Merge pull request #112 from stackhpc/upstream/master-2025-02-24

Synchronise master with upstream

Author: priteau

cloudkitty/common/policies/base.py

@@ -19,6 +19,24 @@
 ROLE_ADMIN = 'role:admin'
 UNPROTECTED = ''
 
+DEPRECATED_REASON = """
+CloudKitty API policies are introducing new default roles with scope_type
+capabilities. Old policies are deprecated and silently going to be ignored
+in future release.
+"""
+
+DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
+    name=RULE_ADMIN_OR_OWNER,
+    check_str='is_admin:True or '
+              '(role:admin and is_admin_project:True) or '
+              'project_id:%(project_id)s',
+    deprecated_reason=DEPRECATED_REASON,
+    deprecated_since='22.0.0'
+)
+
+PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
+PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'
+
 rules = [
     policy.RuleDefault(
         name='context_is_admin',
@@ -27,10 +45,33 @@
         name='admin_or_owner',
         check_str='is_admin:True or '
                   '(role:admin and is_admin_project:True) or '
-                  'project_id:%(project_id)s'),
+                  'project_id:%(project_id)s',
+        deprecated_for_removal=True,
+        deprecated_reason=DEPRECATED_REASON,
+        deprecated_since='22.0.0'),
     policy.RuleDefault(
         name='default',
-        check_str=UNPROTECTED)
+        check_str=UNPROTECTED),
+    policy.RuleDefault(
+        "project_member_api",
+        "role:member and project_id:%(project_id)s",
+        "Default rule for Project level non admin APIs.",
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
+    policy.RuleDefault(
+        "project_reader_api",
+        "role:reader and project_id:%(project_id)s",
+        "Default rule for Project level read only APIs.",
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
+    policy.RuleDefault(
+        "project_member_or_admin",
+        "rule:project_member_api or rule:context_is_admin",
+        "Default rule for Project Member or admin APIs.",
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
+    policy.RuleDefault(
+        "project_reader_or_admin",
+        "rule:project_reader_api or rule:context_is_admin",
+        "Default rule for Project reader or admin APIs.",
+        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
 ]
 
 

cloudkitty/common/policies/v1/collector.py

@@ -23,33 +23,38 @@
         check_str=base.ROLE_ADMIN,
         description='Return the list of every services mapped to a collector.',
         operations=[{'path': '/v1/collector/mappings',
-                     'method': 'LIST'}]),
+                     'method': 'LIST'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='collector:get_mapping',
         check_str=base.ROLE_ADMIN,
         description='Return a service to collector mapping.',
         operations=[{'path': '/v1/collector/mappings/{service_id}',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='collector:manage_mapping',
         check_str=base.ROLE_ADMIN,
         description='Manage a service to collector mapping.',
         operations=[{'path': '/v1/collector/mappings',
                      'method': 'POST'},
                     {'path': '/v1/collector/mappings/{service_id}',
-                     'method': 'DELETE'}]),
+                     'method': 'DELETE'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='collector:get_state',
         check_str=base.ROLE_ADMIN,
         description='Query the enable state of a collector.',
         operations=[{'path': '/v1/collector/states/{collector_id}',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='collector:update_state',
         check_str=base.ROLE_ADMIN,
         description='Set the enable state of a collector.',
         operations=[{'path': '/v1/collector/states/{collector_id}',
-                     'method': 'PUT'}])
+                     'method': 'PUT'}],
+        scope_types=['project'])
 ]
 
 

cloudkitty/common/policies/v1/info.py

@@ -23,31 +23,36 @@
         check_str=base.UNPROTECTED,
         description='List available services information in Cloudkitty.',
         operations=[{'path': '/v1/info/services',
-                     'method': 'LIST'}]),
+                     'method': 'LIST'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='info:get_service_info',
         check_str=base.UNPROTECTED,
         description='Get specified service information.',
         operations=[{'path': '/v1/info/services/{metric_id}',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='info:list_metrics_info',
         check_str=base.UNPROTECTED,
         description='List available metrics information in Cloudkitty.',
         operations=[{'path': '/v1/info/metrics',
-                     'method': 'LIST'}]),
+                     'method': 'LIST'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='info:get_metric_info',
         check_str=base.UNPROTECTED,
         description='Get specified metric information.',
         operations=[{'path': '/v1/info/metrics/{metric_id}',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='info:get_config',
         check_str=base.UNPROTECTED,
         description='Get current configuration in Cloudkitty.',
         operations=[{'path': '/v1/info/config',
-                     'method': 'GET'}])
+                     'method': 'GET'}],
+        scope_types=['project'])
 ]
 
 

cloudkitty/common/policies/v1/rating.py

@@ -23,32 +23,37 @@
         check_str=base.ROLE_ADMIN,
         description='Return the list of loaded modules in Cloudkitty.',
         operations=[{'path': '/v1/rating/modules',
-                     'method': 'LIST'}]),
+                     'method': 'LIST'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='rating:get_module',
         check_str=base.ROLE_ADMIN,
         description='Get specified module.',
         operations=[{'path': '/v1/rating/modules/{module_id}',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='rating:update_module',
         check_str=base.ROLE_ADMIN,
         description='Change the state and priority of a module.',
         operations=[{'path': '/v1/rating/modules/{module_id}',
-                     'method': 'PUT'}]),
+                     'method': 'PUT'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='rating:quote',
         check_str=base.UNPROTECTED,
         description='Get an instant quote based on multiple resource '
                     'descriptions.',
         operations=[{'path': '/v1/rating/quote',
-                     'method': 'POST'}]),
+                     'method': 'POST'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='rating:module_config',
         check_str=base.ROLE_ADMIN,
         description='Trigger a rating module list reload.',
         operations=[{'path': '/v1/rating/reload_modules',
-                     'method': 'GET'}])
+                     'method': 'GET'}],
+        scope_types=['project'])
 ]
 
