From 27a889854021d20c15b3eaa309d6d8a3b33cb737 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Wed, 18 Nov 2020 22:01:53 +0000 Subject: [PATCH] Implement system scoped RBAC for the deploy templates APIs This commit updates the baremetal deploy template policies to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security. Change-Id: I1d1d1bdae0171c44e122018a8a83b35dbb093c39 --- ironic/common/policy.py | 87 ++++++++++++++----- ironic/tests/unit/api/test_rbac_legacy.yaml | 15 ++++ .../unit/api/test_rbac_system_scoped.yaml | 19 +--- ...coped-authentication-28e3651de250bea8.yaml | 3 +- 4 files changed, 86 insertions(+), 38 deletions(-) diff --git a/ironic/common/policy.py b/ironic/common/policy.py index 67a01bd1c2..57722f6fbb 100644 --- a/ironic/common/policy.py +++ b/ironic/common/policy.py 
@@ -1316,31 +1316,78 @@ event_policies = [ ] +deprecated_deploy_template_get = policy.DeprecatedRule( + name='baremetal:deploy_template:get', + check_str='rule:is_admin or rule:is_observer' +) +deprecated_deploy_template_create = policy.DeprecatedRule( + name='baremetal:deploy_template:create', + check_str='rule:is_admin' +) +deprecated_deploy_template_delete = policy.DeprecatedRule( + name='baremetal:deploy_template:delete', + check_str='rule:is_admin' +) +deprecated_deploy_template_update = policy.DeprecatedRule( + name='baremetal:deploy_template:update', + check_str='rule:is_admin' +) +deprecated_template_reason = """ +The baremetal deploy template API is now aware of system scope and +default roles. +""" + deploy_template_policies = [ policy.DocumentedRuleDefault( - 'baremetal:deploy_template:get', - 'rule:is_admin or rule:is_observer', - 'Retrieve Deploy Template records', - [{'path': '/deploy_templates', 'method': 'GET'}, - {'path': '/deploy_templates/{deploy_template_ident}', - 'method': 'GET'}]), + name='baremetal:deploy_template:get', + check_str=SYSTEM_READER, + scope_types=['system'], + description='Retrieve Deploy Template records', + operations=[ + {'path': '/deploy_templates', 'method': 'GET'}, + {'path': '/deploy_templates/{deploy_template_ident}', + 'method': 'GET'} + ], + deprecated_rule=deprecated_deploy_template_get, + deprecated_reason=deprecated_template_reason, + deprecated_since=versionutils.deprecated.WALLABY + ), policy.DocumentedRuleDefault( - 'baremetal:deploy_template:create', - 'rule:is_admin', - 'Create Deploy Template records', - [{'path': '/deploy_templates', 'method': 'POST'}]), + name='baremetal:deploy_template:create', + check_str=SYSTEM_ADMIN, + scope_types=['system'], + description='Create Deploy Template records', + operations=[{'path': '/deploy_templates', 'method': 'POST'}], + deprecated_rule=deprecated_deploy_template_create, + deprecated_reason=deprecated_template_reason, + deprecated_since=versionutils.deprecated.WALLABY + 
), policy.DocumentedRuleDefault( - 'baremetal:deploy_template:delete', - 'rule:is_admin', - 'Delete Deploy Template records', - [{'path': '/deploy_templates/{deploy_template_ident}', - 'method': 'DELETE'}]), + name='baremetal:deploy_template:delete', + check_str=SYSTEM_ADMIN, + scope_types=['system'], + description='Delete Deploy Template records', + operations=[ + {'path': '/deploy_templates/{deploy_template_ident}', + 'method': 'DELETE'} + ], + deprecated_rule=deprecated_deploy_template_delete, + deprecated_reason=deprecated_template_reason, + deprecated_since=versionutils.deprecated.WALLABY + ), policy.DocumentedRuleDefault( - 'baremetal:deploy_template:update', - 'rule:is_admin', - 'Update Deploy Template records', - [{'path': '/deploy_templates/{deploy_template_ident}', - 'method': 'PATCH'}]), + name='baremetal:deploy_template:update', + check_str=SYSTEM_ADMIN, + scope_types=['system'], + description='Update Deploy Template records', + operations=[ + {'path': '/deploy_templates/{deploy_template_ident}', + 'method': 'PATCH'} + ], + deprecated_rule=deprecated_deploy_template_update, + deprecated_reason=deprecated_template_reason, + deprecated_since=versionutils.deprecated.WALLABY + ), ] diff --git a/ironic/tests/unit/api/test_rbac_legacy.yaml b/ironic/tests/unit/api/test_rbac_legacy.yaml index 2ec4942105..5f4009b387 100644 --- a/ironic/tests/unit/api/test_rbac_legacy.yaml +++ b/ironic/tests/unit/api/test_rbac_legacy.yaml @@ -2053,6 +2053,7 @@ deploy_templates_post_admin: priority: 0 headers: *admin_headers assert_status: 201 + deprecated: true deploy_templates_post_member: path: '/v1/deploy_templates' @@ -2060,6 +2061,7 @@ deploy_templates_post_member: body: *deploy_template_body headers: *member_headers assert_status: 403 + deprecated: true deploy_templates_post_observer: path: '/v1/deploy_templates' 
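Review bot: The `deprecated_rule`/`deprecated_reason`/`deprecated_since` triple on each `DocumentedRuleDefault` leaves the old check strings in force: oslo.policy keeps a deprecated rule's `check_str` OR'd with the new default until the operator sets `[oslo_policy] enforce_new_defaults`, so `rule:is_admin or rule:is_observer` still grants GET and `rule:is_admin` still grants POST/PATCH/DELETE alongside `SYSTEM_READER`/`SYSTEM_ADMIN`. Nothing in the hunk records that transitional behaviour; a comment above `deprecated_deploy_template_get` such as `# Legacy check strings kept OR'd with the scoped defaults by oslo.policy until enforce_new_defaults is enabled.` would make it explicit for whoever later removes the deprecated rules. Separately, `deprecated_template_reason` starts and ends with a newline because of the triple-quote layout, which presumably leaks into the rendered deprecation warning; `deprecated_template_reason = ("The baremetal deploy template API is now aware of system scope and " "default roles.")` avoids that, unless the rest of policy.py (outside this hunk) already writes its reasons this way, in which case keep it for consistency.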
@@ -2067,42 +2069,49 @@ deploy_templates_post_observer: body: *deploy_template_body headers: *observer_headers assert_status: 403 + deprecated: true deploy_templates_get_admin: path: '/v1/deploy_templates' method: get headers: *admin_headers assert_status: 200 + deprecated: true deploy_templates_get_member: path: '/v1/deploy_templates' method: get headers: *member_headers assert_status: 403 + deprecated: true deploy_templates_get_observer: path: '/v1/deploy_templates' method: get headers: *observer_headers assert_status: 200 + deprecated: true deploy_templates_deploy_template_id_get_admin: path: '/v1/deploy_templates/{deploy_template_ident}' method: get headers: *admin_headers assert_status: 200 + deprecated: true deploy_templates_deploy_template_id_get_member: path: '/v1/deploy_templates/{deploy_template_ident}' method: get headers: *member_headers assert_status: 403 + deprecated: true deploy_templates_deploy_template_id_get_observer: path: '/v1/deploy_templates/{deploy_template_ident}' method: get headers: *observer_headers assert_status: 200 + deprecated: true deploy_templates_deploy_template_id_patch_admin: path: '/v1/deploy_templates/{deploy_template_ident}' @@ -2113,6 +2122,7 @@ deploy_templates_deploy_template_id_patch_admin: value: 'CUSTOM_MAGIC' headers: *admin_headers assert_status: 200 + deprecated: true deploy_templates_deploy_template_id_patch_member: path: '/v1/deploy_templates/{deploy_template_ident}' @@ -2120,6 +2130,7 @@ deploy_templates_deploy_template_id_patch_member: body: *template_patch headers: *member_headers assert_status: 403 + deprecated: true deploy_templates_deploy_template_id_patch_observer: path: '/v1/deploy_templates/{deploy_template_ident}' 
@@ -2127,24 +2138,28 @@ deploy_templates_deploy_template_id_patch_observer: body: *template_patch headers: *observer_headers assert_status: 403 + deprecated: true deploy_templates_deploy_template_id_delete_admin: path: '/v1/deploy_templates/{deploy_template_ident}' method: delete headers: *admin_headers assert_status: 204 + deprecated: true deploy_templates_deploy_template_id_delete_member: path: '/v1/deploy_templates/{deploy_template_ident}' method: delete headers: *member_headers assert_status: 403 + deprecated: true deploy_templates_deploy_template_id_delete_observer: path: '/v1/deploy_templates/{deploy_template_ident}' method: delete headers: *observer_headers assert_status: 403 + deprecated: true # Chassis endpoints - https://docs.openstack.org/api-ref/baremetal/#chassis-chassis diff --git a/ironic/tests/unit/api/test_rbac_system_scoped.yaml b/ironic/tests/unit/api/test_rbac_system_scoped.yaml index e03902ec17..df36fb66a5 100644 --- a/ironic/tests/unit/api/test_rbac_system_scoped.yaml +++ b/ironic/tests/unit/api/test_rbac_system_scoped.yaml @@ -1794,7 +1794,6 @@ deploy_templates_post_admin: priority: 0 headers: *admin_headers assert_status: 201 - skip_reason: not updated for scope testing deploy_templates_post_member: path: '/v1/deploy_templates' @@ -1802,7 +1801,6 @@ deploy_templates_post_member: body: *deploy_template_body headers: *scoped_member_headers assert_status: 403 - skip_reason: not updated for scope testing deploy_templates_post_observer: path: '/v1/deploy_templates' 
@@ -1810,49 +1808,42 @@ deploy_templates_post_observer: body: *deploy_template_body headers: *observer_headers assert_status: 403 - skip_reason: not updated for scope testing deploy_templates_get_admin: path: '/v1/deploy_templates' method: get headers: *admin_headers assert_status: 200 - skip_reason: not updated for scope testing deploy_templates_get_member: path: '/v1/deploy_templates' method: get headers: *scoped_member_headers - assert_status: 403 - skip_reason: not updated for scope testing + assert_status: 200 deploy_templates_get_observer: path: '/v1/deploy_templates' method: get headers: *observer_headers assert_status: 200 - skip_reason: not updated for scope testing deploy_templates_deploy_template_id_get_admin: path: '/v1/deploy_templates/{deploy_template_ident}' method: get headers: *admin_headers assert_status: 200 - skip_reason: not updated for scope testing deploy_templates_deploy_template_id_get_member: path: '/v1/deploy_templates/{deploy_template_ident}' method: get headers: *scoped_member_headers - assert_status: 403 - skip_reason: not updated for scope testing + assert_status: 200 deploy_templates_deploy_template_id_get_observer: path: '/v1/deploy_templates/{deploy_template_ident}' method: get headers: *observer_headers assert_status: 200 - skip_reason: not updated for scope testing deploy_templates_deploy_template_id_patch_admin: path: '/v1/deploy_templates/{deploy_template_ident}' @@ -1863,7 +1854,6 @@ deploy_templates_deploy_template_id_patch_admin: value: 'CUSTOM_MAGIC' headers: *admin_headers assert_status: 200 - skip_reason: not updated for scope testing deploy_templates_deploy_template_id_patch_member: path: '/v1/deploy_templates/{deploy_template_ident}' 
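Review bot: The member GET entries (`deploy_templates_get_member`, `deploy_templates_deploy_template_id_get_member`) now expect 200, which presumably relies on `*scoped_member_headers` carrying a system-scoped token whose `member` role implies `reader`; the anchor is defined outside this hunk, so that cannot be confirmed here. The admin and observer entries keep the `*admin_headers`/`*observer_headers` anchors, and their 200/403 results would also be satisfied by the deprecated `rule:is_admin or rule:is_observer` check that oslo.policy keeps OR'd in until `enforce_new_defaults` is set, so only the member entries actually exercise `SYSTEM_READER` on the read path. A one-line comment on the member entries, `# member implies reader under system scope, so read access is granted`, would record why the expectation changed from 403.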
@@ -1871,7 +1861,6 @@ deploy_templates_deploy_template_id_patch_member: body: *template_patch headers: *scoped_member_headers assert_status: 403 - skip_reason: not updated for scope testing deploy_templates_deploy_template_id_patch_observer: path: '/v1/deploy_templates/{deploy_template_ident}' @@ -1879,28 +1868,24 @@ deploy_templates_deploy_template_id_patch_observer: body: *template_patch headers: *observer_headers assert_status: 403 - skip_reason: not updated for scope testing deploy_templates_deploy_template_id_delete_admin: path: '/v1/deploy_templates/{deploy_template_ident}' method: delete headers: *admin_headers assert_status: 204 - skip_reason: not updated for scope testing deploy_templates_deploy_template_id_delete_member: path: '/v1/deploy_templates/{deploy_template_ident}' method: delete headers: *scoped_member_headers assert_status: 403 - skip_reason: not updated for scope testing deploy_templates_deploy_template_id_delete_observer: path: '/v1/deploy_templates/{deploy_template_ident}' method: delete headers: *observer_headers assert_status: 403 - skip_reason: not updated for scope testing # Chassis endpoints - https://docs.openstack.org/api-ref/baremetal/#chassis-chassis diff --git a/releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml b/releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml index 76f16ac161..9301183f85 100644 --- a/releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml +++ b/releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml 
@@ -4,7 +4,8 @@ features: The Baremetal API, provided by the ironic-api process, now supports use of ``system`` scoped ``keystone`` authentication for the following endpoints: nodes, ports, portgroups, chassis, drivers, driver vendor passthru, - volume targets, volume connectors, conductors, allocations, events + volume targets, volume connectors, conductors, allocations, events, + deploy templates upgrade: - | Deprecated policy rules are not expressed via a default policy file