openstack/aodh
Code Issues Proposed changes

Isolate project scope and system scope

Browse Source 
This change updates the default policies implemented in Heat, to follow
the updated guideline[1] to implement SRBAC.

The main change is that system users are no longer allowed to perform
any operations about project-level resources like alarms, while project
admin(*1) is still allowed to perform operations about project-level
resources BEYOND project (like getting alarms for all projects)

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change

Change-Id: I0a59e3f892aff306e47812b69dbf82066411a542
This commit is contained in:
Takashi Kajinami 2024-07-18 01:09:01 +09:00
parent f43e903117
commit 807e65e352
2 changed files with 33 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
aodh/api/policies.py
View File

@ -22,24 +22,10 @@ RULE_ADMIN_OR_OWNER = 'rule:context_is_admin or project_id:%(project_id)s'
UNPROTECTED = ''
# Constants that represent common personas.
SYSTEM_ADMIN = 'role:admin and system_scope:all'
SYSTEM_READER = 'role:reader and system_scope:all'
PROJECT_ADMIN = 'role:admin and project_id:%(project_id)s'
PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
PROJECT_READER = 'role:reader and project_id:%(project_id)s'
# Composite check strings built using the personas defined above, where a
# particular API is designed to work with multiple scopes. For example,
# listing alarms for all projects (system-scope) or listing alarms for a single
# project (project-scope).
SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
'(' + SYSTEM_ADMIN + ')'
' or (' + PROJECT_MEMBER + ')'
)
SYSTEM_OR_PROJECT_READER = (
'(' + SYSTEM_READER + ')'
' or (' + PROJECT_READER + ')'
)
DEPRECATED_REASON = """
The alarm and quota APIs now support system-scope and default roles.
"""
@ -153,8 +139,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:get_alarm",
check_str=SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
check_str=PROJECT_READER,
scope_types=['project'],
description='Get an alarm.',
operations=[
{
@ -167,8 +153,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:get_alarms",
check_str=SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
check_str=PROJECT_READER,
scope_types=['project'],
description='Get all alarms, based on the query provided.',
operations=[
{
@ -180,8 +166,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:get_alarms:all_projects",
check_str=SYSTEM_READER,
scope_types=['system', 'project'],
check_str=PROJECT_ADMIN,
scope_types=['project'],
description='Get alarms of all projects.',
operations=[
{
@ -193,8 +179,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:query_alarm",
check_str=SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
check_str=PROJECT_READER,
scope_types=['project'],
description='Get all alarms, based on the query provided.',
operations=[
{
@ -206,8 +192,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:create_alarm",
check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
check_str=PROJECT_MEMBER,
scope_types=['project'],
description='Create a new alarm.',
operations=[
{
@ -219,8 +205,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:change_alarm",
check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
check_str=PROJECT_MEMBER,
scope_types=['project'],
description='Modify this alarm.',
operations=[
{
@ -232,8 +218,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:delete_alarm",
check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
check_str=PROJECT_MEMBER,
scope_types=['project'],
description='Delete this alarm.',
operations=[
{
@ -245,8 +231,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:get_alarm_state",
check_str=SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
check_str=PROJECT_READER,
scope_types=['project'],
description='Get the state of this alarm.',
operations=[
{
@ -258,8 +244,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:change_alarm_state",
check_str=SYSTEM_ADMIN_OR_PROJECT_MEMBER,
scope_types=['system', 'project'],
check_str=PROJECT_MEMBER,
scope_types=['project'],
description='Set the state of this alarm.',
operations=[
{
@ -271,8 +257,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:alarm_history",
check_str=SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
check_str=PROJECT_READER,
scope_types=['project'],
description='Assembles the alarm history requested.',
operations=[
{
@ -284,8 +270,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:query_alarm_history",
check_str=SYSTEM_OR_PROJECT_READER,
scope_types=['system', 'project'],
check_str=PROJECT_READER,
scope_types=['project'],
description='Define query for retrieving AlarmChange data.',
operations=[
{
@ -297,8 +283,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:update_quotas",
check_str=SYSTEM_ADMIN,
scope_types=['system'],
check_str=PROJECT_ADMIN,
scope_types=['project'],
description='Update resources quotas for project.',
operations=[
{
@ -310,8 +296,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name="telemetry:delete_quotas",
check_str=SYSTEM_ADMIN,
scope_types=['system'],
check_str=PROJECT_ADMIN,
scope_types=['project'],
description='Delete resources quotas for project.',
operations=[
{

6
releasenotes/notes/policy-defaults-refresh-95b565bee059f611.yaml Normal file
View File

@ -0,0 +1,6 @@
---
features:
- |
Aodh policies have been modified to isolate the system and project level
APIs policy. Because of this change, system users will not be allowed to
perform any operations on project level resources.