openstack/aodh
Code Issues Proposed changes

RBAC Support for Ceilometer API Implementation

Browse Source 
This patch adds policy based Role Based Access Control
to the Ceilometer V2 APIs.

Validation/Enforcement of the policy is executed for the
different controllers and hence it is possible to
granularly control access.

Co-Authored-By: Fabio Giannetti <fabio.giannetti@hp.com>

Change-Id: I788b9b31c8cfba9f3caa19f1f6d465a3f81101ad
This commit is contained in:
Fabio Giannetti 2014-11-18 22:42:59 -08:00
parent a32d2ef26c
commit be42f2035a
5 changed files with 205 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
ceilometer/api/acl.py
View File

@ -1,50 +0,0 @@
#
# Copyright 2012 New Dream Network, LLC (DreamHost)
#
# Author: Doug Hellmann <doug.hellmann@dreamhost.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Access Control Lists (ACL's) control access the API server."""
from ceilometer.openstack.common import policy
_ENFORCER = None
def get_limited_to(headers):
"""Return the user and project the request should be limited to.
:param headers: HTTP headers dictionary
:return: A tuple of (user, project), set to None if there's no limit on
one of these.
"""
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer()
if not _ENFORCER.enforce('context_is_admin',
{},
{'roles': headers.get('X-Roles', "").split(",")}):
return headers.get('X-User-Id'), headers.get('X-Project-Id')
return None, None
def get_limited_to_project(headers):
"""Return the project the request should be limited to.
:param headers: HTTP headers dictionary
:return: A project, or None if there's no limit on it.
"""
return get_limited_to(headers)[1]

