Merge "Implement configurator role RBAC for sw-manager"

nfv/nfv-vim/nfv_vim/api/acl/policies/base.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022,2025 Wind River Systems, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
@@ -14,8 +14,8 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-ADMIN_IN_SYSTEM_PROJECTS = 'admin_in_system_projects'
+ADMIN_OR_CONFIGURATOR = 'admin_or_configurator'
-READER_OR_OPERATOR_IN_SYSTEM_PROJECTS = 'reader_or_operator_in_system_projects'
+READER_OR_OPERATOR_OR_CONFIGURATOR = 'reader_or_operator_or_configurator'
 
 
 class RuleDefault(object):
@@ -35,19 +35,19 @@ base_rules = [
     RuleDefault(
         name='default',
         check_str='rule:admin_in_system_projects',
-        description="Default. Admin in system projects, similar to the old behavior",
+        description='Default. Admin in system projects, similar to the old behavior',
     ),
     RuleDefault(
-        name=ADMIN_IN_SYSTEM_PROJECTS,
+        name=ADMIN_OR_CONFIGURATOR,
-        check_str='role:admin and (project_name:admin or ' +
+        check_str='(role:admin or role:configurator) and ' +
-                  'project_name:services)',
+                  '(project_name:admin or project_name:services)',
-        description="Generic rule for set-style requests",
+        description='admin or configurator in system projects',
     ),
     RuleDefault(
-        name=READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
+        name=READER_OR_OPERATOR_OR_CONFIGURATOR,
-        check_str='(role:reader or role:operator) and (project_name:admin or ' +
+        check_str='(role:reader or role:operator or role:configurator) and ' +
-                  'project_name:services)',
+                  '(project_name:admin or project_name:services)',
-        description="Generic rule for get-style requests",
+        description='reader,operator,configurator in system projects',
     )
 ]
 

nfv/nfv-vim/nfv_vim/api/acl/policies/fw_update_strategy_policy.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022,2025 Wind River Systems, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
@@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:fw_update_strategy:%s'
 fw_update_strategy_rules = [
     base.RuleDefault(
         name=POLICY_ROOT % 'add',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Add a fw_update_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Delete a fw_update_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
         description="Get a fw_update_strategy",
     )
 ]

nfv/nfv-vim/nfv_vim/api/acl/policies/kube_rootca_update_strategy_policy.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022,2025 Wind River Systems, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
@@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:kube_rootca_update_strategy:%s'
 kube_rootca_update_strategy_rules = [
     base.RuleDefault(
         name=POLICY_ROOT % 'add',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Add a kube_rootca_update_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Delete a kube_rootca_update_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
         description="Get a kube_rootca_update_strategy",
     )
 ]

nfv/nfv-vim/nfv_vim/api/acl/policies/kube_upgrade_strategy_policy.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022,2025 Wind River Systems, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
@@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:kube_upgrade_strategy:%s'
 kube_upgrade_strategy_rules = [
     base.RuleDefault(
         name=POLICY_ROOT % 'add',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Add a kube_upgrade_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Delete a kube_upgrade_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
         description="Get a kube_upgrade_strategy",
     )
 ]

nfv/nfv-vim/nfv_vim/api/acl/policies/sw_patch_strategy_policy.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022,2025 Wind River Systems, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
@@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:sw_patch_strategy:%s'
 sw_patch_strategy_rules = [
     base.RuleDefault(
         name=POLICY_ROOT % 'add',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Add a sw_patch_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Delete a sw_patch_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
         description="Get a sw_patch_strategy",
     )
 ]

nfv/nfv-vim/nfv_vim/api/acl/policies/sw_update_strategy_policy.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022,2025 Wind River Systems, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
@@ -41,7 +41,7 @@ sw_update_strategy_rules = [
     # comes into the controller as 'post' requests.
     base.RuleDefault(
         name=POLICY_ROOT % 'post',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Apply sw_update_strategy",
     )
 ]

nfv/nfv-vim/nfv_vim/api/acl/policies/sw_upgrade_strategy_policy.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022,2025 Wind River Systems, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
@@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:sw_upgrade_strategy:%s'
 sw_upgrade_strategy_rules = [
     base.RuleDefault(
         name=POLICY_ROOT % 'add',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Add a sw_upgrade_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Delete a sw_upgrade_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
         description="Get a sw_upgrade_strategy",
     )
 ]

nfv/nfv-vim/nfv_vim/api/acl/policies/system_config_update_strategy_policy.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Wind River Systems, Inc.
+# Copyright (c) 2023,2025 Wind River Systems, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
@@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:system_config_update_strategy:%s'
 system_config_update_strategy_rules = [
     base.RuleDefault(
         name=POLICY_ROOT % 'add',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Add a system_config_update_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'delete',
-        check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
         description="Delete a system_config_update_strategy",
     ),
     base.RuleDefault(
         name=POLICY_ROOT % 'get',
-        check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS,
+        check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
         description="Get a system_config_update_strategy",
     )
 ]