openstack/ironic
Code Issues Proposed changes

Implement system scoped RBAC for volume APIs

Browse Source 
This commit updates the policies for baremetal volume policies to understand
scope checking and account for a read-only role. This is part of a broader
series of changes across OpenStack to provide a consistent RBAC experience and
improve security.

Change-Id: I361a6410f5825b2dc97b50586475a4fa8e0f0f1f
This commit is contained in:
Lance Bragstad 2020-11-18 21:39:15 +00:00 committed by Julia Kreger
parent 69b28ca99c
commit 5ed58df555
4 changed files with 142 additions and 88 deletions

111
ironic/common/policy.py

@ -1062,41 +1062,92 @@ utility_policies = [
),
]
deprecated_volume_get = policy.DeprecatedRule(
name='baremetal:volume:get',
check_str='rule:is_admin or rule:is_observer'
)
deprecated_volume_create = policy.DeprecatedRule(
name='baremetal:volume:create',
check_str='rule:is_admin'
)
deprecated_volume_delete = policy.DeprecatedRule(
name='baremetal:volume:delete',
check_str='rule:is_admin'
)
deprecated_volume_update = policy.DeprecatedRule(
name='baremetal:volume:update',
check_str='rule:is_admin'
)
deprecated_volume_reason = """
The baremetal volume API is now aware of system scope and default
roles.
"""
volume_policies = [
policy.DocumentedRuleDefault(
'baremetal:volume:get',
'rule:is_admin or rule:is_observer',
'Retrieve Volume connector and target records',
[{'path': '/volume', 'method': 'GET'},
{'path': '/volume/connectors', 'method': 'GET'},
{'path': '/volume/connectors/{volume_connector_id}', 'method': 'GET'},
{'path': '/volume/targets', 'method': 'GET'},
{'path': '/volume/targets/{volume_target_id}', 'method': 'GET'},
{'path': '/nodes/{node_ident}/volume', 'method': 'GET'},
{'path': '/nodes/{node_ident}/volume/connectors', 'method': 'GET'},
{'path': '/nodes/{node_ident}/volume/targets', 'method': 'GET'}]),
name='baremetal:volume:get',
check_str=SYSTEM_READER,
scope_types=['system'],
description='Retrieve Volume connector and target records',
operations=[
{'path': '/volume', 'method': 'GET'},
{'path': '/volume/connectors', 'method': 'GET'},
{'path': '/volume/connectors/{volume_connector_id}',
'method': 'GET'},
{'path': '/volume/targets', 'method': 'GET'},
{'path': '/volume/targets/{volume_target_id}', 'method': 'GET'},
{'path': '/nodes/{node_ident}/volume', 'method': 'GET'},
{'path': '/nodes/{node_ident}/volume/connectors', 'method': 'GET'},
{'path': '/nodes/{node_ident}/volume/targets', 'method': 'GET'}
],
deprecated_rule=deprecated_volume_get,
deprecated_reason=deprecated_volume_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:volume:create',
'rule:is_admin',
'Create Volume connector and target records',
[{'path': '/volume/connectors', 'method': 'POST'},
{'path': '/volume/targets', 'method': 'POST'}]),
name='baremetal:volume:create',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Create Volume connector and target records',
operations=[
{'path': '/volume/connectors', 'method': 'POST'},
{'path': '/volume/targets', 'method': 'POST'}
],
deprecated_rule=deprecated_volume_create,
deprecated_reason=deprecated_volume_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:volume:delete',
'rule:is_admin',
'Delete Volume connector and target records',
[{'path': '/volume/connectors/{volume_connector_id}',
'method': 'DELETE'},
{'path': '/volume/targets/{volume_target_id}',
'method': 'DELETE'}]),
name='baremetal:volume:delete',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Delete Volume connector and target records',
operations=[
{'path': '/volume/connectors/{volume_connector_id}',
'method': 'DELETE'},
{'path': '/volume/targets/{volume_target_id}',
'method': 'DELETE'}
],
deprecated_rule=deprecated_volume_delete,
deprecated_reason=deprecated_volume_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
policy.DocumentedRuleDefault(
'baremetal:volume:update',
'rule:is_admin',
'Update Volume connector and target records',
[{'path': '/volume/connectors/{volume_connector_id}',
'method': 'PATCH'},
{'path': '/volume/targets/{volume_target_id}',
'method': 'PATCH'}]),
name='baremetal:volume:update',
check_str=SYSTEM_MEMBER,
scope_types=['system'],
description='Update Volume connector and target records',
operations=[
{'path': '/volume/connectors/{volume_connector_id}',
'method': 'PATCH'},
{'path': '/volume/targets/{volume_target_id}',
'method': 'PATCH'}
],
deprecated_rule=deprecated_volume_update,
deprecated_reason=deprecated_volume_reason,
deprecated_since=versionutils.deprecated.WALLABY
),
]
conductor_policies = [