86
ceilometer/api/controllers/v2.py
View File

@ -3,6 +3,7 @@
# Copyright 2013 IBM Corp. # Copyright 2013 IBM Corp.
# Copyright 2013 eNovance <licensing@enovance.com> # Copyright 2013 eNovance <licensing@enovance.com>
# Copyright Ericsson AB 2013. All rights reserved # Copyright Ericsson AB 2013. All rights reserved
# Copyright 2014 Hewlett-Packard Company
# #
# Authors: Doug Hellmann <doug.hellmann@dreamhost.com> # Authors: Doug Hellmann <doug.hellmann@dreamhost.com>
# Angus Salkeld <asalkeld@redhat.com> # Angus Salkeld <asalkeld@redhat.com>
@ -10,6 +11,7 @@
# Julien Danjou <julien@danjou.info> # Julien Danjou <julien@danjou.info>
# Ildiko Vancsa <ildiko.vancsa@ericsson.com> # Ildiko Vancsa <ildiko.vancsa@ericsson.com>
# Balazs Gibizer <balazs.gibizer@ericsson.com> # Balazs Gibizer <balazs.gibizer@ericsson.com>
# Fabio Giannetti <fabio.giannetti@hp.com>
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may # Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain # not use this file except in compliance with the License. You may obtain
@ -50,7 +52,7 @@ import wsmeext.pecan as wsme_pecan
import ceilometer import ceilometer
from ceilometer.alarm import service as alarm_service from ceilometer.alarm import service as alarm_service
from ceilometer.alarm.storage import models as alarm_models from ceilometer.alarm.storage import models as alarm_models
from ceilometer.api import acl from ceilometer.api import rbac
from ceilometer.event.storage import models as event_models from ceilometer.event.storage import models as event_models
from ceilometer import messaging from ceilometer import messaging
from ceilometer.openstack.common import context from ceilometer.openstack.common import context
@ -350,7 +352,7 @@ def _get_auth_project(on_behalf_of=None):
# hence for null auth_project (indicating admin-ness) we check if # hence for null auth_project (indicating admin-ness) we check if
# the creating tenant differs from the tenant on whose behalf the # the creating tenant differs from the tenant on whose behalf the
# alarm is being created # alarm is being created
auth_project = acl.get_limited_to_project(pecan.request.headers) auth_project = rbac.get_limited_to_project(pecan.request.headers)
created_by = pecan.request.headers.get('X-Project-Id') created_by = pecan.request.headers.get('X-Project-Id')
is_admin = auth_project is None is_admin = auth_project is None
@ -386,7 +388,7 @@ def _sanitize_query(query, db_func, on_behalf_of=None):
def _verify_query_segregation(query, auth_project=None): def _verify_query_segregation(query, auth_project=None):
"""Ensure non-admin queries are not constrained to another project.""" """Ensure non-admin queries are not constrained to another project."""
auth_project = (auth_project or auth_project = (auth_project or
acl.get_limited_to_project(pecan.request.headers)) rbac.get_limited_to_project(pecan.request.headers))
if not auth_project: if not auth_project:
return return
@ -896,6 +898,9 @@ class MeterController(rest.RestController):
:param q: Filter rules for the data to be returned. :param q: Filter rules for the data to be returned.
:param limit: Maximum number of samples to return. :param limit: Maximum number of samples to return.
""" """
rbac.enforce('get_samples', pecan.request)
q = q or [] q = q or []
if limit and limit < 0: if limit and limit < 0:
raise ClientSideError(_("Limit must be positive")) raise ClientSideError(_("Limit must be positive"))
@ -912,8 +917,11 @@ class MeterController(rest.RestController):
:param samples: a list of samples within the request body. :param samples: a list of samples within the request body.
""" """
rbac.enforce('create_samples', pecan.request)
now = timeutils.utcnow() now = timeutils.utcnow()
auth_project = acl.get_limited_to_project(pecan.request.headers) auth_project = rbac.get_limited_to_project(pecan.request.headers)
def_source = pecan.request.cfg.sample_source def_source = pecan.request.cfg.sample_source
def_project_id = pecan.request.headers.get('X-Project-Id') def_project_id = pecan.request.headers.get('X-Project-Id')
def_user_id = pecan.request.headers.get('X-User-Id') def_user_id = pecan.request.headers.get('X-User-Id')
@ -976,6 +984,9 @@ class MeterController(rest.RestController):
period long of that number of seconds. period long of that number of seconds.
:param aggregate: The selectable aggregation functions to be applied. :param aggregate: The selectable aggregation functions to be applied.
""" """
rbac.enforce('compute_statistics', pecan.request)
q = q or [] q = q or []
groupby = groupby or [] groupby = groupby or []
aggregate = aggregate or [] aggregate = aggregate or []
@ -1076,6 +1087,9 @@ class MetersController(rest.RestController):
:param q: Filter rules for the meters to be returned. :param q: Filter rules for the meters to be returned.
""" """
rbac.enforce('get_meters', pecan.request)
q = q or [] q = q or []
# Timestamp field is not supported for Meter queries # Timestamp field is not supported for Meter queries
@ -1167,6 +1181,9 @@ class SamplesController(rest.RestController):
