diff options
author | Zuul <zuul@review.opendev.org> | 2023-05-04 00:35:34 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2023-05-04 00:35:34 +0000 |
commit | 4d531e513e714d60ebce4e11fe3b9a538fb525a1 (patch) | |
tree | 7962c6de06c8679a3ac45737ec2a2ed9e1ba001c | |
parent | 084c8a32f5abddc6ad6ebfeb804cefc504928b45 (diff) | |
parent | 84625bedfb5b4aab053d69192c2dfbb42bdf9dd2 (diff) | |
download | glance-4d531e513e714d60ebce4e11fe3b9a538fb525a1.tar.gz |
Merge "Allow easier admin override in policies"
-rw-r--r-- | glance/policies/base.py | 20 | ||||
-rw-r--r-- | glance/policies/discovery.py | 2 | ||||
-rw-r--r-- | glance/policies/image.py | 8 | ||||
-rw-r--r-- | glance/policies/metadef.py | 3 | ||||
-rw-r--r-- | glance/policies/tasks.py | 2 | ||||
-rw-r--r-- | glance/tests/unit/test_policy.py | 6 |
6 files changed, 22 insertions, 19 deletions
diff --git a/glance/policies/base.py b/glance/policies/base.py index 77d023414..3f51eb37a 100644 --- a/glance/policies/base.py +++ b/glance/policies/base.py @@ -57,33 +57,33 @@ PROJECT_READER_OR_PUBLIC_NAMESPACE = ( # typical in OpenStack services. But following check strings offer formal # support for project membership and a read-only variant consistent with # other OpenStack services. -ADMIN_OR_PROJECT_MEMBER = f'role:admin or ({PROJECT_MEMBER})' -ADMIN_OR_PROJECT_READER = f'role:admin or ({PROJECT_READER})' +ADMIN_OR_PROJECT_MEMBER = f'rule:context_is_admin or ({PROJECT_MEMBER})' +ADMIN_OR_PROJECT_READER = f'rule:context_is_admin or ({PROJECT_READER})' ADMIN_OR_PROJECT_READER_GET_IMAGE = ( - f'role:admin or ' + f'rule:context_is_admin or ' f'({PROJECT_READER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})' ) ADMIN_OR_PROJECT_MEMBER_DOWNLOAD_IMAGE = ( - f'role:admin or ' + f'rule:context_is_admin or ' f'({PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})' ) ADMIN_OR_PROJECT_MEMBER_CREATE_IMAGE = ( - f'role:admin or ({PROJECT_MEMBER} and project_id:%(owner)s)' + f'rule:context_is_admin or ({PROJECT_MEMBER} and project_id:%(owner)s)' ) ADMIN_OR_PROJECT_READER_GET_NAMESPACE = ( - f'role:admin or ({PROJECT_READER_OR_PUBLIC_NAMESPACE})' + f'rule:context_is_admin or ({PROJECT_READER_OR_PUBLIC_NAMESPACE})' ) ADMIN_OR_SHARED_MEMBER = ( - f'role:admin or (role:member and {IMAGE_MEMBER_CHECK})' + f'rule:context_is_admin or (role:member and {IMAGE_MEMBER_CHECK})' ) ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER = ( - f'role:admin or ' + f'rule:context_is_admin or ' f'role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK})' ) -ADMIN = f'role:admin' +ADMIN = f'rule:context_is_admin' rules = [ policy.RuleDefault(name='default', check_str='', @@ -92,7 +92,7 @@ rules = [ 'policy in the supplied policy.json file.', deprecated_rule=policy.DeprecatedRule( name='default', - check_str='role:admin', + check_str='rule:context_is_admin', deprecated_reason='In order to allow operators to ' 'accept the default policies from code by not ' 'defining them in the policy file, while still ' diff --git a/glance/policies/discovery.py b/glance/policies/discovery.py index 50a421330..5a0b86e88 100644 --- a/glance/policies/discovery.py +++ b/glance/policies/discovery.py @@ -18,7 +18,7 @@ from oslo_policy import policy discovery_policies = [ policy.DocumentedRuleDefault( name="stores_info_detail", - check_str='role:admin', + check_str='rule:context_is_admin', scope_types=['project'], description='Expose