openstack/placement
Code Issues Proposed changes

Implement secure RBAC for reshaper

Browse Source 
This commit updates the policies for the resource classes in placement to
support read-only roles.

This is part of a broader community effort to support read-only roles
and implement secure, consistent default policies.

Change-Id: Ifeb5ae29d9d637708cd5c0bc62a2abfcbac3ca6e
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
This commit is contained in:
Stephen Finucane
2021-02-10 10:37:55 +00:00
parent 6805790dda
commit 94279af1e1
3 changed files with 274 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
placement/policies/reshaper.py
View File

@@ -11,6 +11,7 @@
# under the License. # under the License.
from oslo_log import versionutils
from oslo_policy import policy from oslo_policy import policy
from placement.policies import base from placement.policies import base
@@ -19,10 +20,19 @@ from placement.policies import base
PREFIX = 'placement:reshaper:%s' PREFIX = 'placement:reshaper:%s'
RESHAPE = PREFIX % 'reshape' RESHAPE = PREFIX % 'reshape'
deprecated_reshape = policy.DeprecatedRule(
name=RESHAPE,
check_str=base.RULE_ADMIN_API,
)
DEPRECATED_REASON = """
The reshape API now supports scoped rule by default.
"""
rules = [ rules = [
policy.DocumentedRuleDefault( policy.DocumentedRuleDefault(
RESHAPE, RESHAPE,
base.RULE_ADMIN_API, base.SYSTEM_ADMIN,
"Reshape Inventory and Allocations.", "Reshape Inventory and Allocations.",
[ [
{ {
@@ -30,7 +40,11 @@ rules = [
'path': '/reshaper' 'path': '/reshaper'
} }
], ],
scope_types=['system']), scope_types=['system'],
deprecated_rule=deprecated_reshape,
deprecated_reason=DEPRECATED_REASON,
deprecated_since=versionutils.deprecated.WALLABY,
),
] ]

90
placement/tests/functional/gabbits/reshaper-legacy-rbac.yaml Normal file
View File

@@ -0,0 +1,90 @@
---
fixtures:
- LegacyRBACPolicyFixture
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &project_admin_headers
x-auth-token: user
x-roles: admin,member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_member_headers
x-auth-token: user
x-roles: member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
tests:
- name: create parent resource provider
POST: /resource_providers
request_headers: *project_admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 200
- name: create inventory for the parent resource provider
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *project_admin_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 201
- name: create a child provider
POST: /resource_providers
request_headers: *project_admin_headers
data:
uuid: 04914444-41ae-4ff3-ab56-ded01552cd1e
name: 636f2798-9599-4371-a3ed-e7b2128aef97
parent_provider_uuid: $ENVIRON['RP_UUID']
status: 200
- name: project member cannot reshape
POST: /reshaper
request_headers: *project_member_headers
data:
inventories:
$ENVIRON['RP_UUID']:
resource_provider_generation: 1
inventories: []
04914444-41ae-4ff3-ab56-ded01552cd1e:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
step_size: 10
min_unit: 10
max_unit: 1200
allocations: {}
status: 403
- name: project admin can reshape
POST: /reshaper
request_headers: *project_admin_headers
data:
inventories:
$ENVIRON['RP_UUID']:
resource_provider_generation: 1
inventories: {}
04914444-41ae-4ff3-ab56-ded01552cd1e:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
step_size: 10
min_unit: 10
max_unit: 1200
allocations: {}
status: 204

168
placement/tests/functional/gabbits/reshaper-secure-rbac.yaml Normal file
View File

@@ -0,0 +1,168 @@
---
fixtures:
- SecureRBACPolicyFixture
vars:
- &project_id $ENVIRON['PROJECT_ID']
- &system_admin_headers
x-auth-token: user
x-roles: admin,member,reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &system_reader_headers
x-auth-token: user
x-roles: reader
accept: application/json
content-type: application/json
openstack-api-version: placement latest
openstack-system-scope: all
- &project_admin_headers
x-auth-token: user
x-roles: admin,member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_member_headers
x-auth-token: user
x-roles: member,reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
- &project_reader_headers
x-auth-token: user
x-roles: reader
x-project-id: *project_id
accept: application/json
content-type: application/json
openstack-api-version: placement latest
tests:
- name: create parent resource provider
POST: /resource_providers
request_headers: *system_admin_headers
data:
name: $ENVIRON['RP_NAME']
uuid: $ENVIRON['RP_UUID']
status: 200
- name: create inventory for the parent resource provider
POST: /resource_providers/$ENVIRON['RP_UUID']/inventories
request_headers: *system_admin_headers
data:
resource_class: DISK_GB
total: 2048
reserved: 512
min_unit: 10
max_unit: 1024
step_size: 10
allocation_ratio: 1.0
status: 201
- name: create a child provider
POST: /resource_providers
request_headers: *system_admin_headers
data:
uuid: 04914444-41ae-4ff3-ab56-ded01552cd1e
name: 636f2798-9599-4371-a3ed-e7b2128aef97
parent_provider_uuid: $ENVIRON['RP_UUID']
status: 200
- name: project reader cannot reshape
POST: /reshaper
request_headers: *project_reader_headers
data:
inventories:
$ENVIRON['RP_UUID']:
resource_provider_generation: 1
inventories: []
04914444-41ae-4ff3-ab56-ded01552cd1e:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
step_size: 10
min_unit: 10
max_unit: 1200
allocations: {}
status: 403
- name: project member cannot reshape
POST: /reshaper
request_headers: *project_member_headers
data:
inventories:
$ENVIRON['RP_UUID']:
resource_provider_generation: 1
inventories: []
04914444-41ae-4ff3-ab56-ded01552cd1e:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
step_size: 10
min_unit: 10
max_unit: 1200
allocations: {}
status: 403
- name: project admin cannot reshape
POST: /reshaper
request_headers: *project_admin_headers
data:
inventories:
$ENVIRON['RP_UUID']:
resource_provider_generation: 1
inventories: {}
04914444-41ae-4ff3-ab56-ded01552cd1e:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
step_size: 10
min_unit: 10
max_unit: 1200
allocations: {}
status: 403
- name: system reader cannot reshape
POST: /reshaper
request_headers: *system_reader_headers
data:
inventories:
$ENVIRON['RP_UUID']:
resource_provider_generation: 1
inventories: []
04914444-41ae-4ff3-ab56-ded01552cd1e:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
step_size: 10
min_unit: 10
max_unit: 1200
allocations: {}
status: 403
- name: system admin can reshape
POST: /reshaper
request_headers: *system_admin_headers
data:
inventories:
$ENVIRON['RP_UUID']:
resource_provider_generation: 1
inventories: {}
04914444-41ae-4ff3-ab56-ded01552cd1e:
resource_provider_generation: 0
inventories:
DISK_GB:
total: 2048
step_size: 10
min_unit: 10
max_unit: 1200
allocations: {}
status: 204