Member "glance-24.1.0/glance/policies/base.py" (8 Jun 2022, 5673 Bytes) of package /linux/misc/openstack/glance-24.1.0.tar.gz:


    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 from oslo_policy import policy
   14 
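# Generic check string for checking if a user is authorized on a particular
# project, specifically with the member role. ``role:member`` is matched
# against the roles carried by the request context; ``project_id:%(project_id)s``
# compares the context's project_id with the ``project_id`` key of the target
# dict passed to the enforcer.
PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
# Generic check string for checking if a user is authorized on a particular
# project but with read-only access. For example, this persona would be able to
# list private images owned by a project but cannot make any writeable changes
# to those images.
PROJECT_READER = 'role:reader and project_id:%(project_id)s'

# Make sure the member_id of the supplied target matches the project_id from
# the context object, which is derived from keystone tokens.
IMAGE_MEMBER_CHECK = 'project_id:%(member_id)s'
# Check if the visibility of the image supplied in the target matches
# "community". The quoted left-hand side is a string literal compared with the
# target's ``visibility`` value, not a key looked up in the context.
COMMUNITY_VISIBILITY_CHECK = "'community':%(visibility)s"
# Check if the visibility of the resource supplied in the target matches
# "public"
PUBLIC_VISIBILITY_CHECK = "'public':%(visibility)s"
# Check if the visibility of the image supplied in the target matches "shared"
SHARED_VISIBILITY_CHECK = "'shared':%(visibility)s"

# Composite checks: the role requirement applies to every alternative inside
# the parentheses, so a member/reader of *some* project still only reaches an
# image that is their own, shared with them, or community/public.
PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED = (
    f'role:member and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK} '
    f'or {COMMUNITY_VISIBILITY_CHECK} or {PUBLIC_VISIBILITY_CHECK} '
    f'or {SHARED_VISIBILITY_CHECK})'
)
PROJECT_READER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED = (
    f'role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK} '
    f'or {COMMUNITY_VISIBILITY_CHECK} or {PUBLIC_VISIBILITY_CHECK} '
    f'or {SHARED_VISIBILITY_CHECK})'
)
PROJECT_READER_OR_PUBLIC_NAMESPACE = (
    f'role:reader and (project_id:%(project_id)s or {PUBLIC_VISIBILITY_CHECK})'
)


# FIXME(lbragstad): These are composite check strings that represents glance's
# authorization code, some of which is implemented in the authorization wrapper
# and some is in the database driver.
#
# These check strings do not support tenancy with the `admin` role. This means
# anyone with the `admin` role on any project can execute a policy, which is
# typical in OpenStack services. Eventually, these check strings will be
# superseded by check strings that implement scope checking and system-scope
# for applicable APIs (e.g., making an image public). But, we have a lot of
# cleanup to do in different parts of glance to sweep all the authorization
# code into a single layer before we can safely consume system-scope and
# implement scope checking. This refactoring also needs significant API testing
# to ensure we don't leave doors open to unintended users, or expose
# authoritative regressions. In the mean time, we can use the following check
# strings to offer formal support for project membership and a read-only
# variant consistent with other OpenStack services.
ADMIN_OR_PROJECT_MEMBER = f'role:admin or ({PROJECT_MEMBER})'
ADMIN_OR_PROJECT_READER = f'role:admin or ({PROJECT_READER})'
ADMIN_OR_PROJECT_READER_GET_IMAGE = (
    'role:admin or '
    f'({PROJECT_READER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})'
)
ADMIN_OR_PROJECT_MEMBER_DOWNLOAD_IMAGE = (
    'role:admin or '
    f'({PROJECT_MEMBER_OR_IMAGE_MEMBER_OR_COMMUNITY_OR_PUBLIC_OR_SHARED})'
)
# ``owner`` is the project the new image will be attributed to; requiring it to
# equal the caller's project_id prevents a member from creating images on
# behalf of another project.
ADMIN_OR_PROJECT_MEMBER_CREATE_IMAGE = (
    f'role:admin or ({PROJECT_MEMBER} and project_id:%(owner)s)'
)
ADMIN_OR_PROJECT_READER_GET_NAMESPACE = (
    f'role:admin or ({PROJECT_READER_OR_PUBLIC_NAMESPACE})'
)


ADMIN_OR_SHARED_MEMBER = (
    f'role:admin or (role:member and {IMAGE_MEMBER_CHECK})'
)
# oslo.policy binds ``and`` tighter than ``or``, so this already meant
# ``role:admin or (role:reader and (...))``; the parentheses are written out
# to match the sibling constants and keep the grouping explicit for readers.
ADMIN_OR_PROJECT_READER_OR_SHARED_MEMBER = (
    'role:admin or '
    f'(role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK}))'
)

# Plain literal: no placeholders, so no f-string prefix is needed.
ADMIN = 'role:admin'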
   94 
# Historical ``default`` rule. Before Ussuri any policy name missing from the
# policy file fell back to ``role:admin``; operators who still rely on that
# fallback must now spell it out in their policy file.
_DEFAULT_RULE_DEPRECATED = policy.DeprecatedRule(
    name='default',
    check_str='role:admin',
    deprecated_reason=(
        'In order to allow operators to '
        'accept the default policies from code by not '
        'defining them in the policy file, while still '
        'working with old policy files that rely on the '
        '``default`` rule for policies that are '
        'not specified in the policy file, the ``default`` '
        'rule must now be explicitly set to '
        '``"role:admin"`` when that is the desired default '
        'for unspecified rules.'
    ),
    deprecated_since='Ussuri',
)

# Base rules shared by every glance policy module. NOTE(review): an empty
# check_str on ``default`` is treated by oslo.policy as always-true, so any
# policy name that is neither registered in code nor present in the policy
# file is permitted — confirm that matches the intended fallback.
rules = [
    policy.RuleDefault(
        name='default',
        check_str='',
        description=(
            'Defines the default rule used for '
            'policies that historically had an empty '
            'policy in the supplied policy.json file.'
        ),
        deprecated_rule=_DEFAULT_RULE_DEPRECATED,
    ),
    # Backs the ``is_admin:True`` flag the context sets from this rule.
    policy.RuleDefault(
        name='context_is_admin',
        check_str='role:admin',
        description=(
            'Defines the rule for the is_admin:True '
            'check.'
        ),
    ),
]
  117 
  118 
def list_rules():
    """Return the base ``RuleDefault`` objects defined in this module.

    The module-level ``rules`` list itself is returned (not a copy), which is
    what the policy registration code expects from every ``list_rules`` hook.
    """
    return rules