Make more project level APIs scoped to project only

As per the RBAC new direction, we will allow
project resources operation to be performed by
the project scoped token only and system user will
be allowed to perform system level operation only
not project resources specific.

Details about new direction can be found in community-wide
goal
- https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

This commit modify more projects level APIs to be scoped
to project only.

Also modifying and adding tests for four cases:
1. enforce_scope=False + legacy rule (current default policies)
2. enforce_scope=False + No legacy rule
3. enforce_scope=True + legacy rule
4. enforce_scope=True + no legacy rule (end goal of new RBAC)

Partial implement blueprint policy-defaults-refresh-2

Change-Id: I6731aa6edd0c6bed5edb9eaaaa98b5e43aaeeb74

Author: Ghanshyam Mann

nova/api/openstack/compute/server_groups.py

@@ -167,7 +167,7 @@ def index(self, req):
             # new defaults completly then we can remove the above check.
             # Until then, let's keep the old behaviour.
             context.can(sg_policies.POLICY_ROOT % 'index:all_projects',
-                        target={})
+                        target={'project_id': project_id})
             sgs = objects.InstanceGroupList.get_all(context)
         else:
             sgs = objects.InstanceGroupList.get_by_project_id(

nova/api/openstack/compute/server_topology.py

@@ -35,7 +35,8 @@ def index(self, req, server_id):
                     target={'project_id': instance.project_id})
 
         host_policy = (st_policies.BASE_POLICY_NAME % 'host:index')
-        show_host_info = context.can(host_policy, fatal=False)
+        show_host_info = context.can(host_policy,
+            target={'project_id': instance.project_id}, fatal=False)
 
         return self._get_numa_topology(context, instance, show_host_info)
 

nova/api/openstack/compute/volumes.py

@@ -506,6 +506,11 @@ def update(self, req, server_id, id, body):
         # different from the 'id' in the url path, or only swap is allowed by
         # the microversion, we should check the swap volume policy.
         # otherwise, check the volume update policy.
+        # NOTE(gmann) We pass empty target to policy enforcement. This API
+        # is called by cinder which does not have correct project_id where
+        # server belongs to. By passing the empty target, we make sure that
+        # we do not check the requester project_id and allow users with
+        # allowed role to perform the swap volume.
         if only_swap or id != volume_id:
             context.can(va_policies.POLICY_ROOT % 'swap', target={})
         else:

nova/policies/attach_interfaces.py

@@ -37,51 +37,51 @@
 attach_interfaces_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'list',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="List port interfaces attached to a server",
         operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-interface'
             },
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INTERFACES_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="Show details of a port interface attached to a server",
         operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-interface/{port_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INTERFACES_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'create',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Attach an interface to a server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/os-interface'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INTERFACES_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Detach an interface from a server",
         operations=[
             {
                 'method': 'DELETE',
                 'path': '/servers/{server_id}/os-interface/{port_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INTERFACES_POLICY)
 ]
 

nova/policies/floating_ips.py

@@ -38,7 +38,7 @@
 floating_ips_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'add',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Associate floating IPs to server. "
         " This API is deprecated.",
         operations=[
@@ -47,11 +47,11 @@
                 'path': '/servers/{server_id}/action (addFloatingIp)'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'remove',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Disassociate floating IPs to server. "
         " This API is deprecated.",
         operations=[
@@ -60,55 +60,55 @@
                 'path': '/servers/{server_id}/action (removeFloatingIp)'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="List floating IPs. This API is deprecated.",
         operations=[
             {
                 'method': 'GET',
                 'path': '/os-floating-ips'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'create',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Create floating IPs. This API is deprecated.",
         operations=[
             {
                 'method': 'POST',
                 'path': '/os-floating-ips'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="Show floating IPs. This API is deprecated.",
         operations=[
             {
                 'method': 'GET',
                 'path': '/os-floating-ips/{floating_ip_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'delete',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Delete floating IPs. This API is deprecated.",
         operations=[
             {
                 'method': 'DELETE',
                 'path': '/os-floating-ips/{floating_ip_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_FIP_POLICY),
 ]
 

nova/policies/instance_actions.py

@@ -38,7 +38,7 @@
 instance_actions_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'events:details',
-        check_str=base.SYSTEM_READER,
+        check_str=base.PROJECT_ADMIN,
         description="""Add "details" key in action events for a server.
 
 This check is performed only after the check
@@ -56,10 +56,10 @@
                 'path': '/servers/{server_id}/os-instance-actions/{request_id}'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'events',
-        check_str=base.SYSTEM_READER,
+        check_str=base.PROJECT_ADMIN,
         description="""Add events details in action details for a server.
 This check is performed only after the check
 os_compute_api:os-instance-actions:show passes. Beginning with Microversion
@@ -73,30 +73,30 @@
                 'path': '/servers/{server_id}/os-instance-actions/{request_id}'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'list',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="""List actions for a server.""",
         operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-instance-actions'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="""Show action details for a server.""",
         operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/os-instance-actions/{request_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_INSTANCE_ACTION_POLICY),
 ]
 

nova/policies/ips.py

@@ -24,7 +24,7 @@
 ips_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="Show IP addresses details for a network label of a "
         " server",
         operations=[
@@ -33,18 +33,18 @@
                 'path': '/servers/{server_id}/ips/{network_label}'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'index',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="List IP addresses that are assigned to a server",
         operations=[
             {
                 'method': 'GET',
                 'path': '/servers/{server_id}/ips'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]
 
 

nova/policies/networks.py

@@ -38,7 +38,7 @@
 networks_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'list',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="""List networks for the project.
 
 This API is proxy calls to the Network service. This is deprecated.""",
@@ -48,11 +48,11 @@
                 'path': '/os-networks'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        check_str=base.PROJECT_READER,
         description="""Show network details.
 
 This API is proxy calls to the Network service. This is deprecated.""",
@@ -62,7 +62,7 @@
                 'path': '/os-networks/{network_id}'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY),
 ]
 

nova/policies/quota_sets.py

@@ -24,15 +24,15 @@
 quota_sets_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'update',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Update the quotas",
         operations=[
             {
                 'method': 'PUT',
                 'path': '/os-quota-sets/{tenant_id}'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'defaults',
         check_str=base.RULE_ANY,
@@ -46,37 +46,46 @@
         scope_types=['system', 'project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'show',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        # TODO(gmann): Until we have domain admin or so to get other project's
+        # data, allow admin role(with scope check it will be project admin) to
+        # get other project quota. We cannot use PROJECT_ADMIN here as
+        # project_id passed in request url is used as policy targets which
+        # would not match with context's project_id fetched for rule
+        # PROJECT_ADMIN check.
+        check_str='(' + base.PROJECT_READER + ') or role:admin',
         description="Show a quota",
         operations=[
             {
                 'method': 'GET',
                 'path': '/os-quota-sets/{tenant_id}'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        check_str=base.PROJECT_ADMIN,
         description="Revert quotas to defaults",
         operations=[
             {
                 'method': 'DELETE',
                 'path': '/os-quota-sets/{tenant_id}'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'detail',
-        check_str=base.PROJECT_READER_OR_SYSTEM_READER,
+        # TODO(gmann): Until we have domain admin or so to get other project's
+        # data, allow admin role(with scope check it will be project admin) to
+        # get other project quota.
+        check_str='(' + base.PROJECT_READER + ') or role:admin',
         description="Show the detail of quota",
         operations=[
             {
                 'method': 'GET',
                 'path': '/os-quota-sets/{tenant_id}/detail'
             }
         ],
-        scope_types=['system', 'project']),
+        scope_types=['project']),
 ]