Implement secure RBAC for snapshot actions
This patch updates the policies for snapshot actions to align with the policy persona matrix established for Xena. Change-Id: Id739c462ffba60328524b3b0b46bbc0ff3a6e2c2
This commit is contained in:
parent
dd00352c35
commit
8ebe3ecef9
@ -23,6 +23,12 @@ FORCE_DELETE_POLICY = 'volume_extension:snapshot_admin_actions:force_delete'
|
|||||||
UPDATE_STATUS_POLICY = \
|
UPDATE_STATUS_POLICY = \
|
||||||
'snapshot_extension:snapshot_actions:update_snapshot_status'
|
'snapshot_extension:snapshot_actions:update_snapshot_status'
|
||||||
|
|
||||||
|
deprecated_update_status = base.CinderDeprecatedRule(
|
||||||
|
name=UPDATE_STATUS_POLICY,
|
||||||
|
check_str=""
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
snapshot_actions_policies = [
|
snapshot_actions_policies = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=RESET_STATUS_POLICY,
|
name=RESET_STATUS_POLICY,
|
||||||
@ -33,10 +39,11 @@ snapshot_actions_policies = [
|
|||||||
'method': 'POST',
|
'method': 'POST',
|
||||||
'path': '/snapshots/{snapshot_id}/action (os-reset_status)'
|
'path': '/snapshots/{snapshot_id}/action (os-reset_status)'
|
||||||
}
|
}
|
||||||
]),
|
],
|
||||||
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=UPDATE_STATUS_POLICY,
|
name=UPDATE_STATUS_POLICY,
|
||||||
check_str="",
|
check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
|
||||||
description="Update database fields of snapshot.",
|
description="Update database fields of snapshot.",
|
||||||
operations=[
|
operations=[
|
||||||
{
|
{
|
||||||
@ -44,7 +51,9 @@ snapshot_actions_policies = [
|
|||||||
'path': '/snapshots/{snapshot_id}/action '
|
'path': '/snapshots/{snapshot_id}/action '
|
||||||
'(update_snapshot_status)'
|
'(update_snapshot_status)'
|
||||||
}
|
}
|
||||||
]),
|
],
|
||||||
|
deprecated_rule=deprecated_update_status,
|
||||||
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name=FORCE_DELETE_POLICY,
|
name=FORCE_DELETE_POLICY,
|
||||||
check_str=base.RULE_ADMIN_API,
|
check_str=base.RULE_ADMIN_API,
|
||||||
@ -54,7 +63,8 @@ snapshot_actions_policies = [
|
|||||||
'method': 'POST',
|
'method': 'POST',
|
||||||
'path': '/snapshots/{snapshot_id}/action (os-force_delete)'
|
'path': '/snapshots/{snapshot_id}/action (os-force_delete)'
|
||||||
}
|
}
|
||||||
])
|
],
|
||||||
|
)
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
180
cinder/tests/unit/policies/test_snapshot_actions.py
Normal file
180
cinder/tests/unit/policies/test_snapshot_actions.py
Normal file
@ -0,0 +1,180 @@
|
|||||||
|
# Copyright 2021 Red Hat, Inc.
|
||||||
|
# All Rights Reserved.
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
|
||||||
|
import ddt
|
||||||
|
|
||||||
|
from cinder.api.contrib import admin_actions
|
||||||
|
from cinder.api.contrib import snapshot_actions
|
||||||
|
from cinder.api import microversions as mv
|
||||||
|
from cinder import exception
|
||||||
|
from cinder.policies import snapshot_actions as policy
|
||||||
|
from cinder.policies import snapshots as snapshots_policy
|
||||||
|
from cinder.tests.unit.api import fakes as fake_api
|
||||||
|
from cinder.tests.unit.policies import base
|
||||||
|
from cinder.tests.unit import utils as test_utils
|
||||||
|
|
||||||
|
|
||||||
|
@ddt.ddt
|
||||||
|
class SnapshotActionsPolicyTest(base.BasePolicyTest):
|
||||||
|
authorized_members = [
|
||||||
|
'legacy_admin',
|
||||||
|
'legacy_owner',
|
||||||
|
'system_admin',
|
||||||
|
'project_admin',
|
||||||
|
'project_member',
|
||||||
|
'project_reader',
|
||||||
|
'project_foo',
|
||||||
|
]
|
||||||
|
|
||||||
|
unauthorized_members = [
|
||||||
|
'system_member',
|
||||||
|
'system_reader',
|
||||||
|
'system_foo',
|
||||||
|
'other_project_member',
|
||||||
|
'other_project_reader',
|
||||||
|
]
|
||||||
|
|
||||||
|
authorized_admins = [
|
||||||
|
'legacy_admin',
|
||||||
|
'system_admin',
|
||||||
|
'project_admin',
|
||||||
|
]
|
||||||
|
|
||||||
|
unauthorized_admins = [
|
||||||
|
'legacy_owner',
|
||||||
|
'system_member',
|
||||||
|
'system_reader',
|
||||||
|
'system_foo',
|
||||||
|
'project_member',
|
||||||
|
'project_reader',
|
||||||
|
'project_foo',
|
||||||
|
'other_project_member',
|
||||||
|
'other_project_reader',
|
||||||
|
]
|
||||||
|
|
||||||
|
# DB validations will throw SnapshotNotFound for some contexts
|
||||||
|
unauthorized_exceptions = [
|
||||||
|
exception.SnapshotNotFound,
|
||||||
|
]
