Make some metadef operations admin-only

konan-abhi · kk7ds · commit f8551de8c9d6 · 2021-03-15T07:59:05.000-07:00
This restricts all metadef resource manipulation to admin-only, but still allow users to see everything. There are multiple low-grade security issues with the metadef API, detailed in the related bug. Restricting resource manipulation to admin-only solves most of these concerns. SecurityImpact Depends-On: https://review.opendev.org/c/openstack/tempest/+/780108 Change-Id: I333c58e73c202c1f523030e54e03f2868459b595 Related-Bug: #1916926
diff --git a/api-ref/source/v2/metadefs-index.rst b/api-ref/source/v2/metadefs-index.rst
@@ -55,6 +55,10 @@ constraints, and the resource types to which it can be associated.  See
 <http://docs.openstack.org/developer/glance/metadefs-concepts.html>`_ in the
 Glance Developer documentation for more information.
 
+.. note:: By default, only admins can manipulate the data exposed by
+          this API, but all users may list and show public
+          resources. This changed from a default of "open to all" in
+          the Wallaby release.
 
 .. include:: metadefs-namespaces.inc
 .. include:: metadefs-resourcetypes.inc
diff --git a/doc/source/user/metadefs-concepts.rst b/doc/source/user/metadefs-concepts.rst
@@ -43,6 +43,17 @@ the property is applied to different types of resources, such as "hw\_" for
 images and "hw:" for flavors.  So, on an image, the user would know to set the
 property as "hw_cpu_cores=1".
 
+.. note:: Resource manipulation via this API is restricted to admins
+          by default since the Wallaby release. This API does not
+          provide limits suitable for exposure to all users, and can
+          also leak information between users unintentionally. Even as
+          an admin, be careful with the names you use for resources
+          you create that are intended to be private, in order to
+          avoid unintentional exposure. See Bug 1916926_ for more
+          information.
+
+.. _1916926: https://bugs.launchpad.net/glance/+bug/1916926/
+
 Terminology
 -----------
 
diff --git a/glance/policies/metadef.py b/glance/policies/metadef.py
@@ -14,46 +14,64 @@
 
 
 metadef_policies = [
-    policy.RuleDefault(name="get_metadef_namespace", check_str="rule:default"),
+    policy.RuleDefault(name="metadef_default", check_str=""),
+    policy.RuleDefault(name="metadef_admin", check_str="role:admin"),
+    policy.RuleDefault(name="get_metadef_namespace",
+                       check_str="rule:metadef_default"),
     policy.RuleDefault(name="get_metadef_namespaces",
-                       check_str="rule:default"),
+                       check_str="rule:metadef_default"),
     policy.RuleDefault(name="modify_metadef_namespace",
-                       check_str="rule:default"),
-    policy.RuleDefault(name="add_metadef_namespace", check_str="rule:default"),
+                       check_str="rule:metadef_admin"),
+    policy.RuleDefault(name="add_metadef_namespace",
+                       check_str="rule:metadef_admin"),
     policy.RuleDefault(name="delete_metadef_namespace",
-                       check_str="rule:default"),
+                       check_str="rule:metadef_admin"),
 
-    policy.RuleDefault(name="get_metadef_object", check_str="rule:default"),
-    policy.RuleDefault(name="get_metadef_objects", check_str="rule:default"),
-    policy.RuleDefault(name="modify_metadef_object", check_str="rule:default"),
-    policy.RuleDefault(name="add_metadef_object", check_str="rule:default"),
-    policy.RuleDefault(name="delete_metadef_object", check_str="rule:default"),
+    policy.RuleDefault(name="get_metadef_object",
+                       check_str="rule:metadef_default"),
+    policy.RuleDefault(name="get_metadef_objects",
+                       check_str="rule:metadef_default"),
+    policy.RuleDefault(name="modify_metadef_object",
+                       check_str="rule:metadef_admin"),
+    policy.RuleDefault(name="add_metadef_object",
+                       check_str="rule:metadef_admin"),
+    policy.RuleDefault(name="delete_metadef_object",
+                       check_str="rule:metadef_admin"),
 
     policy.RuleDefault(name="list_metadef_resource_types",
-                       check_str="rule:default"),
+                       check_str="rule:metadef_default"),
     policy.RuleDefault(name="get_metadef_resource_type",
-                       check_str="rule:default"),
+                       check_str="rule:metadef_default"),
     policy.RuleDefault(name="add_metadef_resource_type_association",
-                       check_str="rule:default"),
+                       check_str="rule:metadef_admin"),
     policy.RuleDefault(name="remove_metadef_resource_type_association",
-                       check_str="rule:default"),
+                       check_str="rule:metadef_admin"),
 
