1# Copyright (c) 2017 Huawei Technologies Co., Ltd.
2# All Rights Reserved.
3#
4# Licensed under the Apache License, Version 2.0 (the "License"); you may
5# not use this file except in compliance with the License. You may obtain
6# a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13# License for the specific language governing permissions and limitations
14# under the License.
16from oslo_log import versionutils
17from oslo_policy import policy
# ---------------------------------------------------------------------------
# Check-string building blocks for manila's default policies.
#
# Every constant below is an oslo.policy check string. The ``rule:<name>``
# form defers to a named RuleDefault registered later in this module, so the
# meaning of a persona can be tuned in one place (or overridden by operators
# in policy.yaml) without touching each API policy that uses it.
# ---------------------------------------------------------------------------

# Highest level of authorization in the deployment. Admins operate across
# projects: they create/read/update/delete system-wide resources (share
# types, share group types, storage pools, ...) and may also act on
# project-owned resources where an API allows it (e.g. cleaning up shares or
# snapshots). NOTE(review): the ``context_is_admin`` rule this points at
# checks ``role:admin`` alone, with no project_id binding — see its
# RuleDefault below.
ADMIN = 'rule:context_is_admin'

# Actions performed by a "service" user (acting on behalf of other users for
# privileged, service-specific operations) or by an admin.
ADMIN_OR_SERVICE = 'rule:admin_or_service_api'

# The everyday end-user persona: works with resources that live inside a
# project (shares, share replicas, ...) without administrator privileges.
PROJECT_MEMBER = 'rule:project-member'

# Read-only access to project resources — audit and support use cases.
# Never use this to protect an API that mutates state (e.g. updating a share
# or snapshot).
PROJECT_READER = 'rule:project-reader'

# User-specific resources such as resource locks or access-rule
# restrictions. User accounts come and go, so anything guarded with this
# persona should also be reachable by another persona (admin/service) or it
# becomes an orphan once the owning user is decommissioned.
OWNER_USER = 'rule:owner-user'


def _either(first: str, second: str) -> str:
    """Return a check string that passes when either operand passes.

    Each operand is parenthesised so that composing already-composite
    check strings cannot change operator precedence.
    """
    return f'({first}) or ({second})'


# Composite personas used by most API policies.
ADMIN_OR_PROJECT_MEMBER = _either(ADMIN, PROJECT_MEMBER)
ADMIN_OR_PROJECT_READER = _either(ADMIN, PROJECT_READER)
ADMIN_OR_SERVICE_OR_PROJECT_READER = _either(ADMIN_OR_SERVICE, PROJECT_READER)
ADMIN_OR_SERVICE_OR_PROJECT_MEMBER = _either(ADMIN_OR_SERVICE, PROJECT_MEMBER)
# Kept as a single parenthesised group (the historical spelling) rather than
# two groups; with only plain ``rule:`` atoms joined by one ``or`` the two
# forms evaluate identically.
ADMIN_OR_SERVICE_OR_OWNER_USER = (
    '(' + OWNER_USER + ' or ' + ADMIN_OR_SERVICE + ')')