 

cloudkitty/common/policies/v1/report.py

@@ -23,19 +23,22 @@
         check_str=base.ROLE_ADMIN,
         description='Return the list of rated tenants.',
         operations=[{'path': '/v1/report/tenants',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='report:get_summary',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_READER_OR_ADMIN,
         description='Return the summary to pay for a given period.',
         operations=[{'path': '/v1/report/summary',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='report:get_total',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_READER_OR_ADMIN,
         description='Return the amount to pay for a given period.',
         operations=[{'path': '/v1/report/total',
-                     'method': 'GET'}])
+                     'method': 'GET'}],
+        scope_types=['project'])
 ]
 
 

cloudkitty/common/policies/v1/storage.py

@@ -20,11 +20,12 @@
 storage_policies = [
     policy.DocumentedRuleDefault(
         name='storage:list_data_frames',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_READER_OR_ADMIN,
         description='Return a list of rated resources for a time period '
                     'and a tenant.',
         operations=[{'path': '/v1/storage/dataframes',
-                     'method': 'GET'}])
+                     'method': 'GET'}],
+        scope_types=['project'])
 ]
 
 

cloudkitty/common/policies/v2/dataframes.py

@@ -23,13 +23,15 @@
         check_str=base.ROLE_ADMIN,
         description='Add one or several DataFrames',
         operations=[{'path': '/v2/dataframes',
-                     'method': 'POST'}]),
+                     'method': 'POST'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='dataframes:get',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_READER_OR_ADMIN,
         description='Get DataFrames',
         operations=[{'path': '/v2/dataframes',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
 ]
 
 

cloudkitty/common/policies/v2/rating.py

@@ -23,19 +23,22 @@
         check_str=base.ROLE_ADMIN,
         description='Returns the list of loaded modules in Cloudkitty.',
         operations=[{'path': '/v2/rating/modules',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='v2_rating:get_module',
         check_str=base.ROLE_ADMIN,
         description='Get specified module.',
         operations=[{'path': '/v2/rating/modules/{module_id}',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='v2_rating:update_module',
         check_str=base.ROLE_ADMIN,
         description='Change the state and priority of a module.',
         operations=[{'path': '/v2/rating/modules/{module_id}',
-                     'method': 'PUT'}])
+                     'method': 'PUT'}],
+        scope_types=['project'])
 ]
 
 

cloudkitty/common/policies/v2/scope.py

@@ -23,25 +23,29 @@
         check_str=base.ROLE_ADMIN,
         description='Get the state of one or several scopes',
         operations=[{'path': '/v2/scope',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='scope:reset_state',
         check_str=base.ROLE_ADMIN,
         description='Reset the state of one or several scopes',
         operations=[{'path': '/v2/scope',
-                     'method': 'PUT'}]),
+                     'method': 'PUT'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='scope:patch_state',
         check_str=base.ROLE_ADMIN,
         description='Enables operators to patch a storage scope',
         operations=[{'path': '/v2/scope',
-                     'method': 'PATCH'}]),
+                     'method': 'PATCH'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='scope:post_state',
         check_str=base.ROLE_ADMIN,
         description='Enables operators to create a storage scope',
         operations=[{'path': '/v2/scope',
-                     'method': 'POST'}]),
+                     'method': 'POST'}],
+        scope_types=['project']),
 ]
 
 

cloudkitty/common/policies/v2/summary.py

@@ -19,10 +19,11 @@
 example_policies = [
     policy.DocumentedRuleDefault(
         name='summary:get_summary',
-        check_str=base.RULE_ADMIN_OR_OWNER,
+        check_str=base.PROJECT_READER_OR_ADMIN,
         description='Get a rating summary',
         operations=[{'path': '/v2/summary',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
 ]
 
 

cloudkitty/common/policies/v2/tasks.py

@@ -22,13 +22,15 @@
         check_str=base.ROLE_ADMIN,
         description='Schedule a scope for reprocessing',
         operations=[{'path': '/v2/task/reprocesses',
-                     'method': 'POST'}]),
+                     'method': 'POST'}],
+        scope_types=['project']),
     policy.DocumentedRuleDefault(
         name='schedule:get_task_reprocesses',
         check_str=base.ROLE_ADMIN,
         description='Get reprocessing schedule tasks for scopes.',
         operations=[{'path': '/v2/task/reprocesses',
-                     'method': 'GET'}]),
+                     'method': 'GET'}],
+        scope_types=['project']),
 ]
 
 

releasenotes/notes/secure-rbac-defaults-5bb903323634a94c.yaml

@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    The CloudKitty policies implemented the scope concept and new default roles
+    (``admin``, ``member``, and ``reader``) provided by keystone.
+upgrade:
+  - |
+    All the policies implement the ``scope_type`` and new defaults.
+
+    * **Scope**
+
+      Each policy is protected with ``project`` ``scope_type``.
+
+    * **New Defaults (Admin, Member and Reader)**
+
+      Policies are default to Admin, Member and Reader roles. Old roles are
+      also supported. There is no change in the legacy admin access.