-    policy.RuleDefault(name="get_metadef_property", check_str="rule:default"),
+    policy.RuleDefault(name="get_metadef_property",
+                       check_str="rule:metadef_default"),
     policy.RuleDefault(name="get_metadef_properties",
-                       check_str="rule:default"),
+                       check_str="rule:metadef_default"),
     policy.RuleDefault(name="modify_metadef_property",
-                       check_str="rule:default"),
-    policy.RuleDefault(name="add_metadef_property", check_str="rule:default"),
+                       check_str="rule:metadef_admin"),
+    policy.RuleDefault(name="add_metadef_property",
+                       check_str="rule:metadef_admin"),
     policy.RuleDefault(name="remove_metadef_property",
-                       check_str="rule:default"),
-
-    policy.RuleDefault(name="get_metadef_tag", check_str="rule:default"),
-    policy.RuleDefault(name="get_metadef_tags", check_str="rule:default"),
-    policy.RuleDefault(name="modify_metadef_tag", check_str="rule:default"),
-    policy.RuleDefault(name="add_metadef_tag", check_str="rule:default"),
-    policy.RuleDefault(name="add_metadef_tags", check_str="rule:default"),
-    policy.RuleDefault(name="delete_metadef_tag", check_str="rule:default"),
-    policy.RuleDefault(name="delete_metadef_tags", check_str="rule:default"),
+                       check_str="rule:metadef_admin"),
+
+    policy.RuleDefault(name="get_metadef_tag",
+                       check_str="rule:metadef_default"),
+    policy.RuleDefault(name="get_metadef_tags",
+                       check_str="rule:metadef_default"),
+    policy.RuleDefault(name="modify_metadef_tag",
+                       check_str="rule:metadef_admin"),
+    policy.RuleDefault(name="add_metadef_tag",
+                       check_str="rule:metadef_admin"),
+    policy.RuleDefault(name="add_metadef_tags",
+                       check_str="rule:metadef_admin"),
+    policy.RuleDefault(name="delete_metadef_tag",
+                       check_str="rule:metadef_admin"),
+    policy.RuleDefault(name="delete_metadef_tags",
+                       check_str="rule:metadef_admin"),
 ]
 
 
diff --git a/glance/tests/etc/policy.yaml b/glance/tests/etc/policy.yaml
@@ -5,6 +5,9 @@
 # Defines the rule for the is_admin:True check.
 #"context_is_admin": "role:admin"
 
+# Default for admin-only metadef rules
+"metadef_admin": "role:admin"
+
 # add_image
 "add_image": ""
 
@@ -84,13 +87,13 @@
 "get_metadef_namespaces": ""
 
 # modify_metadef_namespace
-"modify_metadef_namespace": ""
+"modify_metadef_namespace": "rule:metadef_admin"
 
 # add_metadef_namespace
-"add_metadef_namespace": ""
+"add_metadef_namespace": "rule:metadef_admin"
 
 # delete_metadef_namespace
-"delete_metadef_namespace": ""
+"delete_metadef_namespace": "rule:metadef_admin"
 
 # get_metadef_object
 "get_metadef_object": ""
@@ -99,13 +102,13 @@
 "get_metadef_objects": ""
 
 # modify_metadef_object
-"modify_metadef_object": ""
+"modify_metadef_object": "rule:metadef_admin"
 
 # add_metadef_object
-"add_metadef_object": ""
+"add_metadef_object": "rule:metadef_admin"
 
 # delete_metadef_object
-"delete_metadef_object": ""
+"delete_metadef_object": "rule:metadef_admin"
 
 # list_metadef_resource_types
 "list_metadef_resource_types": ""
@@ -114,10 +117,10 @@
 "get_metadef_resource_type": ""
 
 # add_metadef_resource_type_association
-"add_metadef_resource_type_association": ""
+"add_metadef_resource_type_association": "rule:metadef_admin"
 
 # remove_metadef_resource_type_association
-"remove_metadef_resource_type_association": ""
+"remove_metadef_resource_type_association": "rule:metadef_admin"
 
 # get_metadef_property
 "get_metadef_property": ""
@@ -126,13 +129,13 @@
 "get_metadef_properties": ""
 
 # modify_metadef_property
-"modify_metadef_property": ""
+"modify_metadef_property": "rule:metadef_admin"
 
 # add_metadef_property
-"add_metadef_property": ""
+"add_metadef_property": "rule:metadef_admin"
 
 # remove_metadef_property
-"remove_metadef_property": ""
+"remove_metadef_property": "rule:metadef_admin"
 
 # get_metadef_tag
 "get_metadef_tag": ""
@@ -141,19 +144,19 @@
 "get_metadef_tags": ""
 
 # modify_metadef_tag
-"modify_metadef_tag": ""
+"modify_metadef_tag": "rule:metadef_admin"
 
 # add_metadef_tag
-"add_metadef_tag": ""
+"add_metadef_tag": "rule:metadef_admin"
 
 # add_metadef_tags
-"add_metadef_tags": ""
+"add_metadef_tags": "rule:metadef_admin"
 
 # delete_metadef_tag
-"delete_metadef_tag": ""
+"delete_metadef_tag": "rule:metadef_admin"
 
 # delete_metadef_tags
-"delete_metadef_tags": ""
+"delete_metadef_tags": "rule:metadef_admin"
 
 # WARNING: Below rules are either deprecated rules
 # or extra rules in policy file, it is strongly
diff --git a/glance/tests/unit/v2/test_metadef_resources.py b/glance/tests/unit/v2/test_metadef_resources.py
diff --git a/releasenotes/notes/metadef-api-admin-operations-b9a2d863913b0cae.yaml b/releasenotes/notes/metadef-api-admin-operations-b9a2d863913b0cae.yaml
