From 710e9105e1418616781ee3f8e3912684984cea44 Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Tue, 28 Feb 2023 02:54:52 -0500
Subject: [PATCH] Fix Octavia policies

* switch system scope policies to project scope
* the legacy admin is still an admin

Based on the governance goal document [0]

[0] https://governance.openstack.org/tc/goals/selected/\
consistent-and-secure-rbac.html

Change-Id: I43529ef6cba7febe44e11afb644d312b8ca26c81
---
 octavia/policies/base.py | 31 +++++++++----------
 ...fix-octavia-policies-8f3cb690f1fa4556.yaml | 6 ++++
 2 files changed, 21 insertions(+), 16 deletions(-)
 create mode 100644 releasenotes/notes/fix-octavia-policies-8f3cb690f1fa4556.yaml

diff --git a/octavia/policies/base.py b/octavia/policies/base.py
index 9998e1098c..efaba9080f 100644
--- a/octavia/policies/base.py
+++ b/octavia/policies/base.py
@@ -46,14 +46,14 @@ rules = [
 name='system-admin',
 check_str='role:admin and '
 'system_scope:all',
- scope_types=[constants.RBAC_SCOPE_SYSTEM]),
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
 # System scoped Reader
 policy.RuleDefault(
 name='system-reader',
 check_str='role:reader and '
 'system_scope:all',
- scope_types=[constants.RBAC_SCOPE_SYSTEM]),
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
 # Project scoped Member
 policy.RuleDefault(
@@ -91,9 +91,10 @@ rules = [
 policy.RuleDefault(
 name='context_is_admin',
 check_str='role:load-balancer_admin or '
- 'rule:system-admin',
+ 'rule:system-admin or '
+ 'role:admin',
 deprecated_rule=deprecated_context_is_admin,
- scope_types=[constants.RBAC_SCOPE_SYSTEM]),
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
 # Note: 'is_admin:True' is a policy rule that takes into account the
 # auth_strategy == noauth configuration setting.
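Review bot: After this hunk the `system-admin` and `system-reader` rules are declared project-scoped while their check_str still requires `system_scope:all`, an attribute a project-scoped token never carries, so with scope enforcement on neither rule can match and every later `rule:system-admin` / `rule:system-reader` alternative becomes a dead condition; with enforcement off a system-scoped token can presumably still satisfy them, so the rules now only serve legacy system-scoped callers. Either drop the `system_scope:all` condition deliberately and document that the rule names are historical, or attach a `deprecated_rule` the way `context_is_admin` does, so the transition shows up in policy-generator output instead of silently changing who passes. At minimum add a comment above each rule, e.g. `# Historical system-scope rule: only satisfiable by legacy system-scoped tokens while scope enforcement is off`. The same scope_types swap without a matching check_str change recurs at -116 (`load-balancer:global_observer`, which still references `rule:system-reader`).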
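Review bot: The `role:admin` alternative added to `context_is_admin` is matched with no project or scope qualifier, so a token holding the legacy `admin` role on any project is treated as a global load-balancer admin; that is the commit's stated intent, but nothing at the rule says so, and the `deprecated_context_is_admin` definition is outside the hunk, so a reader cannot tell whether the deprecation warning still describes the pre-change check. Add a comment above the check_str, e.g. `# Legacy 'admin' role keeps full admin rights (consistent-and-secure-rbac goal)`, and confirm `deprecated_context_is_admin` carries the old check_str so the warning reflects the real transition. The same un-commented `role:admin` addition appears in `load-balancer:admin` at -131.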
@@ -116,7 +117,7 @@ rules = [
 name='load-balancer:global_observer',
 check_str='role:load-balancer_global_observer or '
 'rule:system-reader',
- scope_types=[constants.RBAC_SCOPE_SYSTEM]),
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
 policy.RuleDefault(
 name='load-balancer:member_and_owner',
@@ -131,8 +132,9 @@ rules = [
 name='load-balancer:admin',
 check_str='is_admin:True or '
 'role:load-balancer_admin or '
- 'rule:system-admin',
- scope_types=[constants.RBAC_SCOPE_SYSTEM]),
+ 'rule:system-admin or '
+ 'role:admin',
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
 policy.RuleDefault(
 name='load-balancer:read',
@@ -140,21 +142,19 @@ rules = [
 'rule:load-balancer:global_observer or '
 'rule:load-balancer:member_and_owner or '
 'rule:load-balancer:admin',
- scope_types=[constants.RBAC_SCOPE_PROJECT,
- constants.RBAC_SCOPE_SYSTEM]),
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
 policy.RuleDefault(
 name='load-balancer:read-global',
 check_str='rule:load-balancer:global_observer or '
 'rule:load-balancer:admin',
- scope_types=[constants.RBAC_SCOPE_SYSTEM]),
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
 policy.RuleDefault(
 name='load-balancer:write',
 check_str='rule:load-balancer:member_and_owner or '
 'rule:load-balancer:admin',
- scope_types=[constants.RBAC_SCOPE_PROJECT,
- constants.RBAC_SCOPE_SYSTEM]),
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
 policy.RuleDefault(
 name='load-balancer:read-quota',
@@ -163,21 +163,20 @@ rules = [
 'rule:load-balancer:member_and_owner or '
 'role:load-balancer_quota_admin or '
 'rule:load-balancer:admin',
- scope_types=[constants.RBAC_SCOPE_PROJECT,
- constants.RBAC_SCOPE_SYSTEM]),
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
 policy.RuleDefault(
 name='load-balancer:read-quota-global',
 check_str='rule:load-balancer:global_observer or '
 'role:load-balancer_quota_admin or '
 'rule:load-balancer:admin',
- scope_types=[constants.RBAC_SCOPE_SYSTEM]),
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 
 policy.RuleDefault(
 name='load-balancer:write-quota',
 check_str='role:load-balancer_quota_admin or '
 'rule:load-balancer:admin',
- scope_types=[constants.RBAC_SCOPE_SYSTEM]),
+ scope_types=[constants.RBAC_SCOPE_PROJECT]),
 ]
diff --git a/releasenotes/notes/fix-octavia-policies-8f3cb690f1fa4556.yaml b/releasenotes/notes/fix-octavia-policies-8f3cb690f1fa4556.yaml
new file mode 100644
index 0000000000..b571dfb75c
--- /dev/null
+++ b/releasenotes/notes/fix-octavia-policies-8f3cb690f1fa4556.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixed the policy of the legacy `admin` role, it is still an admin with sRBAC.
+ - |
+ Removed system scope policies, all the policies are now project scoped.