starlingx/update
Code Issues Proposed changes
update/sw-patch/cgcs-patch/cgcs_patch/authapi/policy.py
Joao Victor Portal 790d7e5e2e Change access control in patching API 
The access control for patching API was changed to accept GET requests
from users with reader role and presence in either admin or services
project. For other requests, it is required from the user that it has
admin role and presence in either project admin or services.

As all default system users have admin role and are present in either
admin or services project, this change should not cause regressions.

Test Plan:

PASS: Successfully deploy an AIO-SX using a Debian image with this
change present and create user "readeruser" with reader role. Log in the
Horizon interface using "readeruser" user, access page "Admin" ->
"Software Management" with no errors (a GET patches list request is
executed successfully here), try to upload a patch and check that it
fails. Repeat the steps for user "admin" and check that the patch upload
succeeds.
PASS: Successfully deploy a DC with 1 subcloud using a Debian image with
this change present and create user "readeruser" with reader role. Log
in the Horizon interface using "readeruser" user, access page
"Distributed Cloud Admin" -> "Software Management" with no errors (a GET
patches list request is executed successfully here), try to upload a
patch and check that it fails. Repeat the steps for user "admin" and
check that the patch upload succeeds.

Story: 2010149
Task: 46561

Depends-on: https://review.opendev.org/c/starlingx/gui/+/860701
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I1b0b06ebeaadc82cd14174a46bf148c564dc7c08
2022-10-13 16:30:11 -03:00

84 lines
3.3 KiB
Python
Executable File
Raw Blame History

#
# Copyright (c) 2011 OpenStack Foundation
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Copyright (c) 2014-2022 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
"""Policy Engine For Patching."""
from oslo_config import cfg
from oslo_policy import policy
base_rules = [
policy.RuleDefault('admin_in_system_projects',
'role:admin and (project_name:admin or ' +
'project_name:services)',
description='Admin user in system projects.'),
policy.RuleDefault('reader_in_system_projects',
'role:reader and (project_name:admin or ' +
'project_name:services)',
description='Reader user in system projects.'),
policy.RuleDefault('default', 'rule:admin_in_system_projects',
description='Default rule.'),
]
CONF = cfg.CONF
_ENFORCER = None
def init(policy_file=None, rules=None,
default_rule=None, use_conf=True, overwrite=True):
"""Init an Enforcer class.
oslo policy supports change policy rule dynamically.
policy.enforce will reload the policy rules if it detects
the policy files have been touched.
:param policy_file: Custom policy file to use, if none is
specified, ``conf.policy_file`` will be
used.
:param rules: Default dictionary / Rules to use. It will be
considered just in the first instantiation. If
:meth:`load_rules` with ``force_reload=True``,
:meth:`clear` or :meth:`set_rules` with
``overwrite=True`` is called this will be overwritten.
:param default_rule: Default rule to use, conf.default_rule will
be used if none is specified.
:param use_conf: Whether to load rules from cache or config file.
:param overwrite: Whether to overwrite existing rules when reload rules
from config file.
"""
global _ENFORCER
if not _ENFORCER:
# https://docs.openstack.org/oslo.policy/latest/user/usage.html
_ENFORCER = policy.Enforcer(CONF,
policy_file=policy_file,
rules=rules,
default_rule=default_rule,
use_conf=use_conf,
overwrite=overwrite)
_ENFORCER.register_defaults(base_rules)
return _ENFORCER
def authorize(rule, target, creds, do_raise=True):
"""A wrapper around 'authorize' from 'oslo_policy.policy'."""
init()
return _ENFORCER.authorize(rule, target, creds, do_raise=do_raise)
View Git Blame Copy Permalink