starlingx/nfv
Code Issues Proposed changes

Implement configurator role RBAC for sw-manager

Browse Source 
The new configurator role will have the same access as admin role
towards sw-manager, the policy rules are changed to provide
admin access to the configurator role

Test Cases:
PASS: verify that configurator,operator,reader role user can
      execute the following commands
	sw-manager fw-update-strategy show
	sw-manager kube-rootca-update-strategy show
	sw-manager kube-upgrade-strategy show
	sw-manager sw-deploy-strategy show
	sw-manager system-config-update-strategy show
PASS: Verify only configurator,admin role user can execute
      create,delete,apply,abort of sw-manager fw-update-strategy,
      kube-rootca-update-strategy,sw-deploy-strategy,
      system-config-update-strategy
PASS: verify operator,reader role user is denied access to all
      sw-manager create,delete,apply,abort commands

Story: 2011348
Task: 51960

Change-Id: If906d3475bffee255877030e74567927fc45458c
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
This commit is contained in:
amantri 2025-04-10 12:38:48 -04:00
parent 6286b3122a
commit c7e2f62d2e
8 changed files with 38 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
nfv/nfv-vim/nfv_vim/api/acl/policies/base.py
View File

@ -1,4 +1,4 @@
# Copyright (c) 2022 Wind River Systems, Inc. # Copyright (c) 2022,2025 Wind River Systems, Inc.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may # Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain # not use this file except in compliance with the License. You may obtain
@ -14,8 +14,8 @@
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
ADMIN_IN_SYSTEM_PROJECTS = 'admin_in_system_projects' ADMIN_OR_CONFIGURATOR = 'admin_or_configurator'
READER_OR_OPERATOR_IN_SYSTEM_PROJECTS = 'reader_or_operator_in_system_projects' READER_OR_OPERATOR_OR_CONFIGURATOR = 'reader_or_operator_or_configurator'
class RuleDefault(object): class RuleDefault(object):
@ -35,19 +35,19 @@ base_rules = [
RuleDefault( RuleDefault(
name='default', name='default',
check_str='rule:admin_in_system_projects', check_str='rule:admin_in_system_projects',
description="Default. Admin in system projects, similar to the old behavior", description='Default. Admin in system projects, similar to the old behavior',
), ),
RuleDefault( RuleDefault(
name=ADMIN_IN_SYSTEM_PROJECTS, name=ADMIN_OR_CONFIGURATOR,
check_str='role:admin and (project_name:admin or ' + check_str='(role:admin or role:configurator) and ' +
'project_name:services)', '(project_name:admin or project_name:services)',
description="Generic rule for set-style requests", description='admin or configurator in system projects',
), ),
RuleDefault( RuleDefault(
name=READER_OR_OPERATOR_IN_SYSTEM_PROJECTS, name=READER_OR_OPERATOR_OR_CONFIGURATOR,
check_str='(role:reader or role:operator) and (project_name:admin or ' + check_str='(role:reader or role:operator or role:configurator) and ' +
'project_name:services)', '(project_name:admin or project_name:services)',
description="Generic rule for get-style requests", description='reader,operator,configurator in system projects',
) )
] ]

8
nfv/nfv-vim/nfv_vim/api/acl/policies/fw_update_strategy_policy.py
View File

@ -1,4 +1,4 @@
# Copyright (c) 2022 Wind River Systems, Inc. # Copyright (c) 2022,2025 Wind River Systems, Inc.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may # Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain # not use this file except in compliance with the License. You may obtain
@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:fw_update_strategy:%s'
fw_update_strategy_rules = [ fw_update_strategy_rules = [
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'add', name=POLICY_ROOT % 'add',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Add a fw_update_strategy", description="Add a fw_update_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'delete', name=POLICY_ROOT % 'delete',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Delete a fw_update_strategy", description="Delete a fw_update_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'get', name=POLICY_ROOT % 'get',
check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS, check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
description="Get a fw_update_strategy", description="Get a fw_update_strategy",
) )
] ]

8
nfv/nfv-vim/nfv_vim/api/acl/policies/kube_rootca_update_strategy_policy.py
View File

@ -1,4 +1,4 @@
# Copyright (c) 2022 Wind River Systems, Inc. # Copyright (c) 2022,2025 Wind River Systems, Inc.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may # Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain # not use this file except in compliance with the License. You may obtain
@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:kube_rootca_update_strategy:%s'
kube_rootca_update_strategy_rules = [ kube_rootca_update_strategy_rules = [
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'add', name=POLICY_ROOT % 'add',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Add a kube_rootca_update_strategy", description="Add a kube_rootca_update_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'delete', name=POLICY_ROOT % 'delete',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Delete a kube_rootca_update_strategy", description="Delete a kube_rootca_update_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'get', name=POLICY_ROOT % 'get',
check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS, check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
description="Get a kube_rootca_update_strategy", description="Get a kube_rootca_update_strategy",
) )
] ]

