Introduce base personas for secure RBAC
This commit adds some really basic check strings that we can re-use in the existing policies. These checks strings implement a few of the most common and useful personas. We're also trying to implement them across OpenStack consistently, which will improve user experience and security. Change-Id: Ib46402414e8ed9b63f024313500aef85f0c47a41
This commit is contained in:
Lance Bragstad
parent
a10927c6be
commit
2a8aaf43ad
@ -19,6 +19,53 @@ RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
|
||||
RULE_ADMIN_API = 'rule:admin_api'
|
||||
RULE_DEFAULT = 'rule:default'
|
||||
|
||||
# Generic policy check string for system administrators. These are the people
|
||||
# who need the highest level of authorization to operate the deployment.
|
||||
# They're allowed to create, read, update, or delete any system-specific
|
||||
# resource. They can also operate on project-specific resources where
|
||||
# applicable (e.g., cleaning up shares or snapshots).
|
||||
SYSTEM_ADMIN = 'role:admin and system_scope:all'
|
||||
|
||||
# Generic policy check string for system users who don't require all the
|
||||
# authorization that system administrators typically have. This persona, or
|
||||
# check string, typically isn't used by default, but it's existence it useful
|
||||
# in the event a deployment wants to offload some administrative action from
|
||||
# system administrator to system members.
|
||||
SYSTEM_MEMBER = 'role:member and system_scope:all'
|
||||
|
||||
# Generic policy check string for read-only access to system-level resources.
|
||||
# This persona is useful for someone who needs access for auditing or even
|
||||
# support. These uses are also able to view project-specific resources where
|
||||
# applicable (e.g., listing all shares in the deployment, regardless of the
|
||||
# project they belong to).
|
||||
SYSTEM_READER = 'role:reader and system_scope:all'
|
||||
|
||||
# This check string is reserved for actions that require the highest level of
|
||||
# authorization on a project or resources within the project (e.g., resyncing a
|
||||
# share replica).
|
||||
PROJECT_ADMIN = 'role:admin and project_id:%(project_id)s'
|
||||
|
||||
# This check string is the primary use case for typical end-users, who are
|
||||
# working with resources that belong to a project (e.g., managing shares or
|
||||
# share replicas).
|
||||
PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
|
||||
|
||||
# This check string should only be used to protect read-only project-specific
|
||||
# resources. It should not be used to protect APIs that make writable changes
|
||||
# (e.g., updating a share or snapshot).
|
||||
PROJECT_READER = 'role:reader and project_id:%(project_id)s'
|
||||
|
||||
# The following are common composite check strings that are useful for
|
||||
# protecting APIs designed to operate with multiple scopes (e.g., a system
|
||||
# administrator should be able to delete any share in the deployment, a
|
||||
# project member should only be able to delete shares in their project).
|
||||
SYSTEM_ADMIN_OR_PROJECT_MEMBER = (
|
||||
'(' + SYSTEM_ADMIN + ') or (' + PROJECT_MEMBER + ')'
|
||||
)
|
||||
SYSTEM_OR_PROJECT_READER = (
|
||||
'(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')'
|
||||
)
|
||||
|
||||
rules = [
|
||||
policy.RuleDefault(name='context_is_admin', check_str='role:admin'),
|
||||
policy.RuleDefault(
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user