42
ironic/tests/unit/api/test_rbac_legacy.yaml

@ -1270,18 +1270,21 @@ volume_get_admin:
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
volume_get_member:
path: '/v1/volume'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
volume_get_observer:
path: '/v1/volume'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
# Volume connectors
@ -1290,18 +1293,21 @@ volume_connectors_get_admin:
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
volume_connectors_get_member:
path: '/v1/volume/connectors'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
volume_connectors_get_observer:
path: '/v1/volume/connectors'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
# NOTE(TheJulia): This ends up returning a 400 due to the
# UUID not already being in ironic.
@ -1314,6 +1320,7 @@ volume_connectors_post_admin:
node_uuid: 68a552fb-dcd2-43bf-9302-e4c93287be16
type: ip
connector_id: 192.168.1.100
deprecated: true
volume_connectors_post_member:
path: '/v1/volume/connectors'
@ -1321,6 +1328,7 @@ volume_connectors_post_member:
headers: *member_headers
assert_status: 403
body: *volume_connector_body
deprecated: true
volume_connectors_post_observer:
path: '/v1/volume/connectors'
@ -1328,24 +1336,28 @@ volume_connectors_post_observer:
headers: *observer_headers
assert_status: 403
body: *volume_connector_body
deprecated: true
volume_volume_connector_id_get_admin:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
volume_volume_connector_id_get_member:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
volume_volume_connector_id_get_observer:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
volume_volume_connector_id_patch_admin:
path: '/v1/volume/connectors/{volume_connector_ident}'
@ -1356,6 +1368,7 @@ volume_volume_connector_id_patch_admin:
path: /extra
value: {'test': 'testing'}
assert_status: 503
deprecated: true
volume_volume_connector_id_patch_member:
path: '/v1/volume/connectors/{volume_connector_ident}'
@ -1363,6 +1376,7 @@ volume_volume_connector_id_patch_member:
headers: *member_headers
body: *connector_patch_body
assert_status: 403
deprecated: true
volume_volume_connector_id_patch_observer:
path: '/v1/volume/connectors/{volume_connector_ident}'
@ -1370,24 +1384,28 @@ volume_volume_connector_id_patch_observer:
headers: *observer_headers
body: *connector_patch_body
assert_status: 403
deprecated: true
volume_volume_connector_id_delete_admin:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: delete
headers: *admin_headers
assert_status: 503
deprecated: true
volume_volume_connector_id_delete_member:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: delete
headers: *member_headers
assert_status: 403
deprecated: true
volume_volume_connector_id_delete_observer:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: delete
headers: *observer_headers
assert_status: 403
deprecated: true
# Volume targets
@ -1396,11 +1414,13 @@ volume_targets_get_admin:
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
volume_targets_get_member:
path: '/v1/volume/targets'
method: get
headers: *member_headers
deprecated: true
assert_status: 403
volume_targets_get_observer:
@ -1408,6 +1428,7 @@ volume_targets_get_observer:
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
# NOTE(TheJulia): Because we can't seem to get the uuid
# to load from an existing uuid, since we're not subsituting
@ -1422,6 +1443,7 @@ volume_targets_post_admin:
volume_type: iscsi
boot_index: 0
volume_id: 'test-id'
deprecated: true
volume_targets_post_member:
path: '/v1/volume/targets'
@ -1429,6 +1451,7 @@ volume_targets_post_member:
headers: *member_headers
assert_status: 403
body: *volume_target_body
deprecated: true
volume_targets_post_observer:
path: '/v1/volume/targets'
@ -1436,24 +1459,28 @@ volume_targets_post_observer:
headers: *observer_headers
assert_status: 403
body: *volume_target_body
deprecated: true
volume_volume_target_id_get_admin:
path: '/v1/volume/targets/{volume_target_ident}'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
volume_volume_target_id_get_member:
path: '/v1/volume/targets/{volume_target_ident}'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
volume_volume_target_id_get_observer:
path: '/v1/volume/targets/{volume_target_ident}'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
volume_volume_target_id_patch_admin:
path: '/v1/volume/targets/{volume_target_ident}'
@ -1464,6 +1491,7 @@ volume_volume_target_id_patch_admin:
value: {'test': 'testing'}
headers: *admin_headers
assert_status: 503
deprecated: true
volume_volume_target_id_patch_admin:
path: '/v1/volume/targets/{volume_target_ident}'
@ -1471,6 +1499,7 @@ volume_volume_target_id_patch_admin:
body: *volume_target_patch
headers: *member_headers
assert_status: 403
deprecated: true
volume_volume_target_id_patch_observer:
path: '/v1/volume/targets/{volume_target_ident}'
@ -1478,24 +1507,28 @@ volume_volume_target_id_patch_observer:
body: *volume_target_patch
headers: *observer_headers
assert_status: 403
deprecated: true
volume_volume_target_id_delete_admin:
path: '/v1/volume/targets/{volume_target_ident}'
method: delete
headers: *admin_headers
assert_status: 503
deprecated: true
volume_volume_target_id_delete_member:
path: '/v1/volume/targets/{volume_target_ident}'
method: delete
headers: *member_headers
assert_status: 403
deprecated: true
volume_volume_target_id_delete_observer:
path: '/v1/volume/targets/{volume_target_ident}'
method: delete
headers: *observer_headers
assert_status: 403
deprecated: true
# Get Volumes by Node - https://docs.openstack.org/api-ref/baremetal/#listing-volume-resources-by-node-nodes-volume
@ -1504,54 +1537,63 @@ nodes_volume_get_admin:
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_volume_get_member:
path: '/v1/nodes/{node_ident}/volume'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_volume_get_observer:
path: '/v1/nodes/{node_ident}/volume'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
nodes_volume_connectors_get_admin:
path: '/v1/nodes/{node_ident}/volume/connectors'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_volume_connectors_get_member:
path: '/v1/nodes/{node_ident}/volume/connectors'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_volume_connectors_get_observer:
path: '/v1/nodes/{node_ident}/volume/connectors'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
nodes_volume_targets_get_admin:
path: '/v1/nodes/{node_ident}/volume/targets'
method: get
headers: *admin_headers
assert_status: 200
deprecated: true
nodes_volume_targets_get_member:
path: '/v1/nodes/{node_ident}/volume/targets'
method: get
headers: *member_headers
assert_status: 403
deprecated: true
nodes_volume_targets_get_observer:
path: '/v1/nodes/{node_ident}/volume/targets'
method: get
headers: *observer_headers
assert_status: 200
deprecated: true
# Drivers - https://docs.openstack.org/api-ref/baremetal/#drivers-drivers

