From 755a1503187a29f9b4f6ecbf369acb781c3e95e7 Mon Sep 17 00:00:00 2001 From: Goutham Pacha Ravi Date: Wed, 7 Sep 2022 22:29:18 -0700 Subject: [PATCH] [RBAC] Retain legacy admin behaviour The cross-project effort around establishing secure default RBAC policies has changed over the last release in response to operator feedback. The intended change to use system scope breaks established workflows and requires a large effort to transition deployments: - https://etherpad.opendev.org/p/BER-2022-OPS-SRBAC - https://etherpad.opendev.org/p/rbac-operator-feedback So for now, all services are going to revert to only supporting project scoped users by default. This allows the legacy admin behaviour to continue working as intended, and does not prevent operators from overriding these defaults and using system-scoped personas. https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html Signed-off-by: Goutham Pacha Ravi Change-Id: I5d3c1041738214ec8382edfd5494c10ff0be351a 
Signed-off-by: Goutham Pacha Ravi --- manila/policies/availability_zone.py | 8 +- manila/policies/base.py | 101 +++------- manila/policies/message.py | 14 +- manila/policies/quota_class_set.py | 10 +- manila/policies/quota_set.py | 44 ++--- manila/policies/scheduler_stats.py | 16 +- manila/policies/security_service.py | 40 ++-- manila/policies/service.py | 18 +- manila/policies/share_access.py | 10 +- manila/policies/share_access_metadata.py | 8 +- manila/policies/share_export_location.py | 8 +- manila/policies/share_group.py | 38 ++-- manila/policies/share_group_snapshot.py | 40 ++-- manila/policies/share_group_type.py | 38 ++-- manila/policies/share_group_types_spec.py | 20 +- manila/policies/share_instance.py | 18 +- .../share_instance_export_location.py | 11 +- manila/policies/share_network.py | 68 +++---- manila/policies/share_network_subnet.py | 18 +- manila/policies/share_replica.py | 38 ++-- .../policies/share_replica_export_location.py | 11 +- manila/policies/share_server.py | 60 +++--- manila/policies/share_snapshot.py | 58 +++--- .../share_snapshot_export_location.py | 10 +- manila/policies/share_snapshot_instance.py | 26 +-- ...share_snapshot_instance_export_location.py | 10 +- manila/policies/share_type.py | 42 ++-- manila/policies/share_types_extra_spec.py | 22 +-- manila/policies/shares.py | 185 +++++++++--------- ...bac-direction-change-2329bbf442b9a2da.yaml | 18 ++ 30 files changed, 454 insertions(+), 554 deletions(-) create mode 100644 releasenotes/notes/zed-secure-rbac-direction-change-2329bbf442b9a2da.yaml diff --git a/manila/policies/availability_zone.py b/manila/policies/availability_zone.py index 2b8fcbd336..a2e076ab5e 100644 --- a/manila/policies/availability_zone.py +++ b/manila/policies/availability_zone.py 
@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'availability_zone:%s'
 DEPRECATED_REASON = """
-The availability zone API now supports system scope and default roles.
+The availability zone API now supports scope and default roles.
 """
 deprecated_get_availability_zone = policy.DeprecatedRule(
@@ -33,9 +33,9 @@ deprecated_get_availability_zone = policy.DeprecatedRule(
 availability_zone_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
- description=("Get all storage availability zones."),
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
+ description="Get all storage availability zones.",
 operations=[
 {
 'method': 'GET',
diff --git a/manila/policies/base.py b/manila/policies/base.py
index 18a3ec261b..564c89c976 100644
--- a/manila/policies/base.py
+++ b/manila/policies/base.py
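Review bot: The rewritten DEPRECATED_REASON, `The availability zone API now supports scope and default roles.`, drops the "system" qualifier without replacing it, so the deprecation warning operators see no longer says which scope the new defaults target. Since every rule in this file now carries `scope_types=['project']`, `The availability zone API now supports project scope and default roles.` states the actual change. The same wording is introduced in message.py, quota_class_set.py, quota_set.py, security_service.py, service.py, share_access.py, share_group.py, share_group_snapshot.py, share_group_type.py and share_instance.py in this patch.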
@@ -16,12 +16,39 @@ from oslo_log import versionutils from oslo_policy import policy + +# This check string is reserved for actions that require the highest level of +# authorization across projects to operate the deployment. They're allowed to +# create, read, update, or delete any system-wide resource such as +# share types, share group types, storage pools, etc. They can also operate on +# project-specific resources where applicable (e.g., cleaning up shares or +# snapshots). +ADMIN = 'rule:context_is_admin' + +# This check string is the primary use case for typical end-users, who are +# working with resources that belong within a project (e.g., managing shares or +# share replicas). These users don't require all the authorization that +# administrators typically have. +PROJECT_MEMBER = 'rule:project-member' + +# This check string should only be used to protect read-only project-specific +# resources. It should not be used to protect APIs that make writable changes +# (e.g., updating a share or snapshot). This persona is useful for someone who +# needs access for auditing or even support. +PROJECT_READER = 'rule:project-reader' + +ADMIN_OR_PROJECT_MEMBER = f'({ADMIN}) or ({PROJECT_MEMBER})' +ADMIN_OR_PROJECT_READER = f'({ADMIN}) or ({PROJECT_READER})' + +# Old, "unscoped", deprecated check strings to be removed. Do not use these +# in default RBAC any longer. These can be removed after "enforce_scope" +# defaults to True in oslo.policy RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner' RULE_ADMIN_API = 'rule:admin_api' RULE_DEFAULT = 'rule:default' deprecation_msg = ("The `context_is_admin` check is superseded by more " - "specific check strings that consume system and project " + "specific check strings that consume project " "scope attributes from keystone tokens.") DEPRECATED_CONTEXT_IS_ADMIN = policy.DeprecatedRule( name='context_is_admin', 
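Review bot: The updated `deprecation_msg` says `context_is_admin` is superseded by check strings that "consume project scope attributes from keystone tokens", but the `ADMIN` constant added in this hunk is `rule:context_is_admin` itself, and the rule's new check string later in this patch is a plain `role:admin` with no `project_id` attribute, so the message no longer describes what replaces the rule. Two things are worth stating in the comment above `ADMIN`: an unqualified `role:admin` matches a token holding the admin role in any project, which is the legacy admin behaviour the commit title promises but a choice operators should be able to read in the source, and because `context_is_admin` carries `deprecated_rule=DEPRECATED_CONTEXT_IS_ADMIN`, oslo.policy ORs the deprecated check string into the effective rule until `enforce_new_defaults` is enabled, so the effective `ADMIN` may be broader than `role:admin` depending on that deprecated check_str, which is outside this hunk. Something like `# Resolves to 'context_is_admin' below: 'role:admin' in any project (legacy admin); the deprecated rule is ORed in until enforce_new_defaults=True.` would capture both.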
@@ -30,76 +57,8 @@ DEPRECATED_CONTEXT_IS_ADMIN = policy.DeprecatedRule( deprecated_since=versionutils.deprecated.WALLABY ) -# Generic policy check string for system administrators. These are the people -# who need the highest level of authorization to operate the deployment. -# They're allowed to create, read, update, or delete any system-specific -# resource. They can also operate on project-specific resources where -# applicable (e.g., cleaning up shares or snapshots). -SYSTEM_ADMIN = 'rule:system-admin' - -# Generic policy check string for system users who don't require all the -# authorization that system administrators typically have. This persona, or -# check string, typically isn't used by default, but it's existence it useful -# in the event a deployment wants to offload some administrative action from -# system administrator to system members. -SYSTEM_MEMBER = 'rule:system-member' - -# Generic policy check string for read-only access to system-level resources. -# This persona is useful for someone who needs access for auditing or even -# support. These uses are also able to view project-specific resources where -# applicable (e.g., listing all shares in the deployment, regardless of the -# project they belong to). -SYSTEM_READER = 'rule:system-reader' - -# This check string is reserved for actions that require the highest level of -# authorization on a project or resources within the project (e.g., resyncing a -# share replica). -PROJECT_ADMIN = 'rule:project-admin' - -# This check string is the primary use case for typical end-users, who are -# working with resources that belong to a project (e.g., managing shares or -# share replicas). -PROJECT_MEMBER = 'rule:project-member' - -# This check string should only be used to protect read-only project-specific -# resources. It should not be used to protect APIs that make writable changes -# (e.g., updating a share or snapshot). 
-PROJECT_READER = 'rule:project-reader' - -# The following are common composite check strings that are useful for -# protecting APIs designed to operate with multiple scopes (e.g., a system -# administrator should be able to delete any share in the deployment, a -# project member should only be able to delete shares in their project). -SYSTEM_ADMIN_OR_PROJECT_ADMIN = ( - '(' + SYSTEM_ADMIN + ') or (' + PROJECT_ADMIN + ')' -) -SYSTEM_ADMIN_OR_PROJECT_MEMBER = ( - '(' + SYSTEM_ADMIN + ') or (' + PROJECT_MEMBER + ')' -) -SYSTEM_OR_PROJECT_READER = ( - '(' + SYSTEM_READER + ') or (' + PROJECT_READER + ')' -) - rules = [ # ***Default OpenStack scoped personas*** # - policy.RuleDefault( - name='system-admin', - check_str='role:admin and ' - 'system_scope:all', - description='System scoped Administrator', - scope_types=['system']), - policy.RuleDefault( - name='system-member', - check_str='role:member and ' - 'system_scope:all', - description='System scoped Member', - scope_types=['system']), - policy.RuleDefault( - name='system-reader', - check_str='role:reader and ' - 'system_scope:all', - description='System scoped Reader', - scope_types=['system']), policy.RuleDefault( name='project-admin', check_str='role:admin and ' @@ -122,10 +81,10 @@ rules = [ # ***Special personas for Manila*** # policy.RuleDefault( name='context_is_admin', - check_str='rule:system-admin', + check_str='role:admin', description='Privileged users checked via "context.is_admin"', deprecated_rule=DEPRECATED_CONTEXT_IS_ADMIN, - scope_types=['system']), + scope_types=['project']), # ***Legacy/deprecated unscoped rules*** # # can be removed after "enforce_scope" defaults to True in oslo.policy diff --git a/manila/policies/message.py b/manila/policies/message.py index 3db1c03faf..00ad460b20 100644 --- a/manila/policies/message.py +++ b/manila/policies/message.py 
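Review bot: The `project-admin` RuleDefault survives this hunk while the `PROJECT_ADMIN` constant that referenced it is deleted, so after this patch nothing in base.py names the rule and a reader cannot tell whether it is kept on purpose (for operators who override a rule to `rule:project-admin` in policy.yaml) or was simply missed. A one-line comment above it, `# Not used by any default check string; kept so operator overrides can reference rule:project-admin.`, or removing it alongside the constant, would settle that. The `project-admin` definition runs past the end of this hunk.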
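Review bot: `context_is_admin` becomes `role:admin` with `scope_types=['project']`, which once `enforce_scope=True` rejects a system-scoped admin token for every rule built on `ADMIN`; as far as I recall scope_types is fixed in the registered default and cannot be widened from policy.yaml, so the commit message's promise that operators can still use system-scoped personas holds for check_str overrides only, not for scope enforcement. With `enforce_scope=False` the mismatch is only logged, which is presumably why it goes unnoticed. That limitation belongs in the release note this patch adds (not in this chunk), and a short comment on the rule, `# scope_types is not operator-overridable; system-scoped tokens fail this rule once enforce_scope=True`, would make it visible in code.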
@@ -19,7 +19,7 @@ from manila.policies import base BASE_POLICY_NAME = 'message:%s' DEPRECATED_REASON = """ -The messages API now supports system scope and default roles. +The messages API now supports scope and default roles. """ deprecated_message_get = policy.DeprecatedRule( @@ -45,8 +45,8 @@ deprecated_message_delete = policy.DeprecatedRule( message_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get details of a given message.", operations=[ { @@ -58,8 +58,8 @@ message_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get_all', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get all messages.", operations=[ { @@ -75,8 +75,8 @@ message_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Delete a message.", operations=[ { diff --git a/manila/policies/quota_class_set.py b/manila/policies/quota_class_set.py index 651e792268..380aa521d3 100644 --- a/manila/policies/quota_class_set.py +++ b/manila/policies/quota_class_set.py @@ -19,7 +19,7 @@ from manila.policies import base BASE_POLICY_NAME = 'quota_class_set:%s' DEPRECATED_REASON = """ -The quota class API now supports system scope and default roles. +The quota class API now supports scope and default roles. """ deprecated_quota_class_update = policy.DeprecatedRule( 
@@ -39,8 +39,8 @@ deprecated_quota_class_show = policy.DeprecatedRule( quota_class_set_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Update quota class.", operations=[ { @@ -56,8 +56,8 @@ quota_class_set_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'show', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get quota class.", operations=[ { diff --git a/manila/policies/quota_set.py b/manila/policies/quota_set.py index d6fdfd1bb8..3c1b1e0657 100644 --- a/manila/policies/quota_set.py +++ b/manila/policies/quota_set.py @@ -19,7 +19,7 @@ from manila.policies import base BASE_POLICY_NAME = 'quota_set:%s' DEPRECATED_REASON = """ -The quota API now supports system scope and default roles. +The quota API now supports scope and default roles. """ deprecated_quota_update = policy.DeprecatedRule( 
@@ -45,78 +45,78 @@ deprecated_quota_delete = policy.DeprecatedRule( quota_set_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description=("Update the quotas for a project/user and/or share " "type."), operations=[ { 'method': 'PUT', - 'path': '/quota-sets/{tenant_id}' + 'path': '/quota-sets/{project_id}' }, { 'method': 'PUT', - 'path': '/quota-sets/{tenant_id}?user_id={user_id}' + 'path': '/quota-sets/{project_id}?user_id={user_id}' }, { 'method': 'PUT', - 'path': '/quota-sets/{tenant_id}?share_type={share_type_id}' + 'path': '/quota-sets/{project_id}?share_type={share_type_id}' }, { 'method': 'PUT', - 'path': '/os-quota-sets/{tenant_id}' + 'path': '/os-quota-sets/{project_id}' }, { 'method': 'PUT', - 'path': '/os-quota-sets/{tenant_id}?user_id={user_id}' + 'path': '/os-quota-sets/{project_id}?user_id={user_id}' }, ], deprecated_rule=deprecated_quota_update ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'show', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], - description="List the quotas for a tenant/user.", + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], + description="List the quotas for a project/user.", operations=[ { 'method': 'GET', - 'path': '/quota-sets/{tenant_id}/defaults' + 'path': '/quota-sets/{project_id}/defaults' }, { 'method': 'GET', - 'path': '/os-quota-sets/{tenant_id}/defaults' + 'path': '/os-quota-sets/{project_id}/defaults' } ], deprecated_rule=deprecated_quota_show ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], - description=("Delete quota for a tenant/user or " - "tenant/share-type. The quota will revert back to " + check_str=base.ADMIN, + scope_types=['project'], + description=("Delete quota for a project/user or " + "project/share-type. 
The quota will revert back to " "default (Admin only)."), operations=[ { 'method': 'DELETE', - 'path': '/quota-sets/{tenant_id}' + 'path': '/quota-sets/{project_id}' }, { 'method': 'DELETE', - 'path': '/quota-sets/{tenant_id}?user_id={user_id}' + 'path': '/quota-sets/{project_id}?user_id={user_id}' }, { 'method': 'DELETE', - 'path': '/quota-sets/{tenant_id}?share_type={share_type_id}' + 'path': '/quota-sets/{project_id}?share_type={share_type_id}' }, { 'method': 'DELETE', - 'path': '/os-quota-sets/{tenant_id}' + 'path': '/os-quota-sets/{project_id}' }, { 'method': 'DELETE', - 'path': '/os-quota-sets/{tenant_id}?user_id={user_id}' + 'path': '/os-quota-sets/{project_id}?user_id={user_id}' }, ], deprecated_rule=deprecated_quota_delete diff --git a/manila/policies/scheduler_stats.py b/manila/policies/scheduler_stats.py index 93d17dcbaf..04f1a306d0 100644 --- a/manila/policies/scheduler_stats.py +++ b/manila/policies/scheduler_stats.py @@ -39,15 +39,11 @@ deprecated_pool_detail = policy.DeprecatedRule( scheduler_stats_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'index', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Get information regarding backends " "(and storage pools) known to the scheduler.", operations=[ - { - 'method': 'GET', - 'path': '/scheduler-stats/pools' - }, { 'method': 'GET', 'path': '/scheduler-stats/pools?{query}' @@ -57,8 +53,8 @@ scheduler_stats_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'detail', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Get detailed information regarding backends " "(and storage pools) known to the scheduler.", operations=[ 
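Review bot: The `delete` description keeps the `(Admin only)` suffix while `update`, which is guarded by the same `base.ADMIN` check string after this hunk, says nothing about it, so the generated policy reference describes two identically protected rules differently. Either drop the suffix, since `check_str` already documents who may call the rule, or add it to the update description as well, e.g. `"Update the quotas for a project/user and/or share type (Admin only)."`. The `{tenant_id}` to `{project_id}` rename touches only the `operations` documentation entries, not request routing, which is worth a word in the commit message given how much of the hunk it accounts for.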
@@ -66,10 +62,6 @@ scheduler_stats_policies = [ 'method': 'GET', 'path': '/scheduler-stats/pools/detail?{query}' }, - { - 'method': 'GET', - 'path': '/scheduler-stats/pools/detail' - } ], deprecated_rule=deprecated_pool_detail ), diff --git a/manila/policies/security_service.py b/manila/policies/security_service.py index 7b3311fbaa..fd70479021 100644 --- a/manila/policies/security_service.py +++ b/manila/policies/security_service.py @@ -19,7 +19,7 @@ from manila.policies import base BASE_POLICY_NAME = 'security_service:%s' DEPRECATED_REASON = """ -The security service API now supports system scope and default roles. +The security service API now supports scope and default roles. """ deprecated_security_service_create = policy.DeprecatedRule( @@ -69,8 +69,8 @@ deprecated_security_service_get_all = policy.DeprecatedRule( security_service_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'create', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Create security service.", operations=[ { @@ -82,8 +82,8 @@ security_service_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'show', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get details of a security service.", operations=[ { 
@@ -95,31 +95,23 @@ security_service_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'detail', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get details of all security services.", operations=[ { 'method': 'GET', 'path': '/security-services/detail?{query}' }, - { - 'method': 'GET', - 'path': '/security-services/detail' - } ], deprecated_rule=deprecated_security_service_detail ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'index', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], - description="Get all security services.", + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], + description="Get all security services under a project.", operations=[ - { - 'method': 'GET', - 'path': '/security-services' - }, { 'method': 'GET', 'path': '/security-services?{query}' @@ -129,8 +121,8 @@ security_service_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Update a security service.", operations=[ { @@ -142,8 +134,8 @@ security_service_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Delete a security service.", operations=[ { @@ -155,8 +147,8 @@ security_service_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get_all_security_services', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Get security services of all projects.", operations=[ { 
diff --git a/manila/policies/service.py b/manila/policies/service.py index cbd4c3fb05..f22772b13f 100644 --- a/manila/policies/service.py +++ b/manila/policies/service.py @@ -19,7 +19,7 @@ from manila.policies import base BASE_POLICY_NAME = 'service:%s' DEPRECATED_REASON = """ -The service API now supports system scope and default roles. +The service API now supports scope and default roles. """ deprecated_service_index = policy.DeprecatedRule( @@ -39,22 +39,14 @@ deprecated_service_update = policy.DeprecatedRule( service_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'index', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Return a list of all running services.", operations=[ - { - 'method': 'GET', - 'path': '/os-services', - }, { 'method': 'GET', 'path': '/os-services?{query}', }, - { - 'method': 'GET', - 'path': '/services', - }, { 'method': 'GET', 'path': '/services?{query}', @@ -64,8 +56,8 @@ service_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Enable/Disable scheduling for a service.", operations=[ { diff --git a/manila/policies/share_access.py b/manila/policies/share_access.py index 82921aaed7..2976f5cbd8 100644 --- a/manila/policies/share_access.py +++ b/manila/policies/share_access.py @@ -22,7 +22,7 @@ from manila.policies import base BASE_POLICY_NAME = 'share_access_rule:%s' DEPRECATED_REASON = """ -The share access rule API now supports system scope and default roles. +The share access rule API now supports scope and default roles. """ deprecated_access_rule_get = policy.DeprecatedRule( 
@@ -42,8 +42,8 @@ deprecated_access_rule_index = policy.DeprecatedRule( share_access_rule_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get details of a share access rule.", operations=[ { @@ -55,8 +55,8 @@ share_access_rule_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'index', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="List access rules of a given share.", operations=[ { diff --git a/manila/policies/share_access_metadata.py b/manila/policies/share_access_metadata.py index 593fa34672..f2803968da 100644 --- a/manila/policies/share_access_metadata.py +++ b/manila/policies/share_access_metadata.py @@ -42,8 +42,8 @@ deprecated_access_metadata_delete = policy.DeprecatedRule( share_access_rule_metadata_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Set metadata for a share access rule.", operations=[ { @@ -55,8 +55,8 @@ share_access_rule_metadata_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Delete metadata for a share access rule.", operations=[ { diff --git a/manila/policies/share_export_location.py b/manila/policies/share_export_location.py index ecbc33759c..498fa3097b 100644 --- a/manila/policies/share_export_location.py +++ b/manila/policies/share_export_location.py 
@@ -39,8 +39,8 @@ deprecated_export_location_show = policy.DeprecatedRule( share_export_location_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'index', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get all export locations of a given share.", operations=[ { @@ -52,8 +52,8 @@ share_export_location_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'show', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get details about the requested export location.", operations=[ { diff --git a/manila/policies/share_group.py b/manila/policies/share_group.py index f4f7d70445..004edbeb5a 100644 --- a/manila/policies/share_group.py +++ b/manila/policies/share_group.py @@ -19,7 +19,7 @@ from manila.policies import base BASE_POLICY_NAME = 'share_group:%s' DEPRECATED_REASON = """ -The share group API now supports system scope and default roles. +The share group API now supports scope and default roles. """ deprecated_share_group_create = policy.DeprecatedRule( @@ -69,8 +69,8 @@ deprecated_share_group_reset_status = policy.DeprecatedRule( share_group_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'create', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Create share group.", operations=[ { @@ -82,8 +82,8 @@ share_group_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get details of a share group.", operations=[ { 
@@ -95,18 +95,10 @@ share_group_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get_all', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get all share groups.", operations=[ - { - 'method': 'GET', - 'path': '/share-groups' - }, - { - 'method': 'GET', - 'path': '/share-groups/detail' - }, { 'method': 'GET', 'path': '/share-groups?{query}' @@ -120,8 +112,8 @@ share_group_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Update share group.", operations=[ { @@ -133,8 +125,8 @@ share_group_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Delete share group.", operations=[ { @@ -146,8 +138,8 @@ share_group_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'force_delete', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN, - scope_types=['system', 'project'], + check_str=base.ADMIN, + scope_types=['project'], description="Force delete a share group.", operations=[ { @@ -159,8 +151,8 @@ share_group_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'reset_status', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN, - scope_types=['system', 'project'], + check_str=base.ADMIN, + scope_types=['project'], description="Reset share group's status.", operations=[ { diff --git a/manila/policies/share_group_snapshot.py b/manila/policies/share_group_snapshot.py index 7f1e7b6734..2c3d80758a 100644 --- a/manila/policies/share_group_snapshot.py +++ b/manila/policies/share_group_snapshot.py 
@@ -19,7 +19,7 @@ from manila.policies import base BASE_POLICY_NAME = 'share_group_snapshot:%s' DEPRECATED_REASON = """ -The share group snapshots API now supports system scope and default roles. +The share group snapshots API now supports scope and default roles. """ deprecated_group_snapshot_create = policy.DeprecatedRule( @@ -69,8 +69,8 @@ deprecated_group_snapshot_reset_status = policy.DeprecatedRule( share_group_snapshot_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'create', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Create a new share group snapshot.", operations=[ { @@ -82,8 +82,8 @@ share_group_snapshot_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get details of a share group snapshot.", operations=[ { @@ -95,21 +95,13 @@ share_group_snapshot_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get_all', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get all share group snapshots.", operations=[ { 'method': 'GET', - 'path': '/share-group-snapshots' - }, - { - 'method': 'GET', - 'path': '/share-group-snapshots/detail' - }, - { - 'method': 'GET', - 'path': '/share-group-snapshots/{query}' + 'path': '/share-group-snapshots?{query}' }, { 'method': 'GET', @@ -120,8 +112,8 @@ share_group_snapshot_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Update a share group snapshot.", operations=[ { 
@@ -133,8 +125,8 @@ share_group_snapshot_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Delete a share group snapshot.", operations=[ { @@ -146,8 +138,8 @@ share_group_snapshot_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'force_delete', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN, - scope_types=['system', 'project'], + check_str=base.ADMIN, + scope_types=['project'], description="Force delete a share group snapshot.", operations=[ { @@ -160,8 +152,8 @@ share_group_snapshot_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'reset_status', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN, - scope_types=['system', 'project'], + check_str=base.ADMIN, + scope_types=['project'], description="Reset a share group snapshot's status.", operations=[ { diff --git a/manila/policies/share_group_type.py b/manila/policies/share_group_type.py index aa730e06de..a35ad1974e 100644 --- a/manila/policies/share_group_type.py +++ b/manila/policies/share_group_type.py @@ -19,7 +19,7 @@ from manila.policies import base BASE_POLICY_NAME = 'share_group_type:%s' DEPRECATED_REASON = """ -The share group type API now supports system scope and default roles. +The share group type API now supports scope and default roles. """ deprecated_share_group_type_create = policy.DeprecatedRule( @@ -75,8 +75,8 @@ deprecated_share_group_type_remove_project = policy.DeprecatedRule( share_group_type_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'create', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Create a new share group type.", operations=[ { 
@@ -88,14 +88,10 @@ share_group_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'index', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get the list of share group types.", operations=[ - { - 'method': 'GET', - 'path': '/share-group-types', - }, { 'method': 'GET', 'path': '/share-group-types?is_public=all', @@ -105,8 +101,8 @@ share_group_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'show', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get details regarding the specified share group type.", operations=[ { @@ -118,8 +114,8 @@ share_group_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'default', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get the default share group type.", operations=[ { @@ -131,8 +127,8 @@ share_group_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Delete an existing group type.", operations=[ { @@ -144,8 +140,8 @@ share_group_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'list_project_access', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Get project access by share group type.", operations=[ { 
@@ -157,8 +153,8 @@ share_group_type_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'add_project_access',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Allow project to use the share group type.",
 operations=[
 {
@@ -170,8 +166,8 @@ share_group_type_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'remove_project_access',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Deny project access to use the share group type.",
 operations=[
 {
diff --git a/manila/policies/share_group_types_spec.py b/manila/policies/share_group_types_spec.py
index f6b5693e55..c91313108a 100644
--- a/manila/policies/share_group_types_spec.py
+++ b/manila/policies/share_group_types_spec.py
@@ -57,8 +57,8 @@ deprecated_group_type_spec_delete = policy.DeprecatedRule(
 share_group_types_spec_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'create',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Create share group type specs.",
 operations=[
 {
@@ -70,8 +70,8 @@ share_group_types_spec_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Get share group type specs.",
 operations=[
 {
@@ -83,8 +83,8 @@ share_group_types_spec_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Get details of a share group type spec.",
 operations=[
 {
@@ -97,8 +97,8 @@ share_group_types_spec_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'update',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Update a share group type spec.",
 operations=[
 {
@@ -111,8 +111,8 @@ share_group_types_spec_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'delete',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Delete a share group type spec.",
 operations=[
 {
diff --git a/manila/policies/share_instance.py b/manila/policies/share_instance.py
index 1b18706a09..ebce715127 100644
--- a/manila/policies/share_instance.py
+++ b/manila/policies/share_instance.py
@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_instance:%s'
 DEPRECATED_REASON = """
-The share instances API now supports system scope and default roles.
+The share instances API now supports scope and default roles.
 """
 deprecated_share_instances_index = policy.DeprecatedRule(
@@ -51,8 +51,8 @@ deprecated_share_instance_reset_status = policy.DeprecatedRule(
 shares_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Get all share instances.",
 operations=[
 {
@@ -68,8 +68,8 @@ shares_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Get details of a share instance.",
 operations=[
 {
@@ -81,8 +81,8 @@ shares_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'force_delete',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Force delete a share instance.",
 operations=[
 {
@@ -94,8 +94,8 @@ shares_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'reset_status',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Reset share instance's status.",
 operations=[
 {
diff --git a/manila/policies/share_instance_export_location.py b/manila/policies/share_instance_export_location.py
index a72d74ee2d..166430e6ff 100644
--- a/manila/policies/share_instance_export_location.py
+++ b/manila/policies/share_instance_export_location.py
@@ -22,8 +22,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_instance_export_location:%s'
 DEPRECATED_REASON = """
-The share instance export location API now supports system scope and default
-roles.
+The share instance export location API now supports scope and default roles.
 """
 deprecated_instance_export_location_index = policy.DeprecatedRule(
@@ -43,8 +42,8 @@ deprecated_instance_export_location_show = policy.DeprecatedRule(
 share_export_location_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description='Return data about the requested export location.',
 operations=[
 {
@@ -57,8 +56,8 @@ share_export_location_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description='Return data about the requested export location.',
 operations=[
 {
diff --git a/manila/policies/share_network.py b/manila/policies/share_network.py
index 4985abe546..0c8a33487b 100644
--- a/manila/policies/share_network.py
+++ b/manila/policies/share_network.py
@@ -110,8 +110,8 @@ deprecated_share_network_subnet_create_check = policy.DeprecatedRule(
 share_network_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'create',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Create share network.",
 operations=[
 {
@@ -123,8 +123,8 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Get details of a share network.",
 operations=[
 {
@@ -136,14 +136,10 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
- description="Get all share networks.",
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
+ description="Get all share networks under a project.",
 operations=[
- {
- 'method': 'GET',
- 'path': '/share-networks'
- },
 {
 'method': 'GET',
 'path': '/share-networks?{query}'
@@ -153,25 +149,21 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'detail',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
- description="Get details of share networks .",
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
+ description="Get details of share networks under a project.",
 operations=[
 {
 'method': 'GET',
 'path': '/share-networks/detail?{query}'
 },
- {
- 'method': 'GET',
- 'path': '/share-networks/detail'
- },
 ],
 deprecated_rule=deprecated_share_network_detail
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'update',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Update a share network.",
 operations=[
 {
@@ -183,8 +175,8 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'delete',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Delete a share network.",
 operations=[
 {
@@ -196,8 +188,8 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'add_security_service',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Add security service to share network.",
 operations=[
 {
@@ -209,8 +201,8 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'add_security_service_check',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Check the feasibility of add security service to a share "
 "network.",
 operations=[
@@ -223,8 +215,8 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'remove_security_service',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Remove security service from share network.",
 operations=[
 {
@@ -236,8 +228,8 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'update_security_service',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Update security service from share network.",
 operations=[
 {
@@ -249,8 +241,8 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'update_security_service_check',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Check the feasibility of update a security service from "
 "share network.",
 operations=[
@@ -263,8 +255,8 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'reset_status',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Reset share network`s status.",
 operations=[
 {
@@ -276,8 +268,8 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'get_all_share_networks',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Get share networks belonging to all projects.",
 operations=[
 {
@@ -293,8 +285,8 @@ share_network_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'subnet_create_check',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Check the feasibility of create a new share network "
 "subnet for share network.",
 operations=[
diff --git a/manila/policies/share_network_subnet.py b/manila/policies/share_network_subnet.py
index dac51d7e97..df281ff9bc 100644
--- a/manila/policies/share_network_subnet.py
+++ b/manila/policies/share_network_subnet.py
@@ -21,7 +21,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_network_subnet:%s'
 DEPRECATED_REASON = """
-The share network subnet API now supports system scope and default roles.
+The share network subnet API now supports scope and default roles.
 """
 deprecated_subnet_create = policy.DeprecatedRule(
@@ -53,8 +53,8 @@ deprecated_subnet_index = policy.DeprecatedRule(
 share_network_subnet_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'create',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Create a new share network subnet.",
 operations=[
 {
@@ -66,8 +66,8 @@ share_network_subnet_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'delete',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Delete a share network subnet.",
 operations=[
 {
@@ -80,8 +80,8 @@ share_network_subnet_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Shows a share network subnet.",
 operations=[
 {
@@ -94,8 +94,8 @@ share_network_subnet_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Get all share network subnets.",
 operations=[
 {
diff --git a/manila/policies/share_replica.py b/manila/policies/share_replica.py
index 63b56a06b2..cf85faa3dc 100644
--- a/manila/policies/share_replica.py
+++ b/manila/policies/share_replica.py
@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_replica:%s'
 DEPRECATED_REASON = """
-The share replica API now supports system scope and default roles.
+The share replica API now supports scope and default roles.
 """
 deprecated_replica_create = policy.DeprecatedRule(
@@ -81,8 +81,8 @@ deprecated_replica_reset_status = policy.DeprecatedRule(
 share_replica_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'create',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Create share replica.",
 operations=[
 {
@@ -94,8 +94,8 @@ share_replica_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'get_all',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Get all share replicas.",
 operations=[
 {
@@ -115,8 +115,8 @@ share_replica_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Get details of a share replica.",
 operations=[
 {
@@ -128,8 +128,8 @@ share_replica_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'delete',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Delete a share replica.",
 operations=[
 {
@@ -141,8 +141,8 @@ share_replica_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'force_delete',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Force delete a share replica.",
 operations=[
 {
@@ -154,8 +154,8 @@ share_replica_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'promote',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Promote a non-active share replica to active.",
 operations=[
 {
@@ -167,8 +167,8 @@ share_replica_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'resync',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Resync a share replica that is out of sync.",
 operations=[
 {
@@ -180,8 +180,8 @@ share_replica_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'reset_replica_state',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Reset share replica's replica_state attribute.",
 operations=[
 {
@@ -193,8 +193,8 @@ share_replica_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'reset_status',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Reset share replica's status.",
 operations=[
 {
diff --git a/manila/policies/share_replica_export_location.py b/manila/policies/share_replica_export_location.py
index 0ec426e01f..1ff9c848e1 100644
--- a/manila/policies/share_replica_export_location.py
+++ b/manila/policies/share_replica_export_location.py
@@ -19,8 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_replica_export_location:%s'
 DEPRECATED_REASON = """
-The share replica export location API now supports system scope and default
-roles.
+The share replica export location API now supports scope and default roles.
 """
 deprecated_replica_location_index = policy.DeprecatedRule(
@@ -40,8 +39,8 @@ deprecated_replica_location_show = policy.DeprecatedRule(
 share_replica_export_location_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Get all export locations of a given share replica.",
 operations=[
 {
@@ -53,8 +52,8 @@ share_replica_export_location_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Get details about the requested share replica export "
 "location.",
 operations=[
diff --git a/manila/policies/share_server.py b/manila/policies/share_server.py
index 0a7cf3933f..42dbf39f7f 100644
--- a/manila/policies/share_server.py
+++ b/manila/policies/share_server.py
@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_server:%s'
 DEPRECATED_REASON = """
-The share server API now supports system scope and default roles.
+The share server API now supports scope and default roles.
 """
 deprecated_server_index = policy.DeprecatedRule(
@@ -105,14 +105,10 @@ deprecated_server_reset_task_state = policy.DeprecatedRule(
 share_server_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Get share servers.",
 operations=[
- {
- 'method': 'GET',
- 'path': '/share-servers',
- },
 {
 'method': 'GET',
 'path': '/share-servers?{query}',
@@ -122,8 +118,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Show share server.",
 operations=[
 {
@@ -135,8 +131,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'details',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Get share server details.",
 operations=[
 {
@@ -148,8 +144,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'delete',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Delete share server.",
 operations=[
 {
@@ -161,8 +157,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'manage_share_server',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Manage share server.",
 operations=[
 {
@@ -174,8 +170,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'unmanage_share_server',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Unmanage share server.",
 operations=[
 {
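Review bot: The read-only share server rules (`index`, `show`, `details`, and in the following hunks `share_server_migration_check` and `share_server_migration_get_progress`) move from `SYSTEM_READER` to `ADMIN`, so after this change no default persona short of the admin role can list or inspect share servers; a system-scoped reader who could previously do so now needs admin. That is consistent with the commit's stated intent, but it is a role tightening on GET operations rather than a pure scope revert, and it is worth stating explicitly in the release note if it is not already. The same reader-to-admin move appears in share_group_type and share_type `list_project_access`, share_group_types_spec and share_types_extra_spec `index`/`show`, share_instance and share_instance_export_location `index`/`show`, share_snapshot_instance and its export locations, and share_network `get_all_share_networks`.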
@@ -187,8 +183,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'reset_status',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Reset the status of a share server.",
 operations=[
 {
@@ -200,8 +196,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'share_server_migration_start',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Migrates a share server to the specified host.",
 operations=[
 {
@@ -213,8 +209,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'share_server_migration_check',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Check if can migrates a share server to the specified "
 "host.",
 operations=[
@@ -227,8 +223,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'share_server_migration_complete',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Invokes the 2nd phase of share server migration.",
 operations=[
 {
@@ -240,8 +236,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'share_server_migration_cancel',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Attempts to cancel share server migration.",
 operations=[
 {
@@ -253,8 +249,8 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'share_server_migration_get_progress',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description=("Retrieves the share server migration progress for a "
 "given share server."),
 operations=[
@@ -267,9 +263,9 @@ share_server_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'share_server_reset_task_state',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
- description=("Resets task state."),
+ check_str=base.ADMIN,
+ scope_types=['project'],
+ description="Resets task state.",
 operations=[
 {
 'method': 'POST',
diff --git a/manila/policies/share_snapshot.py b/manila/policies/share_snapshot.py
index 731781b33e..49633ad504 100644
--- a/manila/policies/share_snapshot.py
+++ b/manila/policies/share_snapshot.py
@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_snapshot:%s'
 DEPRECATED_REASON = """
-The share snapshot API now supports system scope and default roles.
+The share snapshot API now supports scope and default roles.
 """
 deprecated_snapshot_get = policy.DeprecatedRule(
@@ -99,8 +99,8 @@ deprecated_get_snapshot_metadata = policy.DeprecatedRule(
 share_snapshot_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'get_snapshot',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Get share snapshot.",
 operations=[
 {
@@ -112,18 +112,10 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'get_all_snapshots',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Get all share snapshots.",
 operations=[
- {
- 'method': 'GET',
- 'path': '/snapshots'
- },
- {
- 'method': 'GET',
- 'path': '/snapshots/detail'
- },
 {
 'method': 'GET',
 'path': '/snapshots?{query}'
@@ -137,8 +129,8 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'force_delete',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Force Delete a share snapshot.",
 operations=[
 {
@@ -150,8 +142,8 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'manage_snapshot',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Manage share snapshot.",
 operations=[
 {
@@ -163,8 +155,8 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'unmanage_snapshot',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Unmanage share snapshot.",
 operations=[
 {
@@ -176,8 +168,8 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'reset_status',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Reset status.",
 operations=[
 {
@@ -189,8 +181,8 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'access_list',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="List access rules of a share snapshot.",
 operations=[
 {
@@ -202,8 +194,8 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'allow_access',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Allow access to a share snapshot.",
 operations=[
 {
@@ -215,8 +207,8 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'deny_access',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Deny access to a share snapshot.",
 operations=[
 {
@@ -228,8 +220,8 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'update_metadata',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Update snapshot metadata.",
 operations=[
 {
@@ -249,8 +241,8 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'delete_metadata',
- check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_MEMBER,
+ scope_types=['project'],
 description="Delete snapshot metadata.",
 operations=[
 {
@@ -262,8 +254,8 @@ share_snapshot_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'get_metadata',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Get snapshot metadata.",
 operations=[
 {
diff --git a/manila/policies/share_snapshot_export_location.py b/manila/policies/share_snapshot_export_location.py
index ba8768ef88..c7b12a3952 100644
--- a/manila/policies/share_snapshot_export_location.py
+++ b/manila/policies/share_snapshot_export_location.py
@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_snapshot_export_location:%s'
 DEPRECATED_REASON = """
-The share snapshot location API now supports system scope and default roles.
+The share snapshot location API now supports scope and default roles.
 """
 deprecated_snapshot_location_index = policy.DeprecatedRule(
@@ -39,8 +39,8 @@ deprecated_snapshot_location_show = policy.DeprecatedRule(
 share_snapshot_export_location_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="List export locations of a share snapshot.",
 operations=[
 {
@@ -52,8 +52,8 @@ share_snapshot_export_location_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_OR_PROJECT_READER,
- scope_types=['system', 'project'],
+ check_str=base.ADMIN_OR_PROJECT_READER,
+ scope_types=['project'],
 description="Get details of a specified export location of a "
 "share snapshot.",
 operations=[
diff --git a/manila/policies/share_snapshot_instance.py b/manila/policies/share_snapshot_instance.py
index 26641fbad4..d20c1a0936 100644
--- a/manila/policies/share_snapshot_instance.py
+++ b/manila/policies/share_snapshot_instance.py
@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_snapshot_instance:%s'
 DEPRECATED_REASON = """
-The share snapshot instance API now supports system scope and default roles.
+The share snapshot instance API now supports scope and default roles.
 """
 deprecated_snapshot_instance_show = policy.DeprecatedRule(
@@ -51,8 +51,8 @@ deprecated_snapshot_instance_reset_status = policy.DeprecatedRule(
 share_snapshot_instance_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Get share snapshot instance.",
 operations=[
 {
@@ -64,14 +64,10 @@ share_snapshot_instance_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Get all share snapshot instances.",
 operations=[
- {
- 'method': 'GET',
- 'path': '/snapshot-instances',
- },
 {
 'method': 'GET',
 'path': '/snapshot-instances?{query}',
@@ -81,14 +77,10 @@ share_snapshot_instance_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'detail',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Get details of share snapshot instances.",
 operations=[
- {
- 'method': 'GET',
- 'path': '/snapshot-instances/detail',
- },
 {
 'method': 'GET',
 'path': '/snapshot-instances/detail?{query}',
@@ -98,8 +90,8 @@ share_snapshot_instance_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'reset_status',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Reset share snapshot instance's status.",
 operations=[
 {
diff --git a/manila/policies/share_snapshot_instance_export_location.py b/manila/policies/share_snapshot_instance_export_location.py
index 5968940696..c66a850542 100644
--- a/manila/policies/share_snapshot_instance_export_location.py
+++ b/manila/policies/share_snapshot_instance_export_location.py
@@ -19,7 +19,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_snapshot_instance_export_location:%s'
 DEPRECATED_REASON = """
-The share snapshot instance export location API now supports system scope and
+The share snapshot instance export location API now supports scope and
 default roles.
 """
@@ -40,8 +40,8 @@ deprecated_snapshot_instance_show = policy.DeprecatedRule(
 share_snapshot_instance_export_location_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'index',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="List export locations of a share snapshot instance.",
 operations=[
 {
@@ -54,8 +54,8 @@ share_snapshot_instance_export_location_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'show',
- check_str=base.SYSTEM_READER,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description="Show details of a specified export location of a share "
 "snapshot instance.",
 operations=[
diff --git a/manila/policies/share_type.py b/manila/policies/share_type.py
index 964a5a8c07..df8f50f9dd 100644
--- a/manila/policies/share_type.py
+++ b/manila/policies/share_type.py
@@ -22,7 +22,7 @@ from manila.policies import base
 BASE_POLICY_NAME = 'share_type:%s'
 DEPRECATED_REASON = """
-The share type API now supports system scope and default roles.
+The share type API now supports scope and default roles.
 """
 deprecated_share_type_create = policy.DeprecatedRule(
@@ -84,8 +84,8 @@ deprecated_share_type_remove_project_access = policy.DeprecatedRule(
 share_type_policies = [
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'create',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description='Create share type.',
 operations=[
 {
@@ -97,8 +97,8 @@ share_type_policies = [
 ),
 policy.DocumentedRuleDefault(
 name=BASE_POLICY_NAME % 'update',
- check_str=base.SYSTEM_ADMIN,
- scope_types=['system'],
+ check_str=base.ADMIN,
+ scope_types=['project'],
 description='Update share type.',
 operations=[
 {
@@ -110,8 +110,8 @@ share_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'show', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description='Get share type.', operations=[ { @@ -123,14 +123,10 @@ share_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'index', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description='List share types.', operations=[ - { - 'method': 'GET', - 'path': '/types', - }, { 'method': 'GET', 'path': '/types?is_public=all', @@ -140,8 +136,8 @@ share_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'default', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description='Get default share type.', operations=[ { @@ -153,8 +149,8 @@ share_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description='Delete share type.', operations=[ { @@ -166,8 +162,8 @@ share_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'list_project_access', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description='List share type project access.', operations=[ { @@ -179,8 +175,8 @@ share_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'add_project_access', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description='Add share type to project.', operations=[ { 
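Review bot: The `share_type:index` operations list now documents only `GET /types?is_public=all`; the unfiltered `GET /types` entry was removed, whereas the parallel `share:get_all` change in this same patch kept a generic `/shares?{query}` entry. As far as this hunk shows, the plain listing is still authorised by this rule, so the generated policy documentation would no longer tell operators which rule governs `GET /types`. Keep a generic entry alongside the `is_public=all` one, e.g. `{'method': 'GET', 'path': '/types?{query}'},` or restore `{'method': 'GET', 'path': '/types'},`. The enclosing `share_type_policies` list starts before and ends after the hunk.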
@@ -192,8 +188,8 @@ share_type_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'remove_project_access', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description='Remove share type from project.', operations=[ { diff --git a/manila/policies/share_types_extra_spec.py b/manila/policies/share_types_extra_spec.py index e55cf7e8f9..5964cc5ff1 100644 --- a/manila/policies/share_types_extra_spec.py +++ b/manila/policies/share_types_extra_spec.py @@ -19,7 +19,7 @@ from manila.policies import base BASE_POLICY_NAME = 'share_types_extra_spec:%s' DEPRECATED_REASON = """ -The share types extra specs API now supports system scope and default roles. +The share types extra specs API now supports scope and default roles. """ deprecated_extra_spec_create = policy.DeprecatedRule( @@ -57,8 +57,8 @@ deprecated_extra_spec_delete = policy.DeprecatedRule( share_types_extra_spec_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'create', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Create share type extra spec.", operations=[ { @@ -70,8 +70,8 @@ share_types_extra_spec_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'show', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Get share type extra specs of a given share type.", operations=[ { @@ -83,8 +83,8 @@ share_types_extra_spec_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'index', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Get details of a share type extra spec.", operations=[ { 
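Review bot: In `share_types_extra_spec`, the `show` rule is described as `"Get share type extra specs of a given share type."` and the `index` rule as `"Get details of a share type extra spec."`; the plural and singular appear swapped relative to the rule names, since listing is normally `index` and a single item is `show`. These are context lines the commit does not touch, but the patch rewrites descriptions in other policy modules (shares.py), so swapping the two strings here would be consistent with that clean-up. Only the rule names are visible in this chunk, so confirm against the extra-specs API controller before changing them. The `share_types_extra_spec_policies` list continues outside the hunk.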
@@ -96,8 +96,8 @@ share_types_extra_spec_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Update share type extra spec.", operations=[ { @@ -109,8 +109,8 @@ share_types_extra_spec_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Delete share type extra spec.", operations=[ { diff --git a/manila/policies/shares.py b/manila/policies/shares.py index d7d1e9d4cf..f9ad324c86 100644 --- a/manila/policies/shares.py +++ b/manila/policies/shares.py @@ -19,7 +19,7 @@ from manila.policies import base BASE_POLICY_NAME = 'share:%s' DEPRECATED_REASON = """ -The share API now supports system scope and default roles. +The share API now supports scope and default roles. """ # Deprecated share policies @@ -222,8 +222,8 @@ deprecated_update_admin_only_metadata = policy.DeprecatedRule( shares_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'create', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Create share.", operations=[ { @@ -235,8 +235,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'create_public_share', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Create shares visible across all projects in the cloud.", operations=[ { @@ -248,8 +248,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get share.", operations=[ { 
@@ -261,52 +261,52 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get_all', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="List shares.", operations=[ { 'method': 'GET', - 'path': '/shares', + 'path': '/shares?{query}', }, { 'method': 'GET', - 'path': '/shares/detail', + 'path': '/shares/detail?{query}', } ], deprecated_rule=deprecated_share_get_all ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], - description="Update share.", + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description="Update a share.", operations=[ { 'method': 'PUT', - 'path': '/shares', + 'path': '/shares/{share_id}', } ], deprecated_rule=deprecated_share_update ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'set_public_share', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], - description="Update shares to be visible across all projects in the " + check_str=base.ADMIN, + scope_types=['project'], + description="Update a share to be visible across all projects in the " "cloud.", operations=[ { 'method': 'PUT', - 'path': '/shares', + 'path': '/shares/{share_id}', } ], deprecated_rule=deprecated_share_set_public ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Delete share.", operations=[ { @@ -318,8 +318,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'soft_delete', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Soft Delete a share.", operations=[ { 
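Review bot: `share:update` and `share:set_public_share` now both document the identical operation `PUT /shares/{share_id}` with different check strings (`base.ADMIN_OR_PROJECT_MEMBER` vs `base.ADMIN`), and nothing in either entry tells a reader of the generated policy docs that the second is an additional check rather than an alternative rule for the same request. The request condition that triggers it lives in the API layer outside this diff, so keep the wording generic, e.g. `description="Update a share to be visible across all projects in the cloud (additional check when the request changes is_public).",`. The `shares_policies` list starts before and ends after this hunk.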
@@ -330,8 +330,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'restore', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Restore a share.", operations=[ { @@ -342,8 +342,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'force_delete', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN, - scope_types=['system', 'project'], + check_str=base.ADMIN, + scope_types=['project'], description="Force Delete a share.", operations=[ { @@ -355,8 +355,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'manage', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Manage share.", operations=[ { @@ -368,8 +368,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'unmanage', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Unmanage share.", operations=[ { 
@@ -381,43 +381,43 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'list_by_host', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="List share by host.", operations=[ { 'method': 'GET', - 'path': '/shares', + 'path': '/shares?host={host}', }, { 'method': 'GET', - 'path': '/shares/detail', + 'path': '/shares/detail?host={host}', } ], deprecated_rule=deprecated_share_list_by_host ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'list_by_share_server_id', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="List share by server id.", operations=[ { 'method': 'GET', - 'path': '/shares' + 'path': '/shares?share_server_id={share_server_id}' }, { 'method': 'GET', - 'path': '/shares/detail', + 'path': '/shares/detail?share_server_id={share_server_id}', } ], deprecated_rule=deprecated_share_list_by_server_id ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'access_get', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], - description="Get share access rule, it under deny access operation.", + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], + description="Get share access rule (deprecated in API version 2.45).", operations=[ { 'method': 'POST', @@ -428,9 +428,10 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'access_get_all', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], - description="List share access rules.", + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], + description=("List share access rules (deprecated in API " + "version 2.45)."), operations=[ { 'method': 'GET', 
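Review bot: The new `list_by_share_server_id` operations entry `'path': '/shares?share_server_id={share_server_id}'` has no trailing comma, unlike every sibling dict entry in this hunk (`'path': '/shares?host={host}',`); add it so the entry matches the file's style and later additions diff cleanly. Separately, `list_by_host` and `list_by_share_server_id` move from `SYSTEM_READER` to `base.ADMIN`, which is appropriate for filters that expose backend host and share-server identifiers, but it also removes the read-only persona these two listing filters previously had, so the choice should be deliberate rather than mechanical. The `shares_policies` list continues outside this hunk.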
@@ -441,8 +442,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'extend', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Extend share.", operations=[ { @@ -454,8 +455,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'force_extend', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN, - scope_types=['system', 'project'], + check_str=base.ADMIN, + scope_types=['project'], description="Force extend share.", operations=[ { @@ -465,8 +466,8 @@ shares_policies = [ ]), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'shrink', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Shrink share.", operations=[ { @@ -478,8 +479,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'migration_start', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description="Migrate a share to the specified host.", operations=[ { @@ -491,9 +492,9 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'migration_complete', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], - description="Invokes 2nd phase of share migration.", + check_str=base.ADMIN, + scope_types=['project'], + description="Invoke 2nd phase of share migration.", operations=[ { 'method': 'POST', @@ -504,9 +505,9 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'migration_cancel', - check_str=base.SYSTEM_ADMIN, - scope_types=['system'], - description="Attempts to cancel share migration.", + check_str=base.ADMIN, + scope_types=['project'], + description="Attempt to cancel share migration.", operations=[ { 'method': 'POST', 
@@ -517,8 +518,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'migration_get_progress', - check_str=base.SYSTEM_READER, - scope_types=['system'], + check_str=base.ADMIN, + scope_types=['project'], description=("Retrieve share migration progress for a given " "share."), operations=[ @@ -531,9 +532,9 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'reset_task_state', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN, - scope_types=['system', 'project'], - description=("Reset task state."), + check_str=base.ADMIN, + scope_types=['project'], + description="Reset task state.", operations=[ { 'method': 'POST', @@ -544,9 +545,9 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'reset_status', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN, - scope_types=['system', 'project'], - description=("Reset status."), + check_str=base.ADMIN, + scope_types=['project'], + description="Reset status.", operations=[ { 'method': 'POST', @@ -557,9 +558,9 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'revert_to_snapshot', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], - description=("Revert a share to a snapshot."), + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description="Revert a share to a snapshot.", operations=[ { 'method': 'POST', @@ -570,9 +571,9 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'allow_access', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], - description=("Add share access rule."), + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description="Add share access rule.", operations=[ { 'method': 'POST', 
@@ -583,9 +584,9 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'deny_access', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], - description=("Remove share access rule."), + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description="Remove share access rule.", operations=[ { 'method': 'POST', @@ -596,8 +597,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update_share_metadata', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Update share metadata.", operations=[ { @@ -617,8 +618,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete_share_metadata', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Delete share metadata.", operations=[ { @@ -630,8 +631,8 @@ shares_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'get_share_metadata', - check_str=base.SYSTEM_OR_PROJECT_READER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_READER, + scope_types=['project'], description="Get share metadata.", operations=[ { @@ -653,8 +654,8 @@ shares_policies = [ base_snapshot_policies = [ policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'create_snapshot', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], description="Create share snapshot.", operations=[ { 
@@ -666,9 +667,9 @@ base_snapshot_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'delete_snapshot', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], - description=("Delete share snapshot."), + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description="Delete share snapshot.", operations=[ { 'method': 'DELETE', @@ -679,9 +680,9 @@ base_snapshot_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'snapshot_update', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_MEMBER, - scope_types=['system', 'project'], - description=("Update share snapshot."), + check_str=base.ADMIN_OR_PROJECT_MEMBER, + scope_types=['project'], + description="Update share snapshot.", operations=[ { 'method': 'PUT', @@ -692,8 +693,8 @@ base_snapshot_policies = [ ), policy.DocumentedRuleDefault( name=BASE_POLICY_NAME % 'update_admin_only_metadata', - check_str=base.SYSTEM_ADMIN_OR_PROJECT_ADMIN, - scope_types=['system', 'project'], + check_str=base.ADMIN, + scope_types=['project'], description=( "Update metadata items that are considered \"admin only\" " "by the service."), diff --git a/releasenotes/notes/zed-secure-rbac-direction-change-2329bbf442b9a2da.yaml b/releasenotes/notes/zed-secure-rbac-direction-change-2329bbf442b9a2da.yaml new file mode 100644 index 0000000000..a7d08ff587 --- /dev/null +++ b/releasenotes/notes/zed-secure-rbac-direction-change-2329bbf442b9a2da.yaml 
@@ -0,0 +1,18 @@ +--- +prelude: > + RBAC defaults of all Shared File System service (manila) APIs have been + updated to remove "system" scope personas. This is being done in concert + with other OpenStack services, and in reaction to operator feedback that + the use of system "scope" introduces backwards incompatibility in existing + workflows. The new defaults support the use of "scope", however, no RBAC + rule by default includes "system" scope. At this time, we do not recommend + the use of system scoped personas to interact with the Shared File + Systems service (manila) APIs since it is largely un-tested. "reader" + role from the OpenStack Identity service (keystone) is fully supported + with this release. Currently, these new "defaults" are available as + "opt-in" only to prevent breaking existing deployments. To enforce default + RBAC rules, set ``[oslo_policy]/enforce_new_defaults`` to True in your + deployment. This option will be set to True by default in a future + release. See `the OpenStack TC Secure RBAC goal `_ for more + information regarding these changes.