[S-RBAC] Allow admin user to do all API requests by default

By default ADMIN user in the new Secure RBAC policies should behave in the same way as in the legacy rules so basically every API operation for any project should be allowed for ADMIN user. In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER and those personas don't inherits directly from ADMIN which means that if something is possible to e.g. PROJECT_MEMBER it isn't automatically also allowed to ADMIN and we need to explicitly allow ADMIN user to do such requests. It was done like that for many of API calls already but not for all of them (probably by mistake). This patch introduces new composite check ADMIN_OR_PROJECT_MEMBER and uses it in the check strings where ADMIN or PROJECT_MEMBER user is allowed to use the API. It also changes some of the check strings which used "policy_or" to combine ADMIN and PROJECT_MEMBER or PROJECT_READER so that those composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER are used everywhere. Closes-Bug: #1997089 Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7
openstack · Nov 24, 2022 · 6d8ada0 · 6d8ada0
1 parent a76b20d
commit 6d8ada0
Show file tree

Hide file tree

Showing 31 changed files with 435 additions and 273 deletions.
diff --git a/neutron/conf/policies/address_group.py b/neutron/conf/policies/address_group.py
@@ -32,7 +32,7 @@
     policy.DocumentedRuleDefault(
         name='get_address_group',
         check_str=base.policy_or(
-            base.PROJECT_READER,
+            base.ADMIN_OR_PROJECT_READER,
             'rule:shared_address_groups'),
         description='Get an address group',
         operations=[

diff --git a/neutron/conf/policies/address_scope.py b/neutron/conf/policies/address_scope.py
@@ -31,9 +31,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='create_address_scope',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Create an address scope',
         operations=[
             {
@@ -92,9 +90,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='update_address_scope',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Update an address scope',
         operations=[
             {
@@ -128,9 +124,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='delete_address_scope',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Delete an address scope',
         operations=[
             {

diff --git a/neutron/conf/policies/auto_allocated_topology.py b/neutron/conf/policies/auto_allocated_topology.py
@@ -25,7 +25,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='get_auto_allocated_topology',
-        check_str=base.PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
         description="Get a project's auto-allocated topology",
         operations=[
             {
@@ -42,7 +42,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='delete_auto_allocated_topology',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description="Delete a project's auto-allocated topology",
         operations=[
             {

diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py
@@ -49,9 +49,11 @@ def policy_or(*args):
 PROJECT_READER = 'role:reader and project_id:%(project_id)s'
 
 # The following are common composite check strings that are useful for
-# protecting APIs designed to operate with multiple scopes (e.g., a system
-# administrator should be able to delete any router in the deployment, a
+# protecting APIs designed to operate with multiple scopes (e.g.,
+# an administrator should be able to delete any router in the deployment, a
 # project member should only be able to delete routers in their project).
+ADMIN_OR_PROJECT_MEMBER = (
+    '(' + ADMIN + ') or (' + PROJECT_MEMBER + ')')
 ADMIN_OR_PROJECT_READER = (
     '(' + ADMIN + ') or (' + PROJECT_READER + ')')
 

diff --git a/neutron/conf/policies/floatingip.py b/neutron/conf/policies/floatingip.py
@@ -25,9 +25,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='create_floatingip',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Create a floating IP',
         operations=[
             {
@@ -61,9 +59,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_floatingip',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_READER),
+        check_str=base.ADMIN_OR_PROJECT_READER,
         description='Get a floating IP',
         operations=[
             {
@@ -84,9 +80,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='update_floatingip',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Update a floating IP',
         operations=[
             {
@@ -103,9 +97,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='delete_floatingip',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Delete a floating IP',
         operations=[
             {

diff --git a/neutron/conf/policies/floatingip_pools.py b/neutron/conf/policies/floatingip_pools.py
@@ -21,7 +21,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='get_floatingip_pool',
-        check_str=base.PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
         description='Get floating IP pools',
         operations=[
             {

diff --git a/neutron/conf/policies/floatingip_port_forwarding.py b/neutron/conf/policies/floatingip_port_forwarding.py
@@ -30,7 +30,7 @@
     policy.DocumentedRuleDefault(
         name='create_floatingip_port_forwarding',
         check_str=base.policy_or(
-            base.PROJECT_MEMBER,
+            base.ADMIN_OR_PROJECT_MEMBER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Create a floating IP port forwarding',
@@ -49,7 +49,7 @@
     policy.DocumentedRuleDefault(
         name='get_floatingip_port_forwarding',
         check_str=base.policy_or(
-            base.PROJECT_READER,
+            base.ADMIN_OR_PROJECT_READER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Get a floating IP port forwarding',
@@ -72,7 +72,7 @@
     policy.DocumentedRuleDefault(
         name='update_floatingip_port_forwarding',
         check_str=base.policy_or(
-            base.PROJECT_MEMBER,
+            base.ADMIN_OR_PROJECT_MEMBER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Update a floating IP port forwarding',
@@ -91,7 +91,7 @@
     policy.DocumentedRuleDefault(
         name='delete_floatingip_port_forwarding',
         check_str=base.policy_or(
-            base.PROJECT_MEMBER,
+            base.ADMIN_OR_PROJECT_MEMBER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Delete a floating IP port forwarding',

