Diffstat (limited to 'nova/policies/base.py')
-rw-r--r-- | nova/policies/base.py | 78 |
1 files changed, 25 insertions, 53 deletions
diff --git a/nova/policies/base.py b/nova/policies/base.py
index b04410425d..ab0c319cdf 100644
--- a/nova/policies/base.py
+++ b/nova/policies/base.py
@@ -37,40 +37,25 @@ DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
 deprecated_since='21.0.0'
 )
-# TODO(gmann): # Special string ``system_scope:all`` is added for system
-# scoped policies for backwards compatibility where ``nova.conf [oslo_policy]
-# enforce_scope = False``.
-# Otherwise, this might open up APIs to be more permissive unintentionally if a
-# deployment isn't enforcing scope. For example, the 'list all servers'
-# policy will be System Scoped Reader with ``role:reader`` and
-# scope_type=['system'] Until enforce_scope=True by default, it would
-# be possible for users with the ``reader`` role on a project to access the
-# 'list all servers' API. Once nova defaults ``nova.conf [oslo_policy]
-# enforce_scope=True``, the ``system_scope:all`` bits of these check strings
-# can be removed since that will be handled automatically by scope_types in
-# oslo.policy's RuleDefault objects.
-SYSTEM_ADMIN = 'rule:system_admin_api'
-SYSTEM_READER = 'rule:system_reader_api'
-PROJECT_ADMIN = 'rule:project_admin_api'
+ADMIN = 'rule:context_is_admin'
 PROJECT_MEMBER = 'rule:project_member_api'
 PROJECT_READER = 'rule:project_reader_api'
-PROJECT_MEMBER_OR_SYSTEM_ADMIN = 'rule:system_admin_or_owner'
-PROJECT_READER_OR_SYSTEM_READER = 'rule:system_or_project_reader'
+PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
+PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
-# NOTE(gmann): Below is the mapping of new roles and scope_types
-# with legacy roles::
+# NOTE(gmann): Below is the mapping of new roles with legacy roles::
-# Legacy Rule | New Rules |Operation |scope_type|
-# -------------------+----------------------------------+----------+-----------
-# |-> SYSTEM_ADMIN |Global | [system]
-# RULE_ADMIN_API | Write
-# |-> SYSTEM_READER |Global | [system]
-# | |Read |
-#
-# |-> PROJECT_MEMBER_OR_SYSTEM_ADMIN |Project | [system,
-# RULE_ADMIN_OR_OWNER| |Write | project]
-# |-> PROJECT_READER_OR_SYSTEM_READER|Project | [system,
-# |Read | project]
+# Legacy Rule | New Rules |Operation |scope_type|
+# -------------------+---------------------------+----------------+-----------
+# RULE_ADMIN_API |-> ADMIN |Global resource | [project]
+# | |Write & Read |
+# -------------------+---------------------------+----------------+-----------
+# |-> ADMIN |Project admin | [project]
+# | |level operation |
+# RULE_ADMIN_OR_OWNER|-> PROJECT_MEMBER_OR_ADMIN |Project resource| [project]
+# | |Write |
+# |-> PROJECT_READER_OR_ADMIN |Project resource| [project]
+# | |Read |
 # NOTE(johngarbutt) The base rules here affect so many APIs the list
 # of related API operations has not been populated. It would be
@@ -88,7 +73,8 @@ rules = [
 policy.RuleDefault(
 "context_is_admin",
 "role:admin",
- "Decides what is required for the 'is_admin:True' check to succeed."),
+ "Decides what is required for the 'is_admin:True' check to succeed.",
+ deprecated_rule=DEPRECATED_ADMIN_POLICY),
 policy.RuleDefault(
 "admin_or_owner",
 "is_admin:True or project_id:%(project_id)s",
@@ -104,21 +90,6 @@ rules = [
 deprecated_reason=DEPRECATED_REASON,
 deprecated_since='21.0.0'),
 policy.RuleDefault(
- name="system_admin_api",
- check_str='role:admin and system_scope:all',
- description="Default rule for System Admin APIs.",
- deprecated_rule=DEPRECATED_ADMIN_POLICY),
- policy.RuleDefault(
- name="system_reader_api",
- check_str="role:reader and system_scope:all",
- description="Default rule for System level read only APIs.",
- deprecated_rule=DEPRECATED_ADMIN_POLICY),
- policy.RuleDefault(
- "project_admin_api",
- "role:admin and project_id:%(project_id)s",
- "Default rule for Project level admin APIs.",
- deprecated_rule=DEPRECATED_ADMIN_POLICY),
- policy.RuleDefault(
 "project_member_api",
 "role:member and project_id:%(project_id)s",
 "Default rule for Project level non admin APIs.",
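Review bot: The new table files `ADMIN` under "Project admin level operation" with scope_type `[project]`, but `ADMIN` resolves to `rule:context_is_admin`, whose check string (visible as context in the next hunk) is plain `role:admin` with no `project_id:%(project_id)s` term, so a token holding the `admin` role passes it for resources of any project, not just the token's own. The removed TODO was the only comment that spelled out that scope_type and check-string semantics are separate things; with it gone, the table reads as if `ADMIN` were project-bound. A one-line comment beside the constant would keep that distinction visible, e.g. `# NOTE: ADMIN is role-based only (no project_id match); the [project] scope_type below constrains the token's scope once enforce_scope is on, not which project's resources an admin may reach.` Blank lines separating the constants, the table and the NOTE(johngarbutt) comment are not recoverable from this page, so the hunk as shown is shorter than its header counts.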
@@ -126,16 +97,17 @@ rules = [
 policy.RuleDefault(
 "project_reader_api",
 "role:reader and project_id:%(project_id)s",
- "Default rule for Project level read only APIs."),
+ "Default rule for Project level read only APIs.",
+ deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
 policy.RuleDefault(
- name="system_admin_or_owner",
- check_str="rule:system_admin_api or rule:project_member_api",
- description="Default rule for System admin+owner APIs.",
+ "project_member_or_admin",
+ "rule:project_member_api or rule:context_is_admin",
+ "Default rule for Project Member or admin APIs.",
 deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
 policy.RuleDefault(
- "system_or_project_reader",
- "rule:system_reader_api or rule:project_reader_api",
- "Default rule for System+Project read only APIs.",
+ "project_reader_or_admin",
+ "rule:project_reader_api or rule:context_is_admin",
+ "Default rule for Project reader or admin APIs.",
 deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
 ]
|
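Review bot: `project_reader_api` gains `deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY` where it previously had none, and oslo.policy ORs a deprecated rule's check string into the new default until `enforce_new_defaults` is enabled, so for the length of the deprecation window this rule admits whatever the legacy admin-or-owner check (defined above, outside the hunk) admits, not only `role:reader and project_id:%(project_id)s`. That is presumably deliberate for upgrade compatibility, but it widens an existing reader rule without saying so, and a comment on the RuleDefault would make the effective check obvious to anyone auditing defaults, e.g. `# NOTE: until enforce_new_defaults is set the legacy admin_or_owner check is ORed in, so any user of the project satisfies this reader rule.` Separately, `system_admin_or_owner` and `system_or_project_reader` are replaced by `project_member_or_admin` and `project_reader_or_admin` with no DeprecatedRule carrying the old names, so an operator policy file that overrides the old names would keep a now-unreferenced override; if there is no release note covering that, one is worth adding.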