
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.


13from oslo_policy import policy 


# Legacy rule aliases.  The two 'rule:' strings resolve to the RuleDefaults
# of the same name registered in ``rules`` below; '@' and '!' are the
# unconditional allow / deny check strings.
RULE_ADMIN_OR_OWNER = 'rule:admin_or_owner'  # Admins or owners of the resource
RULE_ADMIN_API = 'rule:admin_api'  # Allow only users with the admin role
RULE_ANY = '@'  # Any user is allowed to perform the action.
RULE_NOBODY = '!'  # No users are allowed to perform the action.

19 

# Deprecation text shared by every legacy rule in this module.  The
# operational point for deployers: the old check strings stop being
# honoured in the 23.0.0 release, so policy overrides written against
# them must be migrated to the new rule names defined below.
DEPRECATED_REASON = """
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
"""

25 

# Legacy check string for RULE_ADMIN_API.  The rule that supersedes it,
# ``context_is_admin`` in ``rules`` below, points at this object through
# ``deprecated_rule=``.
# NOTE(review): while a deprecated_rule is attached, oslo.policy is
# expected to keep accepting the legacy check_str alongside the new one,
# i.e. the effective permission is the union of both until the
# deprecation window closes -- confirm against the oslo.policy release
# in use before relying on the new rule alone.
DEPRECATED_ADMIN_POLICY = policy.DeprecatedRule(
    name=RULE_ADMIN_API,
    check_str='is_admin:True',
    deprecated_reason=DEPRECATED_REASON,
    deprecated_since='21.0.0'
)

32 

# Legacy check string for RULE_ADMIN_OR_OWNER.  Attached via
# ``deprecated_rule=`` to all four project-scoped rules in ``rules`` below
# (project_member_api, project_reader_api, project_member_or_admin,
# project_reader_or_admin).  Note that the legacy form grants access on a
# bare project_id match without requiring any role, which is exactly what
# the new role-qualified rules tighten.
# NOTE(review): as with DEPRECATED_ADMIN_POLICY, the legacy check_str is
# presumably still honoured during the deprecation window -- verify
# against the oslo.policy release in use.
DEPRECATED_ADMIN_OR_OWNER_POLICY = policy.DeprecatedRule(
    name=RULE_ADMIN_OR_OWNER,
    check_str='is_admin:True or project_id:%(project_id)s',
    deprecated_reason=DEPRECATED_REASON,
    deprecated_since='21.0.0'
)

39 

# New-style rule aliases used by the per-API policy modules.  Each resolves
# to a RuleDefault of the same name registered in ``rules`` below; the
# *_OR_ADMIN variants compose the project-scoped rule with
# ``context_is_admin``.
ADMIN = 'rule:context_is_admin'
PROJECT_MEMBER = 'rule:project_member_api'
PROJECT_READER = 'rule:project_reader_api'
PROJECT_MEMBER_OR_ADMIN = 'rule:project_member_or_admin'
PROJECT_READER_OR_ADMIN = 'rule:project_reader_or_admin'

45 

# NOTE(gmann): Below is the mapping of new roles with legacy roles::
#
#  Legacy Rule        | New Rules                 | Operation        | scope_type
#  -------------------+---------------------------+------------------+-----------
#  RULE_ADMIN_API     |-> ADMIN                   | Global resource  | [project]
#                     |                           | Write & Read     |
#  -------------------+---------------------------+------------------+-----------
#                     |-> ADMIN                   | Project admin    | [project]
#                     |                           | level operation  |
#  RULE_ADMIN_OR_OWNER|-> PROJECT_MEMBER_OR_ADMIN | Project resource | [project]
#                     |                           | Write            |
#                     |-> PROJECT_READER_OR_ADMIN | Project resource | [project]
#                     |                           | Read             |

59 

# NOTE(johngarbutt) The base rules here affect so many APIs that the list
# of related API operations has not been populated. It would be
# crazy hard to manually maintain such a list.

63 

# NOTE(gmann): Keystone already supports implied roles, meaning the
# assignment of one role implies the assignment of another. The new default
# roles `reader` and `member` have also been added in bootstrap. If the
# bootstrap process is re-run, and a `reader`, `member`, or `admin` role
# already exists, a role implication chain will be created: `admin` implies
# `member` implies `reader`.
# For example: if we give access to 'reader', the 'admin' and 'member'
# roles also get access.

rules = [
    # Anchor for every admin check in nova: the description below states
    # that this rule decides the ``is_admin:True`` check, so widening it
    # widens every admin-gated API at once.
    policy.RuleDefault(
        "context_is_admin",
        "role:admin",
        "Decides what is required for the 'is_admin:True' check to succeed.",
        deprecated_rule=DEPRECATED_ADMIN_POLICY),
    # Legacy owner-or-admin rule, marked for removal (see DEPRECATED_REASON).
    # Grants on a project_id match alone, without any role requirement.
    policy.RuleDefault(
        "admin_or_owner",
        "is_admin:True or project_id:%(project_id)s",
        "Default rule for most non-Admin APIs.",
        deprecated_for_removal=True,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since='21.0.0'),
    # Legacy admin-only rule, marked for removal (see DEPRECATED_REASON).
    policy.RuleDefault(
        "admin_api",
        "is_admin:True",
        "Default rule for most Admin APIs.",
        deprecated_for_removal=True,
        deprecated_reason=DEPRECATED_REASON,
        deprecated_since='21.0.0'),
    # Project-scoped write access: the ``member`` role AND a project_id
    # match are both required.  The AND is the security-relevant part --
    # a member of some other project is denied.  The %(project_id)s
    # placeholder is presumably filled from the enforcement target by
    # oslo.policy; confirm at the call sites.
    policy.RuleDefault(
        "project_member_api",
        "role:member and project_id:%(project_id)s",
        "Default rule for Project level non admin APIs.",
        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
    # Project-scoped read access; same shape, with the ``reader`` role.
    policy.RuleDefault(
        "project_reader_api",
        "role:reader and project_id:%(project_id)s",
        "Default rule for Project level read only APIs.",
        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
    # Composite rules: project member / reader OR context_is_admin.  These
    # are the replacements for admin_or_owner in the mapping table above,
    # which is why the legacy rule is attached as deprecated_rule.
    policy.RuleDefault(
        "project_member_or_admin",
        "rule:project_member_api or rule:context_is_admin",
        "Default rule for Project Member or admin APIs.",
        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY),
    policy.RuleDefault(
        "project_reader_or_admin",
        "rule:project_reader_api or rule:context_is_admin",
        "Default rule for Project reader or admin APIs.",
        deprecated_rule=DEPRECATED_ADMIN_OR_OWNER_POLICY)
]



def list_rules():
    """Return the base policy RuleDefaults registered by this module.

    The module-level ``rules`` list itself is returned (not a copy), so
    callers that mutate the result mutate the shared defaults.
    """
    base_rule_defaults = rules
    return base_rule_defaults