198ef70c2b
This patch introduces an oslo.policy-based API access policy enforcement engine to ironic-inspector. As part of the implementation, a proper oslo.context-based request context is also generated and assigned to each request. Short overview of changes: - added a custom RequestContext class - extends oslo.context to handle the "is_public_api" flag (False by default) - added context to the request in each API route - the '/continue' API sets the "is_public_api" flag to True - added documented definitions for API access policies and their defaults - added enforcement of these policies on API requests - added oslo.policy-specific entry points to setup.cfg - added an autogenerated policy sample file with defaults - added documentation with autogenerated policies Change-Id: Iff6f98fa9950d78608f0a7c325d132c11a1383b3 Closes-Bug: #1719812
# Full read/write API access. Any one of the listed roles grants it; the
# rule itself carries no project or scope restriction, so assign these
# roles sparingly.
#"is_admin": "role:admin or role:administrator or role:baremetal_admin"
# Read-only API access. With these defaults the observer role only reaches
# "introspection:status"; every other endpoint requires is_admin.
#"is_observer": "role:baremetal_observer"
# Internal flag for public API routes. "is_public_api" is set on the request
# context by the server for specific routes (it is not supplied by the
# client); for requests matching this rule the policy check passes without
# requiring any role, so treat these routes as unauthenticated.
#"public_api": "is_public_api:True"
# Default API access policy. "!" is oslo.policy's always-false rule, so any
# API action without an explicit policy listed here is denied (fail-closed).
# Keep it that way: replacing it with "" or "@" would silently open every
# unlisted action.
#"default": "!"
# Access the API root for available version information (public route, no
# role required)
# GET /
#"introspection": "rule:public_api"
# Access the versioned API root for version information
# GET /{version}
#"introspection:version": "rule:public_api"
# Ramdisk callback to continue introspection. This route is public
# (rule:public_api) because the ramdisk has no Keystone token, so anything
# that can reach the endpoint can submit a callback for a node in progress.
# Restrict reachability at the network level (e.g. provisioning network
# only) rather than relying on policy here.
# POST /continue
#"introspection:continue": "rule:public_api"
# Get introspection status
# GET /introspection
# GET /introspection/{node_id}
#"introspection:status": "rule:is_admin or rule:is_observer"
# Start introspection
# POST /introspection/{node_id}
#"introspection:start": "rule:is_admin"
# Abort introspection
# POST /introspection/{node_id}/abort
#"introspection:abort": "rule:is_admin"
# Get introspection data. The stored data is the raw inventory collected by
# the ramdisk and may include sensitive hardware details, which is why it is
# admin-only by default (observers cannot read it).
# GET /introspection/{node_id}/data
#"introspection:data": "rule:is_admin"
# Reapply introspection on stored data
# POST /introspection/{node_id}/data/unprocessed
#"introspection:reapply": "rule:is_admin"
# Get introspection rule(s)
# GET /rules
# GET /rules/{rule_id}
#"introspection:rule:get": "rule:is_admin"
# Delete introspection rule(s)
# DELETE /rules
# DELETE /rules/{rule_id}
#"introspection:rule:delete": "rule:is_admin"
# Create introspection rule
# POST /rules
#"introspection:rule:create": "rule:is_admin"