From a0bc52c81a2cf4044105341c80fbcfb5b9ca6581 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 9 Mar 2021 11:15:43 -0500
Subject: [PATCH] Implement secure RBAC for quota API
Add new system scope specific RBAC rules for the quota API.
Change-Id: I4fd1676e8ead673b91bad1cc9749147ac5d62d7f
---
barbican/common/policies/quotas.py | 20 +++++++++++--------
...e-rbac-quotas-policy-f725a2752d1ba3f4.yaml | 11 ++++++++++
2 files changed, 23 insertions(+), 8 deletions(-)
create mode 100644 releasenotes/notes/secure-rbac-quotas-policy-f725a2752d1ba3f4.yaml
diff --git a/barbican/common/policies/quotas.py b/barbican/common/policies/quotas.py
index 4a7c7eea3..fea49fd23 100644
--- a/barbican/common/policies/quotas.py
+++ b/barbican/common/policies/quotas.py
@@ -13,11 +13,15 @@ from oslo_policy import policy
+_READER = "role:reader"
+_SYSTEM_ADMIN = "role:admin and system_scope:all"
+_SYSTEM_READER = "role:reader and system_scope:all"
+
 rules = [
 policy.DocumentedRuleDefault(
 name='quotas:get',
- check_str='rule:all_users',
- scope_types=[],
+ check_str=f'rule:all_users or {_READER}',
+ scope_types=['project'],
 description='List quotas for the project the user belongs to.',
 operations=[
 {
@@ -28,8 +32,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='project_quotas:get',
- check_str='rule:service_admin',
- scope_types=[],
+ check_str=f'rule:service_admin or {_SYSTEM_READER}',
+ scope_types=['system'],
 description='List quotas for the specified project.',
 operations=[
 {
@@ -44,8 +48,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='project_quotas:put',
- check_str='rule:service_admin',
- scope_types=[],
+ check_str=f'rule:service_admin or {_SYSTEM_ADMIN}',
+ scope_types=['system'],
 description='Create or update the configured project quotas for '
 'the project with the specified UUID.',
 operations=[
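Review bot: `_READER = "role:reader"` carries no scope qualifier, unlike `_SYSTEM_ADMIN` and `_SYSTEM_READER`, so in `quotas:get` the restriction to project tokens rests entirely on `scope_types=['project']`. As far as I know, oslo.policy rejects a mismatched token scope only when `[oslo_policy] enforce_scope` is enabled; otherwise it logs a warning and evaluates the check string, which any token holding the reader role satisfies. I would record that dependency next to the constant, for example `# NOTE: not scope-qualified; project scoping of quotas:get depends on scope_types and enforce_scope`. The `rules = [` list and the `quotas:get` entry continue outside this hunk and `rule:all_users` is defined elsewhere, so how far `or role:reader` widens read access cannot be judged from these lines.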
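Review bot: In `project_quotas:get` the legacy `rule:service_admin` is kept by writing it into the new `check_str`, so operators get no deprecation warning for the old path and `[oslo_policy] enforce_new_defaults` cannot switch it off; the same applies to `project_quotas:put` in the next hunk and `project_quotas:delete` in the last one. oslo.policy's `deprecated_rule` gives the same OR during the transition while letting a deployment enforce only the system-scoped default. With `scope_types=['system']` and scope enforcement enabled, a project-scoped service-admin token is probably rejected on scope before the check string is evaluated, so which branch is reachable depends on configuration and is worth stating in the release note. The sketch shows the shape for one rule; the reason and release strings are placeholders, their placement may differ by oslo.policy version, and the entry's `operations` continue outside the hunk.

```python
    policy.DocumentedRuleDefault(
        name='project_quotas:get',
        check_str=_SYSTEM_READER,
        deprecated_rule=policy.DeprecatedRule(
            name='project_quotas:get',
            check_str='rule:service_admin',
            deprecated_reason='<PLACEHOLDER: why the legacy rule is going away>',
            deprecated_since='<PLACEHOLDER: release name>',
        ),
        # … unchanged: scope_types, description, operations …
```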
@@ -57,8 +61,8 @@ rules = [
 ),
 policy.DocumentedRuleDefault(
 name='project_quotas:delete',
- check_str='rule:service_admin',
- scope_types=[],
+ check_str=f'rule:service_admin or {_SYSTEM_ADMIN}',
+ scope_types=['system'],
 description='Delete the project quotas configuration for the '
 'project with the requested UUID.',
 operations=[
diff --git a/releasenotes/notes/secure-rbac-quotas-policy-f725a2752d1ba3f4.yaml b/releasenotes/notes/secure-rbac-quotas-policy-f725a2752d1ba3f4.yaml
new file mode 100644
index 000000000..0d811807d
--- /dev/null
+++ b/releasenotes/notes/secure-rbac-quotas-policy-f725a2752d1ba3f4.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - |
+ Implement secure-rbac for quotas resource.
+security:
+ - |
+ The current policy only allows users with the key-manager:service-admin
+ role to list, get, add, update or delete project quotas. The new
+ policy allows system readers to list quotas and get quotas for specific
+ projects and system admins (role:admin and system_scope:all) to add,
+ update and delete project quotas.