From 5dc2ab7bcda39b0eab2da06f346f3a2ca1603e83 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Wed, 20 Dec 2017 16:55:28 +0000 Subject: [PATCH] Add configuration option for enforcing scope A previous patch made it so that oslo.policy's ``enforce()`` method compares the context of the request to the ``scope_types`` of the policy being evaluated: I7fa171d859d82939511f8279e4e9464f792ed2cd After consuming the change across various projects, it became apparent that we would be duplicating configuration options in each project in order for operators to opt into this functionality. This commit adds a new configuration option that is meant to replace the kwarg that was introduced in a previous patch. This will make things more consistent for operators as they fix RBAC across their deployment. It will also make it easier for other OpenStack services to consumes the new scope_types enforcement. bp add-scope-to-policy Change-Id: Ia573b8cac3bf9cee2962790589dea24c7f530ef5 --- oslo_policy/opts.py | 10 ++++++++++ oslo_policy/policy.py | 10 ++-------- oslo_policy/tests/test_policy.py | 2 +- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/oslo_policy/opts.py b/oslo_policy/opts.py index 6fbdcb51..9bd84108 100644 --- a/oslo_policy/opts.py +++ b/oslo_policy/opts.py @@ -25,6 +25,16 @@ from oslo_policy._i18n import _ _option_group = 'oslo_policy' _options = [ + cfg.BoolOpt('enforce_scope', + default=False, + help=_('This option controls whether or not to enforce scope ' + 'when evaluating policies. If ``True``, the scope of ' + 'the token used in the request is compared to the ' + '``scope_types`` of the policy being enforced. If the ' + 'scopes do not match, an ``InvalidScope`` exception ' + 'will be raised. If ``False``, a message will be ' + 'logged informing operators that policies are being ' + 'invoked with mismatching scope.')), cfg.StrOpt('policy_file', default='policy.json', help=_('The file that defines policies.'), 
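Review bot: The help text for the new `enforce_scope` option does not state that its default, `False`, is the permissive setting: a token whose scope is not in the rule's `scope_types` is only reported in the log and, as far as this option is concerned, still proceeds to normal rule evaluation, so declaring `scope_types` on a rule has no enforcement effect until an operator opts in. Because this is the single switch that decides whether scope is a security boundary, I would say so explicitly in the help string, e.g. append `'Operators should set this to ``True`` once their policies declare ``scope_types``; with the default of ``False`` scope mismatches are advisory only.'`. Naming the log level of the mismatch message would also help operators decide what to alert on, though the logging call itself is presumably in policy.py and not visible in this hunk.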
diff --git a/oslo_policy/policy.py b/oslo_policy/policy.py index 821275c4..6a7fc494 100644 --- a/oslo_policy/policy.py +++ b/oslo_policy/policy.py @@ -777,7 +777,7 @@ class Enforcer(object): raise cfg.ConfigFilesNotFoundError((path,)) def enforce(self, rule, target, creds, do_raise=False, exc=None, - enforce_scope=True, *args, **kwargs): + *args, **kwargs): """Checks authorization of a rule against the target and credentials. :param rule: The rule to evaluate. @@ -797,12 +797,6 @@ class Enforcer(object): positional and keyword arguments) will be passed to the exception class. If not specified, :class:`PolicyNotAuthorized` will be used. - :param enforce_scope: A boolean value denoting if an exception should - be raised in the event the operation requires a - different scope from the one in the request (e.g. - using a project-scope token to do something - system-wide). If False, a warning will be logged - with details of the scope failure. :return: ``False`` if the policy does not allow the action and `exc` is not provided; otherwise, returns a value that evaluates to @@ -850,7 +844,7 @@ class Enforcer(object): registered_rule = self.registered_rules.get(rule) if registered_rule and registered_rule.scope_types: if token_scope not in registered_rule.scope_types: - if enforce_scope: + if self.conf.oslo_policy.enforce_scope: raise InvalidScope( rule, registered_rule.scope_types, token_scope ) diff --git a/oslo_policy/tests/test_policy.py b/oslo_policy/tests/test_policy.py index 670f5517..6ff90099 100644 --- a/oslo_policy/tests/test_policy.py +++ b/oslo_policy/tests/test_policy.py 
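Review bot: Dropping `enforce_scope` from the `enforce()` signature silently changes the meaning of existing keyword callers: a call that still passes `enforce_scope=False` now has that keyword captured by `**kwargs`, which per the docstring in this hunk is forwarded to the exception class when the call raises, so it either fails with a `TypeError` from the exception constructor or is ignored while the scope check is now driven by configuration alone. Positional callers, such as the one fixed in the test hunk, shift by one argument with no error at all. A one-release shim at the top of the body would make the transition visible: `if 'enforce_scope' in kwargs: kwargs.pop('enforce_scope'); LOG.warning('The enforce_scope kwarg is ignored; use [oslo_policy] enforce_scope instead')`, assuming the module already has a `LOG` (logging is referred to in the option help but the logger is not visible here). The remainder of `enforce()` lies outside this hunk.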
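Review bot: With the option defaulting to `False`, the comparison at `if token_scope not in registered_rule.scope_types:` changes the authorization result only when the operator has opted in; in a default deployment the non-raising branch, which is outside this hunk, is taken and evaluation continues. That is the intended migration path, but nothing in the function says so, and a future reader may assume `scope_types` is already enforced. I would add a comment above the new conditional: `# Scope mismatches only raise when [oslo_policy] enforce_scope is True; by default they are logged and scope_types is advisory, not a security boundary.` Note also that the whole check is skipped for rules that were never registered or that declare no `scope_types`, which is worth a word in the same comment.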
@@ -742,7 +742,7 @@ class CheckFunctionTestCase(base.PolicyBaseTestCase): creds = {} exc = self.assertRaises( MyException, self.enforcer.enforce, 'rule', 'target', creds, - True, MyException, False, 'arg1', 'arg2', kw1='kwarg1', + True, MyException, 'arg1', 'arg2', kw1='kwarg1', kw2='kwarg2') self.assertEqual(('arg1', 'arg2'), exc.args) self.assertEqual(dict(kw1='kwarg1', kw2='kwarg2'), exc.kwargs)
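Review bot: The only test change here adapts an existing call to the dropped positional argument; nothing exercises the new `[oslo_policy] enforce_scope` option in either state. Since this option decides whether a scope mismatch raises `InvalidScope` or is merely logged, I would add two tests beside this one: register a rule with `scope_types`, call `enforce()` with a credential of a different scope, and assert `InvalidScope` is raised after overriding the option to `True` (e.g. `self.conf.set_override('enforce_scope', True, group='oslo_policy')`, assuming the base class exposes the config fixture used elsewhere in this file), and that no exception is raised with the default. Without them a regression that flips the default or inverts the check would still pass this suite. The enclosing test method starts before the hunk.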