
    1 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
    2 #    not use this file except in compliance with the License. You may obtain
    3 #    a copy of the License at
    4 #
    5 #         http://www.apache.org/licenses/LICENSE-2.0
    6 #
    7 #    Unless required by applicable law or agreed to in writing, software
    8 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    9 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   10 #    License for the specific language governing permissions and limitations
   11 #    under the License.
   12 
   13 from oslo_log import versionutils
   14 from oslo_policy import policy
   15 
   16 from octavia.common import constants
   17 
# Pre-Wallaby forms of three rules.  The current RuleDefault for each of
# them (further down in ``rules``) passes its predecessor as
# ``deprecated_rule``; oslo.policy presumably keeps the old check string
# honoured during the deprecation window -- confirm against the deployed
# oslo.policy version.  Note that the old ``context_is_admin`` form grants
# admin on a bare ``role:admin`` with no system-scope requirement.
deprecated_context_is_admin = policy.DeprecatedRule(
    name='context_is_admin',
    check_str='role:admin or role:load-balancer_admin',
)

deprecated_observer_and_owner = policy.DeprecatedRule(
    name='load-balancer:observer_and_owner',
    check_str='role:load-balancer_observer and rule:load-balancer:owner',
)

deprecated_member_and_owner = policy.DeprecatedRule(
    name='load-balancer:member_and_owner',
    check_str='role:load-balancer_member and rule:load-balancer:owner',
)
   33 
# Base policy rules for the Octavia API, exposed through list_rules() below.
# Two layers are defined: the OpenStack-wide scoped roles (system-admin,
# system-reader, project-member, project-reader) and the Octavia specific
# load-balancer_* roles.  The "API access methods" at the end combine both
# layers into the read/write checks that the per-resource policies refer to.
# Entries carrying ``deprecated_rule`` point at the pre-Wallaby check string
# defined above.
rules = [

    # OpenStack wide scoped rules

    # System scoped Administrator
    policy.RuleDefault(
        name='system-admin',
        check_str='role:admin and '
                  'system_scope:all',
        scope_types=[constants.RBAC_SCOPE_SYSTEM]),

    # System scoped Reader
    policy.RuleDefault(
        name='system-reader',
        check_str='role:reader and '
                  'system_scope:all',
        scope_types=[constants.RBAC_SCOPE_SYSTEM]),

    # Project scoped Member
    # The %(project_id)s placeholder is filled from the enforcement target,
    # so this only matches a caller acting within the resource's own project.
    policy.RuleDefault(
        name='project-member',
        check_str='role:member and '
                  'project_id:%(project_id)s',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),

    # Project scoped Reader
    policy.RuleDefault(
        name='project-reader',
        check_str='role:reader and '
                  'project_id:%(project_id)s',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),

    # Octavia specific Advanced RBAC rules

    # The default is to not allow access unless the auth_strategy is 'noauth'.
    # Users must be a member of one of the following roles to have access to
    # the load-balancer API:
    #
    # role:load-balancer_observer
    #     User has access to load-balancer read-only APIs
    # role:load-balancer_global_observer
    #     User has access to load-balancer read-only APIs including resources
    #     owned by others.
    # role:load-balancer_member
    #     User has access to load-balancer read and write APIs
    # role:load-balancer_admin
    #     User is considered an admin for all load-balancer APIs including
    #     resources owned by others.
    # role:admin and system_scope:all
    #     User is admin to all service APIs, including Octavia.

