From a017d238bc69a35a8a5f7d260222a58d1bdfef3c Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 19 Nov 2020 20:15:29 +0000
Subject: [PATCH] Implement secure RBAC for share snapshot locations

This commit updates the policies for share snapshot locations to understand scope checking and account for a read-only role. This is part of a broader series of changes across OpenStack to provide a consistent RBAC experience and improve security.

Change-Id: I6a7daaae66d103cf1435be275555777b51a251ab
---
 .../share_snapshot_export_location.py | 32 ++++++++++++++++---
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/manila/policies/share_snapshot_export_location.py b/manila/policies/share_snapshot_export_location.py
index dea0610e9d..b830058575 100644
--- a/manila/policies/share_snapshot_export_location.py
+++ b/manila/policies/share_snapshot_export_location.py
@@ -10,6 +10,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from manila.policies import base
@@ -17,21 +18,40 @@ from manila.policies import base
 
 BASE_POLICY_NAME = 'share_snapshot_export_location:%s'
 
+DEPRECATED_REASON = """
+The share snapshot location API now supports system scope and default roles.
+"""
+
+deprecated_snapshot_location_index = policy.DeprecatedRule(
+    name=BASE_POLICY_NAME % 'index',
+    check_str=base.RULE_DEFAULT
+)
+deprecated_snapshot_location_show = policy.DeprecatedRule(
+    name=BASE_POLICY_NAME % 'show',
+    check_str=base.RULE_DEFAULT
+)
+
 
 share_snapshot_export_location_policies = [
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'index',
-        check_str=base.RULE_DEFAULT,
+        check_str=base.SYSTEM_OR_PROJECT_READER,
+        scope_types=['system', 'project'],
         description="List export locations of a share snapshot.",
         operations=[
             {
                 'method': 'GET',
                 'path': '/snapshots/{snapshot_id}/export-locations/',
             }
-        ]),
+        ],
+        deprecated_rule=deprecated_snapshot_location_index,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
     policy.DocumentedRuleDefault(
         name=BASE_POLICY_NAME % 'show',
-        check_str=base.RULE_DEFAULT,
+        check_str=base.SYSTEM_OR_PROJECT_READER,
+        scope_types=['system', 'project'],
         description="Get details of a specified export location of a "
                     "share snapshot.",
         operations=[
@@ -40,7 +60,11 @@ share_snapshot_export_location_policies = [
                 'path': ('/snapshots/{snapshot_id}/'
                          'export-locations/{export_location_id}'),
             }
-        ]),
+        ],
+        deprecated_rule=deprecated_snapshot_location_show,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since=versionutils.deprecated.WALLABY
+    ),
 ]
 
 
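Review bot: The tightened `check_str=base.SYSTEM_OR_PROJECT_READER` on the index rule does not restrict access on its own, because the same rule now carries `deprecated_rule=deprecated_snapshot_location_index`, whose check_str is still `base.RULE_DEFAULT`; as oslo.policy documents, a rule with a deprecated_rule is evaluated as the new check OR the old one until the deprecation is removed or the operator sets `enforce_new_defaults`, and `scope_types` is likewise only applied once `enforce_scope` is on. Nothing in the hunk records that, and it is exactly what an operator reading this module will want before concluding that reader-only, scoped access is what gets enforced. I would add above `DEPRECATED_REASON`: `# NOTE: while deprecated_rule is set, oslo.policy also accepts the old RULE_DEFAULT check; the reader-role and scope restrictions become the only check once enforce_new_defaults and enforce_scope are enabled (or the deprecated rules are dropped).` The same applies to the show rule, whose deprecated_rule is attached in the second hunk. As a smaller naming point, `deprecated_snapshot_location_index` and `deprecated_snapshot_location_show` drop the "export" that `BASE_POLICY_NAME` and the policy list carry, so `deprecated_snapshot_export_location_index`/`_show` would match the module's own naming.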