Implement secure RBAC for transport key API

Add new system scope specific RBAC rules for the transport key API. The new rules tighten the policy to only allow system admins to add or delete transport keys. Change-Id: Icbe81724fb8b4f28fc4b5d24afe2618e759fcbad
2021-03-08 15:41:49 -05:00 · 2021-03-08 15:41:49 -05:00 · 9a16e9114f
commit 9a16e9114f
parent f02d81be2b
2 changed files with 16 additions and 4 deletions
--- a/barbican/common/policies/transportkeys.py
+++ b/barbican/common/policies/transportkeys.py
@ -13,6 +13,8 @@
 from oslo_policy import policy


+_SYSTEM_ADMIN = "role:admin and system_scope:all"
+
 rules = [
    policy.DocumentedRuleDefault(
        name='transport_key:get',
@ -28,8 +30,8 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='transport_key:delete',
-        check_str='rule:admin',
-        scope_types=[],
+        check_str=f'{_SYSTEM_ADMIN}',
+        scope_types=['system'],
        description='Delete a specific transport key.',
        operations=[
            {
@ -52,8 +54,8 @@ rules = [
    ),
    policy.DocumentedRuleDefault(
        name='transport_keys:post',
-        check_str='rule:admin',
-        scope_types=[],
+        check_str=f'{_SYSTEM_ADMIN}',
+        scope_types=['system'],
        description='Create a new transport key.',
        operations=[
            {
--- a/releasenotes/notes/secure-rbac-transportkey-policy-3e904787694f8471.yaml
+++ b/releasenotes/notes/secure-rbac-transportkey-policy-3e904787694f8471.yaml
@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Implement secure-rbac for transportkeys resource.
+security:
+  - |
+    The current policy allows users with the admin role to add or delete
+    transport keys.  This interface was only ever intended to be used by
+    system admins, and so it has been restricted using the new policy
+    to the system admin only (admins with system_scope:all).