From 0faf224610c73e3e2871b2b2a103b9d4a010601e Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 5 Mar 2021 16:13:37 -0500
Subject: [PATCH] Implement secure RBAC for containers API
Add new project scope specific RBAC rules for the containers API. The old
rules still apply, but eventually will be deprecated. The new
rules do include some changes to default policy, which are documented in
the release note.
Change-Id: I992e32832fee258ffb7b6397710f42759f28083d
---
barbican/common/policies/containers.py | 40 +++++++++++++------
...bac-container-policy-f7814e65dc2ab130.yaml | 13 ++++++
2 files changed, 41 insertions(+), 12 deletions(-)
create mode 100644 releasenotes/notes/secure-rbac-container-policy-f7814e65dc2ab130.yaml
diff --git a/barbican/common/policies/containers.py b/barbican/common/policies/containers.py
index 0636e81c2..d3e45ad27 100644
--- a/barbican/common/policies/containers.py
+++ b/barbican/common/policies/containers.py
@@ -13,11 +13,19 @@
from oslo_policy import policy
+_READER = "role:reader"
+_MEMBER = "role:member"
+_ADMIN = "role:admin"
+_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s"
+_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s"
+_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
+_CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
+
rules = [
policy.DocumentedRuleDefault(
name='containers:post',
- check_str='rule:admin_or_creator',
- scope_types=[],
+ check_str=f"rule:admin_or_creator or {_MEMBER}",
+ scope_types=['project'],
description='Creates a container.',
operations=[
{
@@ -28,8 +36,8 @@ rules = [
),
policy.DocumentedRuleDefault(
name='containers:get',
- check_str='rule:all_but_audit',
- scope_types=[],
+ check_str=f"rule:all_but_audit or {_MEMBER}",
+ scope_types=['project'],
description='Lists a projects containers.',
operations=[
{
@@ -43,8 +51,10 @@ rules = [
check_str='rule:container_non_private_read or ' +
'rule:container_project_creator or ' +
'rule:container_project_admin or ' +
- 'rule:container_acl_read',
- scope_types=[],
+ 'rule:container_acl_read or ' +
+ f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
+ f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
+ scope_types=['project'],
description='Retrieves a single container.',
operations=[
{
@@ -56,8 +66,10 @@ rules = [
policy.DocumentedRuleDefault(
name='container:delete',
check_str='rule:container_project_admin or ' +
- 'rule:container_project_creator',
- scope_types=[],
+ 'rule:container_project_creator or ' +
+ f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
+ f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
+ scope_types=['project'],
description='Deletes a container.',
operations=[
{
@@ -68,8 +80,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='container_secret:post',
- check_str='rule:admin',
- scope_types=[],
+ check_str='rule:admin or ' +
+ f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
+ f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
+ scope_types=['project'],
description='Add a secret to an existing container.',
operations=[
{
@@ -80,8 +94,10 @@ rules = [
),
policy.DocumentedRuleDefault(
name='container_secret:delete',
- check_str='rule:admin',
- scope_types=[],
+ check_str='rule:admin or ' +
+ f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
+ f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
+ scope_types=['project'],
description='Remove a secret from a container.',
operations=[
{
diff --git a/releasenotes/notes/secure-rbac-container-policy-f7814e65dc2ab130.yaml b/releasenotes/notes/secure-rbac-container-policy-f7814e65dc2ab130.yaml
new file mode 100644
index 000000000..485f3b834
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-container-policy-f7814e65dc2ab130.yaml
@@ -0,0 +1,13 @@
+---
+features:
+ - |
+ Implement secure-rbac for containers resource.
+security:
+ - |
+ The new secure-rbac policy allows secrets to be added and removed from
+ containers by members. This is a change from the previous policy which
+ only allowed admins to add and remove secrets.
+ - |
+ The new secure-rbac policy allows for container deletion by members.
+ This is a change from the previous policy that only allowed deletion
+ by the creator or the project admin.