Modify remaining APIs as per RBAC new guidelines

As per the RBAC new direction, we will allow
project resources operation to be performed by
the project scoped token only and system user will
be allowed to perform system level operation only
not project resources specific.

Details about new direction can be found in community-wide
goal
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

This commit modify remaining APIs as per the new guidelines.

Also, allow all project admin to list the other project limits. This is
what we allowed in legacy policy and until we have domain admin or other
way to list other project resources/info, we will keep that behaviour.

Also modifying and adding tests for four cases:
1. enforce_scope=False + legacy rule (current default policies)
2. enforce_scope=False + No legacy rule
3. enforce_scope=True + legacy rule
4. enforce_scope=True + no legacy rule (end goal of new RBAC)

Partial implement blueprint policy-defaults-refresh-2

Change-Id: I006d47aa2f4678a06c78057bcf407302abbe4907

Author: Ghanshyam Mann

nova/api/openstack/compute/assisted_volume_snapshots.py

@@ -39,6 +39,11 @@ def __init__(self):
     def create(self, req, body):
         """Creates a new snapshot."""
         context = req.environ['nova.context']
+        # NOTE(gmann) We pass empty target to policy enforcement. This API
+        # is called by cinder which does not have correct project_id.
+        # By passing the empty target, we make sure that we do not check
+        # the requester project_id and allow users with
+        # allowed role to create snapshot.
         context.can(avs_policies.POLICY_ROOT % 'create', target={})
 
         snapshot = body['snapshot']
@@ -69,6 +74,11 @@ def create(self, req, body):
     def delete(self, req, id):
         """Delete a snapshot."""
         context = req.environ['nova.context']
+        # NOTE(gmann) We pass empty target to policy enforcement. This API
+        # is called by cinder which does not have correct project_id.
+        # By passing the empty target, we make sure that we do not check
+        # the requester project_id and allow users with allowed role to
+        # delete snapshot.
         context.can(avs_policies.POLICY_ROOT % 'delete', target={})
 
         delete_metadata = {}

nova/api/openstack/compute/console_auth_tokens.py

@@ -30,7 +30,7 @@ class ConsoleAuthTokensController(wsgi.Controller):
     def _show(self, req, id, rdp_only):
         """Checks a console auth token and returns the related connect info."""
         context = req.environ['nova.context']
-        context.can(cat_policies.BASE_POLICY_NAME, target={})
+        context.can(cat_policies.BASE_POLICY_NAME)
 
         token = id
         if not token:

nova/api/openstack/compute/limits.py

@@ -78,8 +78,7 @@ def _index(self, req, filtered_limits=None, max_image_meta=True):
         project_id = context.project_id
         if 'tenant_id' in req.GET:
             project_id = req.GET.get('tenant_id')
-            context.can(limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME,
-                        target={'project_id': project_id})
+            context.can(limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME)
 
         quotas = QUOTAS.get_project_quotas(context, project_id,
                                            usages=True)

nova/api/openstack/compute/migrations.py

@@ -89,7 +89,7 @@ def _index(self, req, add_link=False, next_link=False, add_uuid=False,
                sort_dirs=None, sort_keys=None, limit=None, marker=None,
                allow_changes_since=False, allow_changes_before=False):
         context = req.environ['nova.context']
-        context.can(migrations_policies.POLICY_ROOT % 'index', target={})
+        context.can(migrations_policies.POLICY_ROOT % 'index')
         search_opts = {}
         search_opts.update(req.GET)
         if 'changes-since' in search_opts:

nova/api/openstack/compute/server_external_events.py

@@ -73,6 +73,11 @@ def _get_instances_all_cells(self, context, instance_uuids,
     def create(self, req, body):
         """Creates a new instance event."""
         context = req.environ['nova.context']
+        # NOTE(gmann) We pass empty target to policy enforcement. This API
+        # is called by neutron which does not have correct project_id where
+        # server belongs to. By passing the empty target, we make sure that
+        # we do not check the requester project_id and allow users with
+        # allowed role to create external event.
         context.can(see_policies.POLICY_ROOT % 'create', target={})
 
         response_events = []

nova/policies/assisted_volume_snapshots.py

@@ -24,26 +24,40 @@
 assisted_volume_snapshots_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'create',
-        check_str=base.SYSTEM_ADMIN,
+        # TODO(gmann): This is internal API policy and called by
+        # cinder. Add 'service' role in this policy so that cinder
+        # can call it with user having 'service' role (not having
+        # correct project_id). That is for phase-2 of RBAC goal and until
+        # then, we keep it open for all admin in any project. We cannot
+        # default it to PROJECT_ADMIN which has the project_id in
+        # check_str and will fail if cinder call it with other project_id.
+        check_str=base.ADMIN,
         description="Create an assisted volume snapshot",
         operations=[
             {
                 'path': '/os-assisted-volume-snapshots',
                 'method': 'POST'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        # TODO(gmann): This is internal API policy and called by
+        # cinder. Add 'service' role in this policy so that cinder
+        # can call it with user having 'service' role (not having
+        # correct project_id). That is for phase-2 of RBAC goal and until
+        # then, we keep it open for all admin in any project. We cannot
+        # default it to PROJECT_ADMIN which has the project_id in
+        # check_str and will fail if cinder call it with other project_id.
+        check_str=base.ADMIN,
         description="Delete an assisted volume snapshot",
         operations=[
             {
                 'path': '/os-assisted-volume-snapshots/{snapshot_id}',
                 'method': 'DELETE'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
 ]
 
 

nova/policies/console_auth_tokens.py

@@ -24,7 +24,7 @@
 console_auth_tokens_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.SYSTEM_READER,
+        check_str=base.PROJECT_ADMIN,
         description="Show console connection information for a given console "
         "authentication token",
         operations=[
@@ -33,7 +33,7 @@
                 'path': '/os-console-auth-tokens/{console_token}'
             }
         ],
-        scope_types=['system'])
+        scope_types=['project'])
 ]
 
 

nova/policies/console_output.py

@@ -24,15 +24,15 @@
 console_output_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description='Show console output for a server',
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (os-getConsoleOutput)'
             }
         ],
-        scope_types=['system', 'project'])
+        scope_types=['project'])
 ]
 
 

nova/policies/create_backup.py

@@ -24,15 +24,15 @@
 create_backup_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description='Create a back up of a server',
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (createBackup)'
             }
         ],
-        scope_types=['system', 'project'])
+        scope_types=['project'])
 ]
 
 

nova/policies/deferred_delete.py

@@ -36,27 +36,27 @@
 deferred_delete_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'restore',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Restore a soft deleted server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (restore)'
             },
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'force',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Force delete a server before deferred cleanup",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (forceDelete)'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY)
 ]