Server actions APIs scoped to project scope

As per the RBAC new direction, we will allow
project resources operation to be performed by
the project scoped token only and system user will
be allowed to perform system level operation only
not project resources specific.

Details about new direction can be found in community-wide
goal
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

This commit modify the server action APIs to be scoped
to project scope.

Fix the shelve-offload policy to pass the instance project
id as target.

Also modifying and adding tests for four cases:
1. enforce_scope=False + legacy rule (current default policies)
2. enforce_scope=False + No legacy rule
3. enforce_scope=True + legacy rule
4. enforce_scope=True + no legacy rule (end goal of new RBAC)

Partial implement blueprint policy-defaults-refresh-2

Change-Id: I5293e9aa9cb3b48f97a5a2cf272939ada1aea2db

Author: Ghanshyam Mann

nova/api/openstack/compute/shelve.py

@@ -64,9 +64,11 @@ def _shelve(self, req, id, body):
     def _shelve_offload(self, req, id, body):
         """Force removal of a shelved instance from the compute node."""
         context = req.environ["nova.context"]
-        context.can(shelve_policies.POLICY_ROOT % 'shelve_offload')
-
         instance = common.get_instance(self.compute_api, context, id)
+        context.can(shelve_policies.POLICY_ROOT % 'shelve_offload',
+                    target={'user_id': instance.user_id,
+                            'project_id': instance.project_id})
+
         try:
             self.compute_api.shelve_offload(context, instance)
         except exception.InstanceIsLocked as e:

nova/policies/admin_actions.py

@@ -24,26 +24,26 @@
 admin_actions_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'reset_state',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Reset the state of a given server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (os-resetState)'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'inject_network_info',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Inject network information into the server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (injectNetworkInfo)'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]
 
 

nova/policies/admin_password.py

@@ -24,15 +24,15 @@
 admin_password_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Change the administrative password for a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (changePassword)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project'])
+        scope_types=['project'])
 ]
 
 

nova/policies/evacuate.py

@@ -24,15 +24,15 @@
 evacuate_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Evacuate a server from a failed host to a new host",
         operations=[
             {
                 'path': '/servers/{server_id}/action (evacuate)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]
 
 

nova/policies/lock_server.py

@@ -24,31 +24,31 @@
 lock_server_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'lock',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Lock a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (lock)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']
+        scope_types=['project']
     ),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'unlock',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Unlock a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (unlock)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']
+        scope_types=['project']
     ),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'unlock:unlock_override',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="""Unlock a server, regardless who locked the server.
 
 This check is performed only after the check
@@ -59,7 +59,7 @@
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']
+        scope_types=['project']
     ),
 ]
 

nova/policies/multinic.py

@@ -38,7 +38,7 @@
 multinic_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'add',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="""Add a fixed IP address to a server.
 
 This API is proxy calls to the Network service. This is
@@ -49,11 +49,11 @@
                 'path': '/servers/{server_id}/action (addFixedIp)'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'remove',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="""Remove a fixed IP address from a server.
 
 This API is proxy calls to the Network service. This is
@@ -64,7 +64,7 @@
                 'path': '/servers/{server_id}/action (removeFixedIp)'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY),
 ]
 

nova/policies/pause_server.py

@@ -24,27 +24,27 @@
 pause_server_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'pause',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Pause a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (pause)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']
+        scope_types=['project']
     ),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'unpause',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Unpause a paused server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (unpause)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project']
+        scope_types=['project']
     ),
 ]
 

nova/policies/remote_consoles.py

@@ -24,7 +24,7 @@
 remote_consoles_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="""Generate a URL to access remove server console.
 
 This policy is for ``POST /remote-consoles`` API and below Server actions APIs
@@ -56,7 +56,7 @@
                 'path': '/servers/{server_id}/remote-consoles'
             },
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]
 
 

nova/policies/rescue.py

@@ -37,26 +37,26 @@
 rescue_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Rescue a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (rescue)',
                 'method': 'POST'
             },
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=UNRESCUE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Unrescue a server",
         operations=[
             {
                 'path': '/servers/{server_id}/action (unrescue)',
                 'method': 'POST'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY
     ),
 ]

nova/policies/shelve.py

@@ -24,37 +24,37 @@
 shelve_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'shelve',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Shelve server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (shelve)'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'unshelve',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Unshelve (restore) shelved server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (unshelve)'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'shelve_offload',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Shelf-offload (remove) server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (shelveOffload)'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]