8
nfv/nfv-vim/nfv_vim/api/acl/policies/kube_upgrade_strategy_policy.py
View File

@ -1,4 +1,4 @@
# Copyright (c) 2022 Wind River Systems, Inc. # Copyright (c) 2022,2025 Wind River Systems, Inc.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may # Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain # not use this file except in compliance with the License. You may obtain
@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:kube_upgrade_strategy:%s'
kube_upgrade_strategy_rules = [ kube_upgrade_strategy_rules = [
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'add', name=POLICY_ROOT % 'add',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Add a kube_upgrade_strategy", description="Add a kube_upgrade_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'delete', name=POLICY_ROOT % 'delete',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Delete a kube_upgrade_strategy", description="Delete a kube_upgrade_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'get', name=POLICY_ROOT % 'get',
check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS, check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
description="Get a kube_upgrade_strategy", description="Get a kube_upgrade_strategy",
) )
] ]

8
nfv/nfv-vim/nfv_vim/api/acl/policies/sw_patch_strategy_policy.py
View File

@ -1,4 +1,4 @@
# Copyright (c) 2022 Wind River Systems, Inc. # Copyright (c) 2022,2025 Wind River Systems, Inc.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may # Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain # not use this file except in compliance with the License. You may obtain
@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:sw_patch_strategy:%s'
sw_patch_strategy_rules = [ sw_patch_strategy_rules = [
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'add', name=POLICY_ROOT % 'add',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Add a sw_patch_strategy", description="Add a sw_patch_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'delete', name=POLICY_ROOT % 'delete',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Delete a sw_patch_strategy", description="Delete a sw_patch_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'get', name=POLICY_ROOT % 'get',
check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS, check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
description="Get a sw_patch_strategy", description="Get a sw_patch_strategy",
) )
] ]

4
nfv/nfv-vim/nfv_vim/api/acl/policies/sw_update_strategy_policy.py
View File

@ -1,4 +1,4 @@
# Copyright (c) 2022 Wind River Systems, Inc. # Copyright (c) 2022,2025 Wind River Systems, Inc.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may # Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain # not use this file except in compliance with the License. You may obtain
@ -41,7 +41,7 @@ sw_update_strategy_rules = [
# comes into the controller as 'post' requests. # comes into the controller as 'post' requests.
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'post', name=POLICY_ROOT % 'post',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Apply sw_update_strategy", description="Apply sw_update_strategy",
) )
] ]

8
nfv/nfv-vim/nfv_vim/api/acl/policies/sw_upgrade_strategy_policy.py
View File

@ -1,4 +1,4 @@
# Copyright (c) 2022 Wind River Systems, Inc. # Copyright (c) 2022,2025 Wind River Systems, Inc.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may # Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain # not use this file except in compliance with the License. You may obtain
@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:sw_upgrade_strategy:%s'
sw_upgrade_strategy_rules = [ sw_upgrade_strategy_rules = [
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'add', name=POLICY_ROOT % 'add',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Add a sw_upgrade_strategy", description="Add a sw_upgrade_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'delete', name=POLICY_ROOT % 'delete',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Delete a sw_upgrade_strategy", description="Delete a sw_upgrade_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'get', name=POLICY_ROOT % 'get',
check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS, check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
description="Get a sw_upgrade_strategy", description="Get a sw_upgrade_strategy",
) )
] ]

8
nfv/nfv-vim/nfv_vim/api/acl/policies/system_config_update_strategy_policy.py
View File

@ -1,4 +1,4 @@
# Copyright (c) 2023 Wind River Systems, Inc. # Copyright (c) 2023,2025 Wind River Systems, Inc.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may # Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain # not use this file except in compliance with the License. You may obtain
@ -22,17 +22,17 @@ POLICY_ROOT = 'nfv_api:system_config_update_strategy:%s'
system_config_update_strategy_rules = [ system_config_update_strategy_rules = [
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'add', name=POLICY_ROOT % 'add',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Add a system_config_update_strategy", description="Add a system_config_update_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'delete', name=POLICY_ROOT % 'delete',
check_str='rule:' + base.ADMIN_IN_SYSTEM_PROJECTS, check_str='rule:' + base.ADMIN_OR_CONFIGURATOR,
description="Delete a system_config_update_strategy", description="Delete a system_config_update_strategy",
), ),
base.RuleDefault( base.RuleDefault(
name=POLICY_ROOT % 'get', name=POLICY_ROOT % 'get',
check_str='rule:' + base.READER_OR_OPERATOR_IN_SYSTEM_PROJECTS, check_str='rule:' + base.READER_OR_OPERATOR_OR_CONFIGURATOR,
description="Get a system_config_update_strategy", description="Get a system_config_update_strategy",
) )
] ]