:param q: Filter rules for the samples to be returned. :param q: Filter rules for the samples to be returned.
:param limit: Maximum number of samples to be returned. :param limit: Maximum number of samples to be returned.
""" """
rbac.enforce('get_samples', pecan.request)
q = q or [] q = q or []
if limit and limit < 0: if limit and limit < 0:
@ -1182,6 +1199,9 @@ class SamplesController(rest.RestController):
:param sample_id: the id of the sample. :param sample_id: the id of the sample.
""" """
rbac.enforce('get_sample', pecan.request)
f = storage.SampleFilter(message_id=sample_id) f = storage.SampleFilter(message_id=sample_id)
samples = list(pecan.request.storage_conn.get_samples(f)) samples = list(pecan.request.storage_conn.get_samples(f))
@ -1417,7 +1437,7 @@ class ValidatedComplexQuery(object):
If the tenant is not admin insert an extra If the tenant is not admin insert an extra
"and <visibility_field>=<tenant's project_id>" clause to the query. "and <visibility_field>=<tenant's project_id>" clause to the query.
""" """
authorized_project = acl.get_limited_to_project(pecan.request.headers) authorized_project = rbac.get_limited_to_project(pecan.request.headers)
is_admin = authorized_project is None is_admin = authorized_project is None
if not is_admin: if not is_admin:
self._restrict_to_project(authorized_project, visibility_field) self._restrict_to_project(authorized_project, visibility_field)
@ -1553,7 +1573,10 @@ class ResourcesController(rest.RestController):
:param resource_id: The UUID of the resource. :param resource_id: The UUID of the resource.
""" """
authorized_project = acl.get_limited_to_project(pecan.request.headers)
rbac.enforce('get_resource', pecan.request)
authorized_project = rbac.get_limited_to_project(pecan.request.headers)
resources = list(pecan.request.storage_conn.get_resources( resources = list(pecan.request.storage_conn.get_resources(
resource=resource_id, project=authorized_project)) resource=resource_id, project=authorized_project))
if not resources: if not resources:
@ -1568,6 +1591,9 @@ class ResourcesController(rest.RestController):
:param q: Filter rules for the resources to be returned. :param q: Filter rules for the resources to be returned.
:param meter_links: option to include related meter links :param meter_links: option to include related meter links
""" """
rbac.enforce('get_resources', pecan.request)
q = q or [] q = q or []
kwargs = _query_to_kwargs(q, pecan.request.storage_conn.get_resources) kwargs = _query_to_kwargs(q, pecan.request.storage_conn.get_resources)
resources = [ resources = [
@ -1983,7 +2009,7 @@ class AlarmController(rest.RestController):
def _alarm(self): def _alarm(self):
self.conn = pecan.request.alarm_storage_conn self.conn = pecan.request.alarm_storage_conn
auth_project = acl.get_limited_to_project(pecan.request.headers) auth_project = rbac.get_limited_to_project(pecan.request.headers)
alarms = list(self.conn.get_alarms(alarm_id=self._id, alarms = list(self.conn.get_alarms(alarm_id=self._id,
project=auth_project)) project=auth_project))
if not alarms: if not alarms:
@ -2020,6 +2046,9 @@ class AlarmController(rest.RestController):
@wsme_pecan.wsexpose(Alarm) @wsme_pecan.wsexpose(Alarm)
def get(self): def get(self):
"""Return this alarm.""" """Return this alarm."""
rbac.enforce('get_alarm', pecan.request)
return Alarm.from_db_model(self._alarm()) return Alarm.from_db_model(self._alarm())
@wsme_pecan.wsexpose(Alarm, body=Alarm) @wsme_pecan.wsexpose(Alarm, body=Alarm)
@ -2028,13 +2057,16 @@ class AlarmController(rest.RestController):
:param data: an alarm within the request body. :param data: an alarm within the request body.
""" """
rbac.enforce('change_alarm', pecan.request)
# Ensure alarm exists # Ensure alarm exists
alarm_in = self._alarm() alarm_in = self._alarm()
now = timeutils.utcnow() now = timeutils.utcnow()
data.alarm_id = self._id data.alarm_id = self._id
user, project = acl.get_limited_to(pecan.request.headers) user, project = rbac.get_limited_to(pecan.request.headers)
if user: if user:
data.user_id = user data.user_id = user
elif data.user_id == wtypes.Unset: elif data.user_id == wtypes.Unset:
@ -2084,6 +2116,9 @@ class AlarmController(rest.RestController):
@wsme_pecan.wsexpose(None, status_code=204) @wsme_pecan.wsexpose(None, status_code=204)
def delete(self): def delete(self):
"""Delete this alarm.""" """Delete this alarm."""
rbac.enforce('delete_alarm', pecan.request)
# ensure alarm exists before deleting # ensure alarm exists before deleting
alarm = self._alarm() alarm = self._alarm()
self.conn.delete_alarm(alarm.alarm_id) self.conn.delete_alarm(alarm.alarm_id)
@ -2100,11 +2135,14 @@ class AlarmController(rest.RestController):
:param q: Filter rules for the changes to be described. :param q: Filter rules for the changes to be described.
""" """
rbac.enforce('alarm_history', pecan.request)
q = q or [] q = q or []