|
||||||
|
|
||||||
|
# Basic policy test is without enforcing scope (which cinder doesn't
|
||||||
|
# yet support) and deprecated rules enabled.
|
||||||
|
def setUp(self, enforce_scope=False, enforce_new_defaults=False,
|
||||||
|
*args, **kwargs):
|
||||||
|
super().setUp(enforce_scope, enforce_new_defaults, *args, **kwargs)
|
||||||
|
self.controller = snapshot_actions.SnapshotActionsController()
|
||||||
|
self.admin_controller = admin_actions.SnapshotAdminController()
|
||||||
|
self.api_path = '/v3/%s/snapshots' % (self.project_id)
|
||||||
|
self.api_version = mv.BASE_VERSION
|
||||||
|
# Relax the snapshots GET_POLICY in order to get past that check.
|
||||||
|
self.policy.set_rules({snapshots_policy.GET_POLICY: ""},
|
||||||
|
overwrite=False)
|
||||||
|
|
||||||
|
def _create_snapshot(self, **kwargs):
|
||||||
|
vol_type = test_utils.create_volume_type(self.project_admin_context,
|
||||||
|
name='fake_vol_type',
|
||||||
|
testcase_instance=self)
|
||||||
|
|
||||||
|
volume = test_utils.create_volume(self.project_member_context,
|
||||||
|
volume_type_id=vol_type.id,
|
||||||
|
testcase_instance=self)
|
||||||
|
|
||||||
|
snapshot = test_utils.create_snapshot(self.project_member_context,
|
||||||
|
volume_id=volume.id,
|
||||||
|
testcase_instance=self, **kwargs)
|
||||||
|
return snapshot
|
||||||
|
|
||||||
|
@ddt.data(*base.all_users)
|
||||||
|
def test_reset_status_policy(self, user_id):
|
||||||
|
snapshot = self._create_snapshot(status='error')
|
||||||
|
rule_name = policy.RESET_STATUS_POLICY
|
||||||
|
url = '%s/%s/action' % (self.api_path, snapshot.id)
|
||||||
|
req = fake_api.HTTPRequest.blank(url, version=self.api_version)
|
||||||
|
req.method = 'POST'
|
||||||
|
body = {
|
||||||
|
"os-reset_status": {
|
||||||
|
"status": "available",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
self.common_policy_check(user_id, self.authorized_admins,
|
||||||
|
self.unauthorized_admins,
|
||||||
|
self.unauthorized_exceptions,
|
||||||
|
rule_name,
|
||||||
|
self.admin_controller._reset_status, req,
|
||||||
|
id=snapshot.id, body=body)
|
||||||
|
|
||||||
|
@ddt.data(*base.all_users)
|
||||||
|
def test_update_status_policy(self, user_id):
|
||||||
|
snapshot = self._create_snapshot(status='creating')
|
||||||
|
rule_name = policy.UPDATE_STATUS_POLICY
|
||||||
|
url = '%s/%s/action' % (self.api_path, snapshot.id)
|
||||||
|
req = fake_api.HTTPRequest.blank(url, version=self.api_version)
|
||||||
|
req.method = 'POST'
|
||||||
|
body = {
|
||||||
|
"os-update_snapshot_status": {
|
||||||
|
"status": "error"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
self.common_policy_check(user_id, self.authorized_members,
|
||||||
|
self.unauthorized_members,
|
||||||
|
self.unauthorized_exceptions,
|
||||||
|
rule_name,
|
||||||
|
self.controller._update_snapshot_status, req,
|
||||||
|
id=snapshot.id, body=body)
|
||||||
|
|
||||||
|
@ddt.data(*base.all_users)
|
||||||
|
def test_force_delete_policy(self, user_id):
|
||||||
|
snapshot = self._create_snapshot(status='error')
|
||||||
|
rule_name = policy.FORCE_DELETE_POLICY
|
||||||
|
url = '%s/%s/action' % (self.api_path, snapshot.id)
|
||||||
|
req = fake_api.HTTPRequest.blank(url, version=self.api_version)
|
||||||
|
req.method = 'POST'
|
||||||
|
body = {
|
||||||
|
"os-force_delete": {}
|
||||||
|
}
|
||||||
|
|
||||||
|
self.common_policy_check(user_id, self.authorized_admins,
|
||||||
|
self.unauthorized_admins,
|
||||||
|
self.unauthorized_exceptions,
|
||||||
|
rule_name,
|
||||||
|
self.admin_controller._force_delete, req,
|
||||||
|
id=snapshot.id, body=body)
|
||||||
|
|
||||||
|
|
||||||
|
class SnapshotActionsPolicySecureRbacTest(SnapshotActionsPolicyTest):
|
||||||
|
authorized_members = [
|
||||||
|
'legacy_admin',
|
||||||
|
'system_admin',
|
||||||
|
'project_admin',
|
||||||
|
'project_member',
|
||||||
|
]
|
||||||
|
|
||||||
|
unauthorized_members = [
|
||||||
|
'legacy_owner',
|
||||||
|
'system_member',
|
||||||
|
'system_reader',
|
||||||
|
'system_foo',
|
||||||
|
'project_reader',
|
||||||
|
'project_foo',
|
||||||
|
'other_project_member',
|
||||||
|
'other_project_reader',
|
||||||
|
]
|
||||||
|
|
||||||
|
def setUp(self, *args, **kwargs):
|
||||||
|
# Test secure RBAC by disabling deprecated policy rules (scope
|
||||||
|
# is still not enabled).
|
||||||
|
super().setUp(enforce_scope=False, enforce_new_defaults=True,
|
||||||
|
*args, **kwargs)
|
Loading…
Reference in New Issue
Block a user