
Commit 60c9e3e

author
Ghanshyam Mann
committed
Convert SYSTEM_ADMIN|READER to Admin and system scope
As per the new direction, we will move all the system level policies to system admin, even GET policies. System reader will be added in the next phase in a future cycle. To dissociate the scope checks from the new defaults, check_str is added as the 'admin' rule (role:admin) without 'system:all', so that a policy with that admin rule and scope_type 'system' works like: - with enforce_scope=false, a legacy or project admin is still able to access the system level APIs. - with enforce_scope=True, only a system user with the admin role can access the system level APIs. Also modifying and adding tests for four cases: 1. enforce_scope=False + legacy rule (current default policies) 2. enforce_scope=False + no legacy rule 3. enforce_scope=True + legacy rule 4. enforce_scope=True + no legacy rule (end goal of the new RBAC) Partially implements blueprint policy-defaults-refresh-2 Change-Id: I344276d2ab054311a4b6c34c6998e116e7507246
1 parent ed1a854 commit 60c9e3e

15 files changed

+344
-573
lines changed

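--- a/nova/policies/aggregates.py
+++ b/nova/policies/aggregates.py
@@ -25,7 +25,7 @@
 aggregates_policies = [
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'set_metadata',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="Create or replace metadata for an aggregate",
 operations=[
 {
@@ -36,7 +36,7 @@
 scope_types=['system']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'add_host',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="Add a host to an aggregate",
 operations=[
 {
@@ -47,7 +47,7 @@
 scope_types=['system']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'create',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="Create an aggregate",
 operations=[
 {
@@ -58,7 +58,7 @@
 scope_types=['system']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'remove_host',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="Remove a host from an aggregate",
 operations=[
 {
@@ -69,7 +69,7 @@
 scope_types=['system']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'update',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="Update name and/or availability zone for an aggregate",
 operations=[
 {
@@ -80,7 +80,7 @@
 scope_types=['system']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'index',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="List all aggregates",
 operations=[
 {
@@ -91,7 +91,7 @@
 scope_types=['system']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'delete',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="Delete an aggregate",
 operations=[
 {
@@ -102,7 +102,7 @@
 scope_types=['system']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'show',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="Show details for an aggregate",
 operations=[
 {
@@ -113,7 +113,7 @@
 scope_types=['system']),
 policy.DocumentedRuleDefault(
 name=NEW_POLICY_ROOT % 'images',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="Request image caching for an aggregate",
 operations=[
 {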
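Review bot: The new `check_str=base.ADMIN` on these `scope_types=['system']` rules (set_metadata through images) restricts callers to system-scoped tokens only when `[oslo_policy] enforce_scope` is true; with it false, which the commit description names as the compatibility path, a project-scoped token carrying the admin role also passes, so `scope_types=['system']` by itself is not a restriction. Nothing in the file says this, and an operator reading the policy list is likely to take `scope_types` as a guarantee. A module-level comment above `aggregates_policies` would close that gap, e.g. `# NOTE: scope_types is only enforced when [oslo_policy] enforce_scope is True; base.ADMIN does not by itself require a system-scoped token.` The same point applies to the hunks in availability_zone.py, baremetal_nodes.py, hosts.py, hypervisors.py, quota_class_sets.py and services.py. The aggregates_policies list continues outside the shown hunks.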

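--- a/nova/policies/availability_zone.py
+++ b/nova/policies/availability_zone.py
@@ -36,7 +36,7 @@
 scope_types=['system', 'project']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'detail',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="List detailed availability zone information with host "
 "information",
 operations=[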

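--- a/nova/policies/baremetal_nodes.py
+++ b/nova/policies/baremetal_nodes.py
@@ -38,7 +38,7 @@
 baremetal_nodes_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'list',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="""List and show details of bare metal nodes.
 
 These APIs are proxy calls to the Ironic service and are deprecated.
@@ -53,7 +53,7 @@
 deprecated_rule=DEPRECATED_BAREMETAL_POLICY),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="""Show action details for a server.""",
 operations=[
 {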

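--- a/nova/policies/hosts.py
+++ b/nova/policies/hosts.py
@@ -38,7 +38,7 @@
 hosts_policies = [
 policy.DocumentedRuleDefault(
 name=POLICY_NAME % 'list',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="""List physical hosts.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -52,7 +52,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=POLICY_NAME % 'show',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="""Show physical host.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -66,7 +66,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=POLICY_NAME % 'update',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="""Update physical host.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -80,7 +80,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=POLICY_NAME % 'reboot',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="""Reboot physical host.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -94,7 +94,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=POLICY_NAME % 'shutdown',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="""Shutdown physical host.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",
@@ -108,7 +108,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=POLICY_NAME % 'start',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="""Start physical host.
 
 This API is deprecated in favor of os-hypervisors and os-services.""",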

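--- a/nova/policies/hypervisors.py
+++ b/nova/policies/hypervisors.py
@@ -37,7 +37,7 @@
 hypervisors_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'list',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="List all hypervisors.",
 operations=[
 {
@@ -49,7 +49,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'list-detail',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="List all hypervisors with details",
 operations=[
 {
@@ -61,7 +61,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'statistics',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="Show summary statistics for all hypervisors "
 "over all compute nodes.",
 operations=[
@@ -74,7 +74,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="Show details for a hypervisor.",
 operations=[
 {
@@ -86,7 +86,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'uptime',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="Show the uptime of a hypervisor.",
 operations=[
 {
@@ -98,7 +98,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'search',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="Search hypervisor by hypervisor_hostname pattern.",
 operations=[
 {
@@ -110,7 +110,7 @@
 deprecated_rule=DEPRECATED_POLICY),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'servers',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="List all servers on hypervisors that can match "
 "the provided hypervisor_hostname pattern.",
 operations=[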

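--- a/nova/policies/quota_class_sets.py
+++ b/nova/policies/quota_class_sets.py
@@ -24,7 +24,7 @@
 quota_class_sets_policies = [
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'show',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="List quotas for specific quota classs",
 operations=[
 {
@@ -35,7 +35,7 @@
 scope_types=['system']),
 policy.DocumentedRuleDefault(
 name=POLICY_ROOT % 'update',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description='Update quotas for specific quota class',
 operations=[
 {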

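--- a/nova/policies/services.py
+++ b/nova/policies/services.py
@@ -37,7 +37,7 @@
 services_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'list',
-check_str=base.SYSTEM_READER,
+check_str=base.ADMIN,
 description="List all running Compute services in a region.",
 operations=[
 {
@@ -49,7 +49,7 @@
 deprecated_rule=DEPRECATED_SERVICE_POLICY),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'update',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="Update a Compute service.",
 operations=[
 {
@@ -62,7 +62,7 @@
 deprecated_rule=DEPRECATED_SERVICE_POLICY),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'delete',
-check_str=base.SYSTEM_ADMIN,
+check_str=base.ADMIN,
 description="Delete a Compute service.",
 operations=[
 {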

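--- a/nova/tests/unit/policies/base.py
+++ b/nova/tests/unit/policies/base.py
@@ -139,6 +139,8 @@ def setUp(self):
 # To simulate the new world, remove deprecations by overriding
 # rules which has the deprecated rules.
 self.rules_without_deprecation.update({
+"context_is_admin":
+"role:admin",
 "system_admin_or_owner":
 "rule:system_admin_api or rule:project_member_api",
 "system_or_project_reader":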
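Review bot: The new `"context_is_admin": "role:admin"` entry is placed under a comment that describes the dict as overriding rules which carry deprecated rules, but nothing in the hunk says whether `context_is_admin` is one of those or why the new-defaults fixture needs to pin it. A one-line comment above the entry would make the intent explicit, e.g. `# Pin the admin rule so the no-deprecation fixture exercises the new ADMIN check_str as role:admin only.` That wording is inferred from the commit description, so confirm it matches the reason the entry was added. setUp begins outside the hunk and the dict literal continues past it.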