# allow history to be returned for deleted alarms, but scope changes # allow history to be returned for deleted alarms, but scope changes
# returned to those carried out on behalf of the auth'd tenant, to # returned to those carried out on behalf of the auth'd tenant, to
# avoid inappropriate cross-tenant visibility of alarm history # avoid inappropriate cross-tenant visibility of alarm history
auth_project = acl.get_limited_to_project(pecan.request.headers) auth_project = rbac.get_limited_to_project(pecan.request.headers)
conn = pecan.request.alarm_storage_conn conn = pecan.request.alarm_storage_conn
kwargs = _query_to_kwargs(q, conn.get_alarm_changes, ['on_behalf_of', kwargs = _query_to_kwargs(q, conn.get_alarm_changes, ['on_behalf_of',
'alarm_id']) 'alarm_id'])
@ -2119,6 +2157,9 @@ class AlarmController(rest.RestController):
:param state: an alarm state within the request body. :param state: an alarm state within the request body.
""" """
rbac.enforce('change_alarm_state', pecan.request)
# note(sileht): body are not validated by wsme # note(sileht): body are not validated by wsme
# Workaround for https://bugs.launchpad.net/wsme/+bug/1227229 # Workaround for https://bugs.launchpad.net/wsme/+bug/1227229
if state not in state_kind: if state not in state_kind:
@ -2136,6 +2177,9 @@ class AlarmController(rest.RestController):
@wsme_pecan.wsexpose(state_kind_enum) @wsme_pecan.wsexpose(state_kind_enum)
def get_state(self): def get_state(self):
"""Get the state of this alarm.""" """Get the state of this alarm."""
rbac.enforce('get_alarm_state', pecan.request)
alarm = self._alarm() alarm = self._alarm()
return alarm.state return alarm.state
@ -2179,11 +2223,14 @@ class AlarmsController(rest.RestController):
:param data: an alarm within the request body. :param data: an alarm within the request body.
""" """
rbac.enforce('create_alarm', pecan.request)
conn = pecan.request.alarm_storage_conn conn = pecan.request.alarm_storage_conn
now = timeutils.utcnow() now = timeutils.utcnow()
data.alarm_id = str(uuid.uuid4()) data.alarm_id = str(uuid.uuid4())
user_limit, project_limit = acl.get_limited_to(pecan.request.headers) user_limit, project_limit = rbac.get_limited_to(pecan.request.headers)
def _set_ownership(aspect, owner_limitation, header): def _set_ownership(aspect, owner_limitation, header):
attr = '%s_id' % aspect attr = '%s_id' % aspect
@ -2234,6 +2281,9 @@ class AlarmsController(rest.RestController):
:param q: Filter rules for the alarms to be returned. :param q: Filter rules for the alarms to be returned.
""" """
rbac.enforce('get_alarms', pecan.request)
q = q or [] q = q or []
# Timestamp is not supported field for Simple Alarm queries # Timestamp is not supported field for Simple Alarm queries
kwargs = _query_to_kwargs(q, kwargs = _query_to_kwargs(q,
@ -2348,11 +2398,16 @@ class Event(_Base):
) )
# TODO(fabiog): this decorator should disappear and have a more unified
# way of controlling access and scope. Before messing with this, though
# I feel this file should be re-factored in smaller chunks one for each
# controller (e.g. meters, alarms and so on ...). Right now its size is
# overwhelming.
def requires_admin(func): def requires_admin(func):
@functools.wraps(func) @functools.wraps(func)
def wrapped(*args, **kwargs): def wrapped(*args, **kwargs):
usr_limit, proj_limit = acl.get_limited_to(pecan.request.headers) usr_limit, proj_limit = rbac.get_limited_to(pecan.request.headers)
# If User and Project are None, you have full access. # If User and Project are None, you have full access.
if usr_limit and proj_limit: if usr_limit and proj_limit:
# since this decorator get's called out of wsme context # since this decorator get's called out of wsme context
@ -2488,6 +2543,9 @@ class QuerySamplesController(rest.RestController):
:param body: Query rules for the samples to be returned. :param body: Query rules for the samples to be returned.
""" """
rbac.enforce('query_sample', pecan.request)
sample_name_mapping = {"resource": "resource_id", sample_name_mapping = {"resource": "resource_id",
"meter": "counter_name", "meter": "counter_name",
"type": "counter_type", "type": "counter_type",
@ -2514,6 +2572,9 @@ class QueryAlarmHistoryController(rest.RestController):
:param body: Query rules for the alarm history to be returned. :param body: Query rules for the alarm history to be returned.
""" """
rbac.enforce('query_alarm_history', pecan.request)
query = ValidatedComplexQuery(body, query = ValidatedComplexQuery(body,
alarm_models.AlarmChange) alarm_models.AlarmChange)
query.validate(visibility_field="on_behalf_of") query.validate(visibility_field="on_behalf_of")
@ -2534,6 +2595,9 @@ class QueryAlarmsController(rest.RestController):
:param body: Query rules for the alarms to be returned. :param body: Query rules for the alarms to be returned.
""" """
rbac.enforce('query_alarm', pecan.request)
query = ValidatedComplexQuery(body, query = ValidatedComplexQuery(body,
alarm_models.Alarm) alarm_models.Alarm)
query.validate(visibility_field="project_id") query.validate(visibility_field="project_id")

