Merge "Fix artifical rbac policy constraint that resulted in 500s"

2024-03-17 21:33:45 +00:00 · 2024-03-17 21:33:45 +00:00 · 0237392002
commit 0237392002
parent 10785a0550 c6a4005049
3 changed files with 22 additions and 14 deletions
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@ -1638,7 +1638,7 @@ conductor_policies = [
    policy.DocumentedRuleDefault(
        name='baremetal:conductor:get',
        check_str=SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=['system', 'project'],
        description='Retrieve Conductor records',
        operations=[
            {'path': '/conductors', 'method': 'GET'},
@ -1839,7 +1839,7 @@ deploy_template_policies = [
    policy.DocumentedRuleDefault(
        name='baremetal:deploy_template:get',
        check_str=SYSTEM_READER,
-        scope_types=['system'],
+        scope_types=['system', 'project'],
        description='Retrieve Deploy Template records',
        operations=[
            {'path': '/deploy_templates', 'method': 'GET'},
@ -1851,7 +1851,7 @@ deploy_template_policies = [
    policy.DocumentedRuleDefault(
        name='baremetal:deploy_template:create',
        check_str=SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=['system', 'project'],
        description='Create Deploy Template records',
        operations=[{'path': '/deploy_templates', 'method': 'POST'}],
        deprecated_rule=deprecated_deploy_template_create
@ -1859,7 +1859,7 @@ deploy_template_policies = [
    policy.DocumentedRuleDefault(
        name='baremetal:deploy_template:delete',
        check_str=SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=['system', 'project'],
        description='Delete Deploy Template records',
        operations=[
            {'path': '/deploy_templates/{deploy_template_ident}',
@ -1870,7 +1870,7 @@ deploy_template_policies = [
    policy.DocumentedRuleDefault(
        name='baremetal:deploy_template:update',
        check_str=SYSTEM_ADMIN,
-        scope_types=['system'],
+        scope_types=['system', 'project'],
        description='Update Deploy Template records',
        operations=[
            {'path': '/deploy_templates/{deploy_template_ident}',
--- a/ironic/tests/unit/api/test_rbac_project_scoped.yaml
+++ b/ironic/tests/unit/api/test_rbac_project_scoped.yaml
@ -3383,19 +3383,19 @@ owner_reader_cannot_get_conductors:
  path: '/v1/conductors'
  method: get
  headers: *owner_reader_headers
-  assert_status: 500
+  assert_status: 403

 lessee_reader_cannot_get_conductors:
  path: '/v1/conductors'
  method: get
  headers: *lessee_reader_headers
-  assert_status: 500
+  assert_status: 403

 third_party_admin_cannot_get_conductors:
  path: '/v1/conductors'
  method: get
  headers: *third_party_admin_headers
-  assert_status: 500
+  assert_status: 403

 # Allocations - https://docs.openstack.org/api-ref/baremetal/#allocations-allocations

@ -3631,19 +3631,19 @@ owner_reader_cannot_get_deploy_templates:
  path: '/v1/deploy_templates'
  method: get
  headers: *owner_reader_headers
-  assert_status: 500
+  assert_status: 403

 lessee_reader_cannot_get_deploy_templates:
  path: '/v1/deploy_templates'
  method: get
  headers: *lessee_reader_headers
-  assert_status: 500
+  assert_status: 403

 third_party_admin_cannot_get_deploy_templates:
  path: '/v1/deploy_templates'
  method: get
  headers: *third_party_admin_headers
-  assert_status: 500
+  assert_status: 403

 third_party_admin_cannot_post_deploy_template:
  path: '/v1/deploy_templates'
@ -3656,20 +3656,20 @@ third_party_admin_cannot_post_deploy_template:
        args: {}
        priority: 0
  headers: *third_party_admin_headers
-  assert_status: 500
+  assert_status: 403

 service_cannot_get_deploy_templates:
  path: '/v1/deploy_templates'
  method: get
  headers: *service_headers
-  assert_status: 500
+  assert_status: 403

 service_cannot_post_deploy_template:
  path: '/v1/deploy_templates'
  method: post
  body: *deploy_template
  headers: *service_headers
-  assert_status: 500
+  assert_status: 403

 # Chassis endpoints - https://docs.openstack.org/api-ref/baremetal/#chassis-chassis

--- a/releasenotes/notes/address-rbac-originating-500-errors-4b54977631a015d9.yaml
+++ b/releasenotes/notes/address-rbac-originating-500-errors-4b54977631a015d9.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Some of Ironic's API endpoints, when the new RBAC policy is being enforced,
+    were previously emitting *500* error codes when insufficent access rights were
+    being used, specifically because the policy required ``system`` scope. This
+    has been corrected, and the endpoints should now properly signal a *403* error
+    code if insufficient access rights are present for an authenticated requestor.