From e77d1b553aedd69d68fdedd43b842e252fd39439 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 18 Nov 2020 20:09:04 +0000
Subject: [PATCH] Introduce common personas for secure RBAC

This commit lays down some common personas we're trying to introduce across OpenStack services. Later commits will use these personas in ironic's existing policies. This will help use improve the security posture of OpenStack as a whole and provide a more consistent experience operators and end users.

Change-Id: I2960d0f808949582dc964f4f5688a462d397de9e
---
 ironic/common/policy.py | 50 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/ironic/common/policy.py b/ironic/common/policy.py
index efb92c5a55..80fd47c1c4 100644
--- a/ironic/common/policy.py
+++ b/ironic/common/policy.py
@@ -37,6 +37,55 @@ LOG = log.getLogger(__name__)
 DEFAULT_POLICY_FILE = 'policy.yaml'
 opts.set_defaults(cfg.CONF, DEFAULT_POLICY_FILE)
 
+# Generic policy check string for system administrators. These are the people
+# who need the highest level of authorization to operate the deployment.
+# They're allowed to create, read, update, or delete any system-specific
+# resource. They can also operate on project-specific resources where
+# applicable (e.g., cleaning up baremetal hosts)
+SYSTEM_ADMIN = 'role:admin and system_scope:all'
+
+# Generic policy check string for system users who don't require all the
+# authorization that system administrators typically have. This persona, or
+# check string, typically isn't used by default, but it's existence it useful
+# in the event a deployment wants to offload some administrative action from
+# system administrator to system members
+SYSTEM_MEMBER = 'role:member and system_scope:all'
+
+# Generic policy check string for read-only access to system-level resources.
+# This persona is useful for someone who needs access for auditing or even
+# support. These uses are also able to view project-specific resources where
+# applicable (e.g., listing all volumes in the deployment, regardless of the
+# project they belong to).
+SYSTEM_READER = 'role:reader and system_scope:all'
+
+# This check string is reserved for actions that require the highest level of
+# authorization on a project or resources within the project (e.g., setting the
+# default volume type for a project)
+PROJECT_ADMIN = ('role:admin and '
+                 'project_id:%(node.owner)s')
+# This check string is the primary use case for typical end-users, who are
+# working with resources that belong to a project (e.g., creating volumes and
+# backups).
+PROJECT_MEMBER = ('role:member and '
+                  '(project_id:%(node.owner)s or project_id:%(node.lessee)s)')
+
+# This check string should only be used to protect read-only project-specific
+# resources. It should not be used to protect APIs that make writable changes
+# (e.g., updating a volume or deleting a backup).
+PROJECT_READER = ('role:reader and '
+                  '(project_id:%(node.owner)s or project_id:%(node.lessee)s)')
+
+# The following are common composite check strings that are useful for
+# protecting APIs designed to operate with multiple scopes (e.g., a system
+# administrator should be able to delete any baremetal host in the deployment,
+# a project member should only be able to delete hosts in their project).
+SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
+    '(' + SYSTEM_ADMIN + ') or (' + PROJECT_MEMBER + ')'
+)
+SYSTEM_OR_PROJECT_READER = (
+    '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')'
+)
+
 default_policies = [
     # Legacy setting, don't remove. Likely to be overridden by operators who
     # forget to update their policy.json configuration file.
@@ -62,6 +111,7 @@ default_policies = [
                        '!',
                        description='Show or mask secrets within instance information in API responses'),  # noqa
     # Roles likely to be overridden by operator
+    # TODO(TheJulia): Lets nuke demo from high orbit.
     policy.RuleDefault('is_member',
                        '(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)',  # noqa
                        description='May be used to restrict access to specific projects'),  # noqa
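Review bot: The project-scoped check strings (PROJECT_ADMIN, PROJECT_MEMBER, PROJECT_READER and the two composites built from them) only mean anything when the enforcement target carries `node.owner` and `node.lessee`, and none of the comments say so; whoever later wires them into a rule for an API with no node in the target (node creation, node listing) needs that caveat. As far as I recall, oslo.policy's generic check returns False when the substituted key is absent from the target, so such a rule fails closed rather than raising, but that is worth confirming before relying on it. I'd add above PROJECT_ADMIN: `# NOTE: the project_id checks below substitute node.owner/node.lessee from the enforcement target; a rule built on them must be enforced with a node in the target or it evaluates to False.` PROJECT_ADMIN also deliberately omits the lessee that PROJECT_MEMBER and PROJECT_READER grant, presumably so a lessee cannot take owner-level actions, and that asymmetry deserves a one-line comment next to it. The prose examples (volumes, backups, default volume type) are Cinder's rather than Ironic's, and `it's existence it useful` / `These uses` should read `its existence is useful` / `These users`.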