74
ironic/tests/unit/api/test_rbac_system_scoped.yaml

@ -1100,21 +1100,18 @@ volume_get_admin:
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
volume_get_member:
path: '/v1/volume'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
volume_get_observer:
path: '/v1/volume'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
# Volume connectors
@ -1123,23 +1120,20 @@ volume_connectors_get_admin:
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
volume_connectors_get_member:
path: '/v1/volume/connectors'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
volume_connectors_get_observer:
path: '/v1/volume/connectors'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
# NOTE(TheJulia): This ends up returning a 403 due to the
# NOTE(TheJulia): This ends up returning a 400 due to the
# UUID not already being in ironic.
volume_connectors_post_admin:
path: '/v1/volume/connectors'
@ -1150,15 +1144,15 @@ volume_connectors_post_admin:
node_uuid: 68a552fb-dcd2-43bf-9302-e4c93287be16
type: ip
connector_id: 192.168.1.100
skip_reason: not updated for scope testing
# If nova-compute is to operate as member rights, it needs to be able
# to add volumes.
volume_connectors_post_member:
path: '/v1/volume/connectors'
method: post
headers: *scoped_member_headers
assert_status: 403
assert_status: 400
body: *volume_connector_body
skip_reason: not updated for scope testing
volume_connectors_post_observer:
path: '/v1/volume/connectors'
@ -1166,28 +1160,24 @@ volume_connectors_post_observer:
headers: *observer_headers
assert_status: 403
body: *volume_connector_body
skip_reason: not updated for scope testing
volume_volume_connector_id_get_admin:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
volume_volume_connector_id_get_member:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
volume_volume_connector_id_get_observer:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
volume_volume_connector_id_patch_admin:
path: '/v1/volume/connectors/{volume_connector_ident}'
@ -1198,15 +1188,13 @@ volume_volume_connector_id_patch_admin:
path: /extra
value: {'test': 'testing'}
assert_status: 503
skip_reason: not updated for scope testing
volume_volume_connector_id_patch_member:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: patch
headers: *scoped_member_headers
body: *connector_patch_body
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 503
volume_volume_connector_id_patch_observer:
path: '/v1/volume/connectors/{volume_connector_ident}'
@ -1214,28 +1202,24 @@ volume_volume_connector_id_patch_observer:
headers: *observer_headers
body: *connector_patch_body
assert_status: 403
skip_reason: not updated for scope testing
volume_volume_connector_id_delete_admin:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: delete
headers: *admin_headers
assert_status: 503
skip_reason: not updated for scope testing
volume_volume_connector_id_delete_member:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: delete
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 503
volume_volume_connector_id_delete_observer:
path: '/v1/volume/connectors/{volume_connector_ident}'
method: delete
headers: *observer_headers
assert_status: 403
skip_reason: not updated for scope testing
# Volume targets
@ -1244,21 +1228,18 @@ volume_targets_get_admin:
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
volume_targets_get_member:
path: '/v1/volume/targets'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
volume_targets_get_observer:
path: '/v1/volume/targets'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
# NOTE(TheJulia): Because we can't seem to get the uuid
# to load from an existing uuid, since we're not subsituting
@ -1273,15 +1254,13 @@ volume_targets_post_admin:
volume_type: iscsi
boot_index: 0
volume_id: 'test-id'
skip_reason: not updated for scope testing
volume_targets_post_member:
path: '/v1/volume/targets'
method: post
headers: *scoped_member_headers
assert_status: 403
assert_status: 400
body: *volume_target_body