95
ceilometer/api/rbac.py Normal file
View File

@ -0,0 +1,95 @@
#
# Copyright 2012 New Dream Network, LLC (DreamHost)
# Copyright 2014 Hewlett-Packard Company
#
# Author: Doug Hellmann <doug.hellmann@dreamhost.com>
# Fabio Giannetti <fabio.giannetti@hp.com>
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
"""Access Control Lists (ACL's) control access the API server."""
import pecan
from ceilometer.openstack.common import policy
_ENFORCER = None
def enforce(policy_name, request):
"""Return the user and project the request should be limited to.
:param request: HTTP request
:param policy_name: the policy name to validate authz against.
"""
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer()
_ENFORCER.load_rules()
rule_method = "telemetry:" + policy_name
headers = request.headers
policy_dict = dict()
policy_dict['roles'] = headers.get('X-Roles', "").split(",")
policy_dict['target.user_id'] = (headers.get('X-User-Id'))
policy_dict['target.project_id'] = (headers.get('X-Project-Id'))
for rule_name in _ENFORCER.rules.keys():
if rule_method == rule_name:
if not _ENFORCER.enforce(
rule_name,
{},
policy_dict):
pecan.core.abort(status_code=403,
detail='RBAC Authorization Failed')
# TODO(fabiog): these methods are still used because the scoping part is really
# convoluted and difficult to separate out.
def get_limited_to(headers):
"""Return the user and project the request should be limited to.
:param headers: HTTP headers dictionary
:return: A tuple of (user, project), set to None if there's no limit on
one of these.
"""
global _ENFORCER
if not _ENFORCER:
_ENFORCER = policy.Enforcer()
_ENFORCER.load_rules()
policy_dict = dict()
policy_dict['roles'] = headers.get('X-Roles', "").split(",")
policy_dict['target.user_id'] = (headers.get('X-User-Id'))
policy_dict['target.project_id'] = (headers.get('X-Project-Id'))
if not _ENFORCER.enforce('segregation',
{},
policy_dict):
return headers.get('X-User-Id'), headers.get('X-Project-Id')
return None, None
def get_limited_to_project(headers):
"""Return the project the request should be limited to.
:param headers: HTTP headers dictionary
:return: A project, or None if there's no limit on it.
"""
return get_limited_to(headers)[1]

5
etc/ceilometer/policy.json
View File

@ -1,3 +1,6 @@
{ {
"context_is_admin": [["role:admin"]] "context_is_admin": "role:admin",
"context_is_project": "project_id:%(target.project_id)s",
"context_is_owner": "user_id:%(target.user_id)s",
"segregation": "rule:context_is_admin"
} }

31
etc/ceilometer/policy.json.sample Normal file
View File

@ -0,0 +1,31 @@
{
"context_is_admin": "role:admin",
"context_is_project": "project_id:%(target.project_id)s",
"context_is_owner": "user_id:%(target.user_id)s",
"segregation": "rule:context_is_admin",
"service_role": "role:service",
"iaas_role": "role:iaas",
"telemetry:get_samples": "rule:service_role or rule:iaas_role",
"telemetry:get_sample": "rule:context_is_project",
"telemetry:query_sample": "rule:context_is_admin",
"telemetry:create_samples": "rule:context_is_admin",
"telemetry:compute_statistics": "rule:context_is_admin",
"telemetry:get_meters": "rule:context_is_admin",
"telemetry:get_resource": "rule:context_is_admin",
"telemetry:get_resources": "rule:context_is_admin",
"telemetry:get_alarm": "rule:context_is_admin",
"telemetry:query_alarm": "rule:context_is_admin",
"telemetry:get_alarm_state": "rule:context_is_admin",
"telemetry:get_alarms": "rule:context_is_admin",
"telemetry:create_alarm": "rule:context_is_admin",
"telemetry:set_alarm": "rule:context_is_admin",
"telemetry:delete_alarm": "rule:context_is_admin",
"telemetry:alarm_history": "rule:context_is_admin",
"telemetry:change_alarm_state": "rule:context_is_admin",
"telemetry:query_alarm_history": "rule:context_is_admin"
}