diff --git a/neutron/conf/policies/l3_conntrack_helper.py b/neutron/conf/policies/l3_conntrack_helper.py
@@ -30,7 +30,7 @@
     policy.DocumentedRuleDefault(
         name='create_router_conntrack_helper',
         check_str=base.policy_or(
-            base.PROJECT_MEMBER,
+            base.ADMIN_OR_PROJECT_MEMBER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Create a router conntrack helper',
@@ -49,7 +49,7 @@
     policy.DocumentedRuleDefault(
         name='get_router_conntrack_helper',
         check_str=base.policy_or(
-            base.PROJECT_READER,
+            base.ADMIN_OR_PROJECT_READER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Get a router conntrack helper',
@@ -72,7 +72,7 @@
     policy.DocumentedRuleDefault(
         name='update_router_conntrack_helper',
         check_str=base.policy_or(
-            base.PROJECT_MEMBER,
+            base.ADMIN_OR_PROJECT_MEMBER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Update a router conntrack helper',
@@ -91,7 +91,7 @@
     policy.DocumentedRuleDefault(
         name='delete_router_conntrack_helper',
         check_str=base.policy_or(
-            base.PROJECT_MEMBER,
+            base.ADMIN_OR_PROJECT_MEMBER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Delete a router conntrack helper',

diff --git a/neutron/conf/policies/local_ip.py b/neutron/conf/policies/local_ip.py
@@ -25,7 +25,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='create_local_ip',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Create a Local IP',
         operations=[
             {
@@ -42,7 +42,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_local_ip',
-        check_str=base.PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
         description='Get a Local IP',
         operations=[
             {
@@ -63,7 +63,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='update_local_ip',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Update a Local IP',
         operations=[
             {
@@ -80,7 +80,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='delete_local_ip',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Delete a Local IP',
         operations=[
             {

diff --git a/neutron/conf/policies/local_ip_association.py b/neutron/conf/policies/local_ip_association.py
@@ -27,7 +27,7 @@
     policy.DocumentedRuleDefault(
         name='create_local_ip_port_association',
         check_str=base.policy_or(
-            base.PROJECT_MEMBER,
+            base.ADMIN_OR_PROJECT_MEMBER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Create a Local IP port association',
@@ -46,7 +46,7 @@
     policy.DocumentedRuleDefault(
         name='get_local_ip_port_association',
         check_str=base.policy_or(
-            base.PROJECT_READER,
+            base.ADMIN_OR_PROJECT_READER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Get a Local IP port association',
@@ -69,7 +69,7 @@
     policy.DocumentedRuleDefault(
         name='delete_local_ip_port_association',
         check_str=base.policy_or(
-            base.PROJECT_MEMBER,
+            base.ADMIN_OR_PROJECT_MEMBER,
             base.RULE_PARENT_OWNER),
         scope_types=['project'],
         description='Delete a Local IP port association',

diff --git a/neutron/conf/policies/metering.py b/neutron/conf/policies/metering.py
@@ -46,9 +46,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_metering_label',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_READER),
+        check_str=base.ADMIN_OR_PROJECT_READER,
         scope_types=['project'],
         description='Get a metering label',
         operations=[
@@ -103,9 +101,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_metering_label_rule',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_READER),
+        check_str=base.ADMIN_OR_PROJECT_READER,
         scope_types=['project'],
         description='Get a metering label rule',
         operations=[

diff --git a/neutron/conf/policies/ndp_proxy.py b/neutron/conf/policies/ndp_proxy.py
@@ -25,7 +25,7 @@
 rules = [
     policy.DocumentedRuleDefault(
         name='create_ndp_proxy',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Create a ndp proxy',
         operations=[
             {
@@ -42,7 +42,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_ndp_proxy',
-        check_str=base.PROJECT_READER,
+        check_str=base.ADMIN_OR_PROJECT_READER,
         description='Get a ndp proxy',
         operations=[
             {
@@ -63,7 +63,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='update_ndp_proxy',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Update a ndp proxy',
         operations=[
             {
@@ -80,7 +80,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='delete_ndp_proxy',
-        check_str=base.PROJECT_MEMBER,
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Delete a ndp proxy',
         operations=[
             {

diff --git a/neutron/conf/policies/network.py b/neutron/conf/policies/network.py
@@ -45,9 +45,7 @@
 
     policy.DocumentedRuleDefault(
         name='create_network',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         scope_types=['project'],
         description='Create a network',
         operations=ACTION_POST,
@@ -95,9 +93,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='create_network:port_security_enabled',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         scope_types=['project'],
         description=(
             'Specify ``port_security_enabled`` '
@@ -170,8 +166,7 @@
     policy.DocumentedRuleDefault(
         name='get_network',
         check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_READER,
+            base.ADMIN_OR_PROJECT_READER,
             'rule:shared',
             'rule:external',
             base.RULE_ADVSVC
@@ -240,9 +235,7 @@
 
     policy.DocumentedRuleDefault(
         name='update_network',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         scope_types=['project'],
         description='Update a network',
         operations=ACTION_PUT,
@@ -344,9 +337,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='update_network:port_security_enabled',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         scope_types=['project'],
         description='Update ``port_security_enabled`` attribute of a network',
         operations=ACTION_PUT,
@@ -359,9 +350,7 @@
 
     policy.DocumentedRuleDefault(
         name='delete_network',
-        check_str=base.policy_or(
-            base.ADMIN,
-            base.PROJECT_MEMBER),
+        check_str=base.ADMIN_OR_PROJECT_MEMBER,
         scope_types=['project'],
         description='Delete a network',
         operations=ACTION_DELETE,