store specific information', operations=[ diff --git a/glance/policies/image.py b/glance/policies/image.py index c4400ec0b..1fdd97acc 100644 --- a/glance/policies/image.py +++ b/glance/policies/image.py @@ -93,7 +93,7 @@ image_policies = [ ), policy.DocumentedRuleDefault( name="publicize_image", - check_str='role:admin', + check_str='rule:context_is_admin', scope_types=['project'], description='Publicize given image', operations=[ @@ -147,7 +147,7 @@ image_policies = [ policy.DocumentedRuleDefault( name="delete_image_location", - check_str="role:admin", + check_str="rule:context_is_admin", scope_types=['project'], description='Deletes the location of given image', operations=[ @@ -261,7 +261,7 @@ image_policies = [ policy.RuleDefault( name="manage_image_cache", - check_str='role:admin', + check_str='rule:context_is_admin', scope_types=['project'], description='Manage image cache' ), @@ -297,7 +297,7 @@ image_policies = [ policy.DocumentedRuleDefault( name="copy_image", - check_str='role:admin', + check_str='rule:context_is_admin', # For now this is restricted to project-admins. # That might change in the future if we decide to push # this functionality down to project-members. diff --git a/glance/policies/metadef.py b/glance/policies/metadef.py index d1feaaed8..84641f42c 100644 --- a/glance/policies/metadef.py +++ b/glance/policies/metadef.py @@ -23,7 +23,8 @@ The metadata API now supports project scope and default roles. metadef_policies = [ policy.RuleDefault(name="metadef_default", check_str=""), - policy.RuleDefault(name="metadef_admin", check_str="role:admin"), + policy.RuleDefault(name="metadef_admin", + check_str="rule:context_is_admin"), policy.DocumentedRuleDefault( name="get_metadef_namespace", check_str=base.ADMIN_OR_PROJECT_READER_GET_NAMESPACE, diff --git a/glance/policies/tasks.py b/glance/policies/tasks.py index 42d25a5f6..64aa9e42a 100644 --- a/glance/policies/tasks.py +++ b/glance/policies/tasks.py @@ -101,7 +101,7 @@ task_policies = [ ), policy.DocumentedRuleDefault( name="tasks_api_access", - check_str="role:admin", + check_str="rule:context_is_admin", scope_types=['project'], description=TASK_ACCESS_DESCRIPTION, operations=[ diff --git a/glance/tests/unit/test_policy.py b/glance/tests/unit/test_policy.py index b37268592..a78f6b315 100644 --- a/glance/tests/unit/test_policy.py +++ b/glance/tests/unit/test_policy.py @@ -486,7 +486,8 @@ class TestDefaultPolicyCheckStrings(base.IsolatedUnitTest): self.assertEqual(expected, base_policy.PROJECT_MEMBER) def test_admin_or_project_member_check_string(self): - expected = 'role:admin or (role:member and project_id:%(project_id)s)' + expected = ('rule:context_is_admin or ' + '(role:member and project_id:%(project_id)s)') self.assertEqual(expected, base_policy.ADMIN_OR_PROJECT_MEMBER) def test_project_member_download_image_check_string(self): @@ -506,7 +507,8 @@ class TestDefaultPolicyCheckStrings(base.IsolatedUnitTest): self.assertEqual(expected, base_policy.PROJECT_READER) def test_admin_or_project_reader_check_string(self): - expected = 'role:admin or (role:reader and project_id:%(project_id)s)' + expected = ('rule:context_is_admin or ' + '(role:reader and project_id:%(project_id)s)') self.assertEqual(expected, base_policy.ADMIN_OR_PROJECT_READER) def test_project_reader_get_image_check_string(self): |