
     policy.DocumentedRuleDefault(
         name="get_member",
         check_str=base.ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Show image member details',
         operations=[
             {'path': '/v2/images/{image_id}/members/{member_id}',
@@ -233,7 +233,7 @@
     policy.DocumentedRuleDefault(
         name="get_members",
         check_str=base.ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='List image members',
         operations=[
             {'path': '/v2/images/{image_id}/members',
@@ -247,7 +247,7 @@
     policy.DocumentedRuleDefault(
         name="modify_member",
         check_str=base.ADMIN_OR_SHARED_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Update image member',
         operations=[
             {'path': '/v2/images/{image_id}/members/{member_id}',
@@ -262,17 +262,14 @@
     policy.RuleDefault(
         name="manage_image_cache",
         check_str='role:admin',
-        # NOTE(lbragstad): Remove 'project' from the list below when glance
-        # fully supports system-scope and this policy is updated to reflect
-        # that in the check string.
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Manage image cache'
     ),
 
     policy.DocumentedRuleDefault(
         name="deactivate",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Deactivate image',
         operations=[
             {'path': '/v2/images/{image_id}/actions/deactivate',
@@ -286,7 +283,7 @@
     policy.DocumentedRuleDefault(
         name="reactivate",
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Reactivate image',
         operations=[
             {'path': '/v2/images/{image_id}/actions/reactivate',
@@ -301,11 +298,10 @@
     policy.DocumentedRuleDefault(
         name="copy_image",
         check_str='role:admin',
-        # Eventually, we need to make sure we update the check string here to
-        # be scope-aware, but for now this is restricted to system-admins and
-        # project-admins. That might change in the future if we decide to push
+        # For now this is restricted to project-admins.
+        # That might change in the future if we decide to push
         # this functionality down to project-members.
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         description='Copy existing image to other stores',
         operations=[
             {'path': '/v2/images/{image_id}/import',