Merge "Modify remaining APIs as per RBAC new guidelines"

Author: Zuul

nova/api/openstack/compute/assisted_volume_snapshots.py

@@ -39,6 +39,11 @@ def __init__(self):
     def create(self, req, body):
         """Creates a new snapshot."""
         context = req.environ['nova.context']
+        # NOTE(gmann) We pass empty target to policy enforcement. This API
+        # is called by cinder which does not have correct project_id.
+        # By passing the empty target, we make sure that we do not check
+        # the requester project_id and allow users with
+        # allowed role to create snapshot.
         context.can(avs_policies.POLICY_ROOT % 'create', target={})
 
         snapshot = body['snapshot']
@@ -69,6 +74,11 @@ def create(self, req, body):
     def delete(self, req, id):
         """Delete a snapshot."""
         context = req.environ['nova.context']
+        # NOTE(gmann) We pass empty target to policy enforcement. This API
+        # is called by cinder which does not have correct project_id.
+        # By passing the empty target, we make sure that we do not check
+        # the requester project_id and allow users with allowed role to
+        # delete snapshot.
         context.can(avs_policies.POLICY_ROOT % 'delete', target={})
 
         delete_metadata = {}

nova/api/openstack/compute/console_auth_tokens.py

@@ -30,7 +30,7 @@ class ConsoleAuthTokensController(wsgi.Controller):
     def _show(self, req, id, rdp_only):
         """Checks a console auth token and returns the related connect info."""
         context = req.environ['nova.context']
-        context.can(cat_policies.BASE_POLICY_NAME, target={})
+        context.can(cat_policies.BASE_POLICY_NAME)
 
         token = id
         if not token:

nova/api/openstack/compute/limits.py

@@ -78,8 +78,7 @@ def _index(self, req, filtered_limits=None, max_image_meta=True):
         project_id = context.project_id
         if 'tenant_id' in req.GET:
             project_id = req.GET.get('tenant_id')
-            context.can(limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME,
-                        target={'project_id': project_id})
+            context.can(limits_policies.OTHER_PROJECT_LIMIT_POLICY_NAME)
 
         quotas = QUOTAS.get_project_quotas(context, project_id,
                                            usages=True)

nova/api/openstack/compute/migrations.py

@@ -89,7 +89,7 @@ def _index(self, req, add_link=False, next_link=False, add_uuid=False,
                sort_dirs=None, sort_keys=None, limit=None, marker=None,
                allow_changes_since=False, allow_changes_before=False):
         context = req.environ['nova.context']
-        context.can(migrations_policies.POLICY_ROOT % 'index', target={})
+        context.can(migrations_policies.POLICY_ROOT % 'index')
         search_opts = {}
         search_opts.update(req.GET)
         if 'changes-since' in search_opts:

nova/api/openstack/compute/server_external_events.py

@@ -73,6 +73,11 @@ def _get_instances_all_cells(self, context, instance_uuids,
     def create(self, req, body):
         """Creates a new instance event."""
         context = req.environ['nova.context']
+        # NOTE(gmann) We pass empty target to policy enforcement. This API
+        # is called by neutron which does not have correct project_id where
+        # server belongs to. By passing the empty target, we make sure that
+        # we do not check the requester project_id and allow users with
+        # allowed role to create external event.
         context.can(see_policies.POLICY_ROOT % 'create', target={})
 
         response_events = []

nova/policies/assisted_volume_snapshots.py

@@ -24,26 +24,40 @@
 assisted_volume_snapshots_policies = [
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'create',
-        check_str=base.SYSTEM_ADMIN,
+        # TODO(gmann): This is internal API policy and called by
+        # cinder. Add 'service' role in this policy so that cinder
+        # can call it with user having 'service' role (not having
+        # correct project_id). That is for phase-2 of RBAC goal and until
+        # then, we keep it open for all admin in any project. We cannot
+        # default it to PROJECT_ADMIN which has the project_id in
+        # check_str and will fail if cinder call it with other project_id.
+        check_str=base.ADMIN,
         description="Create an assisted volume snapshot",
         operations=[
             {
                 'path': '/os-assisted-volume-snapshots',
                 'method': 'POST'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str=base.SYSTEM_ADMIN,
+        # TODO(gmann): This is internal API policy and called by
+        # cinder. Add 'service' role in this policy so that cinder
+        # can call it with user having 'service' role (not having
+        # correct project_id). That is for phase-2 of RBAC goal and until
+        # then, we keep it open for all admin in any project. We cannot
+        # default it to PROJECT_ADMIN which has the project_id in
+        # check_str and will fail if cinder call it with other project_id.
+        check_str=base.ADMIN,
         description="Delete an assisted volume snapshot",
         operations=[
             {
                 'path': '/os-assisted-volume-snapshots/{snapshot_id}',
                 'method': 'DELETE'
             }
         ],
-        scope_types=['system']),
+        scope_types=['project']),
 ]
 
 

nova/policies/console_auth_tokens.py

@@ -24,7 +24,7 @@
 console_auth_tokens_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.SYSTEM_READER,
+        check_str=base.PROJECT_ADMIN,
         description="Show console connection information for a given console "
         "authentication token",
         operations=[
@@ -33,7 +33,7 @@
                 'path': '/os-console-auth-tokens/{console_token}'
             }
         ],
-        scope_types=['system'])
+        scope_types=['project'])
 ]
 
 

nova/policies/console_output.py

@@ -24,15 +24,15 @@
 console_output_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description='Show console output for a server',
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (os-getConsoleOutput)'
             }
         ],
-        scope_types=['system', 'project'])
+        scope_types=['project'])
 ]
 
 

nova/policies/create_backup.py

@@ -24,15 +24,15 @@
 create_backup_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME,
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description='Create a back up of a server',
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (createBackup)'
             }
         ],
-        scope_types=['system', 'project'])
+        scope_types=['project'])
 ]
 
 

nova/policies/deferred_delete.py

@@ -36,27 +36,27 @@
 deferred_delete_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'restore',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Restore a soft deleted server",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (restore)'
             },
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'force',
-        check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN,
+        check_str=base.PROJECT_MEMBER,
         description="Force delete a server before deferred cleanup",
         operations=[
             {
                 'method': 'POST',
                 'path': '/servers/{server_id}/action (forceDelete)'
             }
         ],
-        scope_types=['system', 'project'],
+        scope_types=['project'],
         deprecated_rule=DEPRECATED_POLICY)
 ]