Introduce scope_types in Device Profiles Actions

oslo.policy introduced the scope_type feature which can
control the access level at system-level and project-level.
 - https://docs.openstack.org/oslo.policy/latest/user/usage.html#setting-scope
 - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html

Each policy rules will be covered with appropriate oslo.policy’s
“scope_types”, ‘system’ and ‘project’ in cyborg cases as that defined in
the policies: https://wiki.openstack.org/wiki/Cyborg/Policy

This commit introduce scope_type for Device Profiles API policies.

Create and delete Device Profiles policies are scopped as 'system' because
device_profile operation should not be given access to project scopped token,
it has the same security requirement as that of manage a nova flavor.

GET operations are scopped as [‘system’, ‘project’] because any
reader(either system_reader or project_reader) can retrieve a device profile.

Also adds the test case with scope_type enabled and verify we
pass and fail the policy check with expected context.

Story: 2007024
Task: 40836
Change-Id: Ib58e6ba92513245dac915dfff29b02c556b542ee
This commit is contained in:
Yumeng Bao 2020-09-08 20:08:17 +08:00
parent b1c223afd8
commit 9c1714b3ae
4 changed files with 33 additions and 3 deletions

View File

@ -135,6 +135,8 @@ def authorize_wsgi(api_name, act=None, need_target=True):
context = pecan.request.context
credentials = context.to_policy_values()
credentials['is_admin'] = context.is_admin
if context.system_scope == 'all':
credentials['system'] = True
target = {}
# maybe we can pass "_get_resource" to authorize_wsgi
if need_target and hasattr(self, "_get_resource"):

View File

@ -54,6 +54,7 @@ device_profile_policies = [
'path': '/v2/device_profiles',
'method': 'GET'
}],
scope_types=['system', 'project'],
deprecated_rule=deprecated_get_all,
deprecated_reason=('request admin_or_owmer rule is too strict for '
'listing device_profile'),
@ -67,6 +68,7 @@ device_profile_policies = [
'path': '/v2/device_profiles/{device_profiles_uuid}',
'method': 'GET'
}],
scope_types=['system', 'project'],
deprecated_rule=deprecated_get_one,
deprecated_reason=('request admin_or_owmer rule is too strict for '
'retrieving a device_profile'),
@ -80,6 +82,7 @@ device_profile_policies = [
'path': '/v2/device_profiles',
'method': 'POST'
}],
scope_types=['system'],
deprecated_rule=deprecated_create,
deprecated_reason=('project_admin_or_owner is too permissive, '
'introduce system_scoped admin for creation'),
@ -96,6 +99,7 @@ device_profile_policies = [
'path': '/v2/device_profiles?value={device_profile_name1}',
'method': 'DELETE'},
],
scope_types=['system'],
deprecated_rule=deprecated_delete,
deprecated_reason=('project_admin_or_owner is too permissive, '
'introduce system_scoped admin for deletion'),

View File

@ -22,7 +22,6 @@ import pecan.testing
from cyborg.tests.unit.db import base
cfg.CONF.import_group('keystone_authtoken', 'keystonemiddleware.auth_token')
@ -49,6 +48,12 @@ class BaseApiTest(base.DbTestCase):
self.addCleanup(reset_pecan)
def flags(self, **kw):
"""Override flag variables for a test."""
group = kw.pop('group', None)
for k, v in kw.items():
cfg.CONF.set_override(k, v, group)
def _make_app(self):
# Determine where we are so we can set up paths in the config
root_dir = self.get_path()
@ -132,7 +137,7 @@ class BaseApiTest(base.DbTestCase):
'X-User-Name': ct.get("user_name") or "user",
'X-User-Id':
ct.get("user") or "1d6d686bc2c949ddb685ffb4682e0047",
'X-Project-Name': ct.get("project_name") or "project",
'X-Project-Name': ct.get("project_name") or "no_project_name",
'X-Project-Id':
ct.get("tenant") or "86f64f561b6d4f479655384572727f70",
'X-User-Domain-Id':
@ -140,8 +145,10 @@ class BaseApiTest(base.DbTestCase):
'X-User-Domain-Name': ct.get("domain_name") or "no_domain",
'X-Auth-Token':
ct.get("auth_token") or "b9764005b8c145bf972634fb16a826e8",
'X-Roles': ct.get("roles") or role
'X-Roles': ct.get("roles") or role,
}
if ct.get('system_scope') == 'all':
headers.update({'Openstack-System-Scope': 'all'})
return headers
def get_json(self, path, expect_errors=False, headers=None,

View File

@ -41,6 +41,7 @@ class DeviceProfilePolicyTest(base.BasePolicyTest):
def setUp(self):
super(DeviceProfilePolicyTest, self).setUp()
self.flags(enforce_scope=False, group="oslo_policy")
self.controller = device_profiles.DeviceProfilesController()
self.fake_dp_objs = fake_device_profile.get_obj_devprofs()
self.fake_dps = fake_device_profile.get_api_devprofs()
@ -152,3 +153,19 @@ class DeviceProfileScopeTypePolicyTest(DeviceProfilePolicyTest):
def setUp(self):
super(DeviceProfileScopeTypePolicyTest, self).setUp()
self.flags(enforce_scope=True, group="oslo_policy")
# check that system_admin is able to do create and delete operations.
self.create_authorized_contexts = [
self.system_admin_context]
self.delete_authorized_contexts = self.create_authorized_contexts
# Check that non-system or non-admin is not able to perform the system
# level actions on device_profiles.
self.create_unauthorized_contexts = [
self.legacy_admin_context, self.system_member_context,
self.system_reader_context, self.system_foo_context,
self.project_admin_context, self.project_member_context,
self.other_project_member_context,
self.project_foo_context, self.project_reader_context
]
self.delete_unauthorized_contexts = self.create_unauthorized_contexts