skip_reason: not updated for scope testing
volume_targets_post_observer:
path: '/v1/volume/targets'
@ -1289,28 +1268,24 @@ volume_targets_post_observer:
headers: *observer_headers
assert_status: 403
body: *volume_target_body
skip_reason: not updated for scope testing
volume_volume_target_id_get_admin:
path: '/v1/volume/targets/{volume_target_ident}'
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
volume_volume_target_id_get_member:
path: '/v1/volume/targets/{volume_target_ident}'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
volume_volume_target_id_get_observer:
path: '/v1/volume/targets/{volume_target_ident}'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
# NOTE(TheJulia): This triggers a call to the conductor and
# thus will fail, but does not return a 403 which means success.
@ -1323,15 +1298,13 @@ volume_volume_target_id_patch_admin:
value: {'test': 'testing'}
headers: *admin_headers
assert_status: 503
skip_reason: not updated for scope testing
volume_volume_target_id_patch_admin:
path: '/v1/volume/targets/{volume_target_ident}'
method: patch
body: *volume_target_patch
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 503
volume_volume_target_id_patch_observer:
path: '/v1/volume/targets/{volume_target_ident}'
@ -1339,28 +1312,24 @@ volume_volume_target_id_patch_observer:
body: *volume_target_patch
headers: *observer_headers
assert_status: 403
skip_reason: not updated for scope testing
volume_volume_target_id_delete_admin:
path: '/v1/volume/targets/{volume_target_ident}'
method: delete
headers: *admin_headers
assert_status: 503
skip_reason: not updated for scope testing
volume_volume_target_id_delete_member:
path: '/v1/volume/targets/{volume_target_ident}'
method: delete
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 503
volume_volume_target_id_delete_observer:
path: '/v1/volume/targets/{volume_target_ident}'
method: delete
headers: *observer_headers
assert_status: 403
skip_reason: not updated for scope testing
# Get Volumes by Node - https://docs.openstack.org/api-ref/baremetal/#listing-volume-resources-by-node-nodes-volume
@ -1369,63 +1338,54 @@ nodes_volume_get_admin:
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
nodes_volume_get_member:
path: '/v1/nodes/{node_ident}/volume'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
nodes_volume_get_observer:
path: '/v1/nodes/{node_ident}/volume'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
nodes_volume_connectors_get_admin:
path: '/v1/nodes/{node_ident}/volume/connectors'
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
nodes_volume_connectors_get_member:
path: '/v1/nodes/{node_ident}/volume/connectors'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
nodes_volume_connectors_get_observer:
path: '/v1/nodes/{node_ident}/volume/connectors'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
nodes_volume_targets_get_admin:
path: '/v1/nodes/{node_ident}/volume/targets'
method: get
headers: *admin_headers
assert_status: 200
skip_reason: not updated for scope testing
nodes_volume_targets_get_member:
path: '/v1/nodes/{node_ident}/volume/targets'
method: get
headers: *scoped_member_headers
assert_status: 403
skip_reason: not updated for scope testing
assert_status: 200
nodes_volume_targets_get_observer:
path: '/v1/nodes/{node_ident}/volume/targets'
method: get
headers: *observer_headers
assert_status: 200
skip_reason: not updated for scope testing
# Drivers - https://docs.openstack.org/api-ref/baremetal/#drivers-drivers

3
releasenotes/notes/system-scoped-authentication-28e3651de250bea8.yaml

@ -3,7 +3,8 @@ features:
- |
The Baremetal API, provided by the ironic-api process, now supports use of
``system`` scoped ``keystone`` authentication for the following endpoints:
nodes, ports, portgroups, chassis, drivers, vendor passthru.
nodes, ports, portgroups, chassis, drivers, driver vendor passthru,
volume targets, volume connectors
upgrade:
- |
Deprecated policy rules are not expressed via a default policy file