diff options
author | Ghanshyam Mann <gmann@ghanshyammann.com> | 2020-04-03 14:48:29 -0500 |
---|---|---|
committer | Stephen Finucane <stephenfin@redhat.com> | 2020-04-08 14:46:10 +0100 |
commit | 189e818c26949613971511ee29f05b459eb1ee44 (patch) | |
tree | 53178ad651b9f28458980300e876b1e9e84948fc /nova/policies | |
parent | bea6e368a6590eb83d9c9fa0941aa74102d67d67 (diff) | |
download | nova-189e818c26949613971511ee29f05b459eb1ee44.tar.gz |
Add new default roles in server password policies
This adds new defaults roles in server password API policies.
- Policies are made granular and default to System or project reader
for get and system admin or owner for clear policy.
Also add tests to simulates the future where we drop the deprecation
fall back in the policy by overriding the rules with a version where
there are no deprecated rule options. Operators can do the same by
adding overrides in their policy files that match the default but
stop the rule deprecation fallback from happening.
Partial implement blueprint policy-defaults-refresh
Change-Id: I3571b73a3094f5f523ff7b655ca05355c65f90ff
Diffstat (limited to 'nova/policies')
-rw-r--r-- | nova/policies/server_password.py | 35 |
1 files changed, 30 insertions, 5 deletions
diff --git a/nova/policies/server_password.py b/nova/policies/server_password.py index 1a43f4af22..6015789cba 100644 --- a/nova/policies/server_password.py +++ b/nova/policies/server_password.py @@ -18,26 +18,51 @@ from oslo_policy import policy from nova.policies import base -BASE_POLICY_NAME = 'os_compute_api:os-server-password' +BASE_POLICY_NAME = 'os_compute_api:os-server-password:%s' + +DEPRECATED_POLICY = policy.DeprecatedRule( + 'os_compute_api:os-server-password', + base.RULE_ADMIN_OR_OWNER, +) + +DEPRECATED_REASON = """ +Nova API policies are introducing new default roles with scope_type +capabilities. Old policies are deprecated and silently going to be ignored +in nova 23.0.0 release. +""" server_password_policies = [ policy.DocumentedRuleDefault( - name=BASE_POLICY_NAME, - check_str=base.RULE_ADMIN_OR_OWNER, - description="Show and clear the encrypted administrative " + name=BASE_POLICY_NAME % 'show', + check_str=base.PROJECT_READER_OR_SYSTEM_READER, + description="Show the encrypted administrative " "password of a server", operations=[ { 'method': 'GET', 'path': '/servers/{server_id}/os-server-password' }, + ], + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='21.0.0'), + policy.DocumentedRuleDefault( + name=BASE_POLICY_NAME % 'clear', + check_str=base.PROJECT_MEMBER_OR_SYSTEM_ADMIN, + description="Clear the encrypted administrative " + "password of a server", + operations=[ { 'method': 'DELETE', 'path': '/servers/{server_id}/os-server-password' } ], - scope_types=['system', 'project']), + scope_types=['system', 'project'], + deprecated_rule=DEPRECATED_POLICY, + deprecated_reason=DEPRECATED_REASON, + deprecated_since='21.0.0'), ] |