# ---------------------------------------------------------------------------
# Legacy, unscoped check strings. Deprecated: do not use them in new default
# RBAC. They can be dropped once oslo.policy defaults ``enforce_scope`` to
# True. The rules they point at match on the ``is_admin`` context flag or on
# bare project/user membership, with no keystone role requirement.
# ---------------------------------------------------------------------------
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'
RULE_ADMIN_OR_OWNER_USER = 'rule:admin_or_owner_user'
RULE_ADMIN_API = 'rule:admin_api'
RULE_DEFAULT = 'rule:default'
# Deprecation record for the legacy ``context_is_admin`` rule (deprecated in
# Wallaby). Attached to the replacement RuleDefault below so that, per
# oslo.policy's DeprecatedRule semantics, operators still carrying the old
# ``role:admin`` spelling in their policy files are warned.
deprecation_msg = (
    "The `context_is_admin` check is superseded by more specific check "
    "strings that consume project scope attributes from keystone tokens.")
DEPRECATED_CONTEXT_IS_ADMIN = policy.DeprecatedRule(
    name='context_is_admin',
    check_str='role:admin',
    deprecated_reason=deprecation_msg,
    deprecated_since=versionutils.deprecated.WALLABY,
)
# ---------------------------------------------------------------------------
# Default OpenStack scoped personas.
#
# All of these carry ``scope_types=['project']``: once oslo.policy's
# ``enforce_scope`` is on, only project-scoped tokens can satisfy them.
# ---------------------------------------------------------------------------
_SCOPED_PERSONA_RULES = [
    policy.RuleDefault(
        name='project-admin',
        check_str='role:admin and project_id:%(project_id)s',
        description='Project scoped Administrator',
        scope_types=['project'],
    ),
    policy.RuleDefault(
        name='project-member',
        check_str='role:member and project_id:%(project_id)s',
        description='Project scoped Member',
        scope_types=['project'],
    ),
    policy.RuleDefault(
        name='project-reader',
        check_str='role:reader and project_id:%(project_id)s',
        description='Project scoped Reader',
        scope_types=['project'],
    ),
    # Ownership is established purely by identity: no keystone role is
    # required, so whatever role (reader included) the owning user holds in
    # the owning project satisfies this rule.
    policy.RuleDefault(
        name='owner-user',
        check_str='user_id:%(user_id)s and project_id:%(project_id)s',
        description='Project scoped user that owns a user specific resource',
        scope_types=['project'],
    ),
    # Neither alternative is bound to project_id: the admin or service role
    # held on *any* project matches.
    policy.RuleDefault(
        name='admin_or_service_api',
        check_str='role:admin or role:service',
        description='A service user or an administrator user.',
        scope_types=['project'],
    ),
]

# ---------------------------------------------------------------------------
# Special personas for manila.
# ---------------------------------------------------------------------------
_MANILA_PERSONA_RULES = [
    # ``ADMIN`` (``rule:context_is_admin``) resolves here, not to
    # ``project-admin``: the check is ``role:admin`` with no project_id
    # binding, so the admin role on any project grants deployment-wide
    # admin. The deprecated rule it replaces has the same name and the same
    # check string, so this deprecation is advisory only — nothing tightens
    # until the check string itself changes.
    policy.RuleDefault(
        name='context_is_admin',
        check_str='role:admin',
        description='Privileged users checked via "context.is_admin"',
        deprecated_rule=DEPRECATED_CONTEXT_IS_ADMIN,
        scope_types=['project'],
    ),
    policy.RuleDefault(
        name='context_is_host_admin',
        check_str='role:admin and project_id:%(project_id)s',
        description='Privileged user who can select host during scheduling',
        scope_types=['project'],
    ),
]

# ---------------------------------------------------------------------------
# Legacy/deprecated unscoped rules. No ``scope_types`` is set, so scope
# enforcement does not apply to them, and none requires a keystone role: a
# bare project (and, for the user variant, user) match is enough. Remove
# once oslo.policy defaults ``enforce_scope`` to True.
# ---------------------------------------------------------------------------
_LEGACY_UNSCOPED_RULES = [
    # Any token for the project — reader included — passes the "owner" half.
    policy.RuleDefault(
        name='admin_or_owner',
        check_str='is_admin:True or project_id:%(project_id)s',
        description='Administrator or Member of the project',
    ),
    # oslo.policy gives ``and`` higher precedence than ``or`` (as Python
    # does), so this reads as ``is_admin or (project match and user match)``.
    policy.RuleDefault(
        name='admin_or_owner_user',
        check_str='is_admin:True or '
                  'project_id:%(project_id)s and user_id:%(user_id)s',
        description='Administrator or owner user of a resource',
    ),
    policy.RuleDefault(
        name='default',
        check_str=RULE_ADMIN_OR_OWNER,
        description='Default rule for most non-Admin APIs',
    ),
    policy.RuleDefault(
        name='admin_api',
        check_str='is_admin:True',
        description='Default rule for most Admin APIs.',
    ),
]

# Registration order is preserved: scoped personas, manila personas, legacy.
rules = _SCOPED_PERSONA_RULES + _MANILA_PERSONA_RULES + _LEGACY_UNSCOPED_RULES
def list_rules() -> list:
    """Return the base RuleDefaults that manila's other policy modules build on.

    The module-level ``rules`` list is returned as-is (not a copy).
    """
    return rules