    # NOTE(review): with ``deprecated_rule`` attached, oslo.policy is expected
    # to keep honouring the old check_str ('role:admin or
    # role:load-balancer_admin', which has no system_scope requirement)
    # alongside the new one until the operator opts into the new defaults --
    # confirm the exact behaviour against the deployed oslo.policy version.
    # The same applies to the two other deprecated rules below.
    policy.RuleDefault(
        name='context_is_admin',
        check_str='role:load-balancer_admin or '
                  'rule:system-admin',
        deprecated_rule=deprecated_context_is_admin,
        deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.WALLABY,
        scope_types=[constants.RBAC_SCOPE_SYSTEM]),

    # Note: 'is_admin:True' is a policy rule that takes into account the
    # auth_strategy == noauth configuration setting.
    # It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}'

    # Ownership check: caller's project must equal the target's project_id.
    policy.RuleDefault(
        name='load-balancer:owner',
        check_str='project_id:%(project_id)s',
        scope_types=[constants.RBAC_SCOPE_PROJECT]),

    # API access roles
    # Project-scoped: the Octavia role AND the scoped OpenStack reader/member
    # rule (which carries the project_id ownership check).
    policy.RuleDefault(
        name='load-balancer:observer_and_owner',
        check_str='role:load-balancer_observer and '
                  'rule:project-reader',
        deprecated_rule=deprecated_observer_and_owner,
        deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.WALLABY,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),

    # System-scoped: no ownership check, matches resources of any project.
    policy.RuleDefault(
        name='load-balancer:global_observer',
        check_str='role:load-balancer_global_observer or '
                  'rule:system-reader',
        scope_types=[constants.RBAC_SCOPE_SYSTEM]),

    policy.RuleDefault(
        name='load-balancer:member_and_owner',
        check_str='role:load-balancer_member and '
                  'rule:project-member',
        deprecated_rule=deprecated_member_and_owner,
        deprecated_reason=constants.RBAC_ROLES_DEPRECATED_REASON,
        deprecated_since=versionutils.deprecated.WALLABY,
        scope_types=[constants.RBAC_SCOPE_PROJECT]),

    # API access methods

    # 'is_admin:True' makes this rule pass unconditionally under the noauth
    # strategy (see the note above).
    policy.RuleDefault(
        name='load-balancer:admin',
        check_str='is_admin:True or '
                  'role:load-balancer_admin or '
                  'rule:system-admin',
        scope_types=[constants.RBAC_SCOPE_SYSTEM]),

    # Both scope types are listed because this ORs the project-scoped
    # owner rules with the system-scoped global_observer/admin rules.
    policy.RuleDefault(
        name='load-balancer:read',
        check_str='rule:load-balancer:observer_and_owner or '
                  'rule:load-balancer:global_observer or '
                  'rule:load-balancer:member_and_owner or '
                  'rule:load-balancer:admin',
        scope_types=[constants.RBAC_SCOPE_PROJECT,
                     constants.RBAC_SCOPE_SYSTEM]),

    policy.RuleDefault(
        name='load-balancer:read-global',
        check_str='rule:load-balancer:global_observer or '
                  'rule:load-balancer:admin',
        scope_types=[constants.RBAC_SCOPE_SYSTEM]),

    policy.RuleDefault(
        name='load-balancer:write',
        check_str='rule:load-balancer:member_and_owner or '
                  'rule:load-balancer:admin',
        scope_types=[constants.RBAC_SCOPE_PROJECT,
                     constants.RBAC_SCOPE_SYSTEM]),

    # NOTE(review): 'role:load-balancer_quota_admin' in the three quota rules
    # is a bare role match with no project/scope qualifier, unlike the
    # owner-gated rules above; a token carrying that role satisfies these
    # quota checks regardless of which project the target belongs to.
    policy.RuleDefault(
        name='load-balancer:read-quota',
        check_str='rule:load-balancer:observer_and_owner or '
                  'rule:load-balancer:global_observer or '
                  'rule:load-balancer:member_and_owner or '
                  'role:load-balancer_quota_admin or '
                  'rule:load-balancer:admin',
        scope_types=[constants.RBAC_SCOPE_PROJECT,
                     constants.RBAC_SCOPE_SYSTEM]),

    policy.RuleDefault(
        name='load-balancer:read-quota-global',
        check_str='rule:load-balancer:global_observer or '
                  'role:load-balancer_quota_admin or '
                  'rule:load-balancer:admin',
        scope_types=[constants.RBAC_SCOPE_SYSTEM]),

    policy.RuleDefault(
        name='load-balancer:write-quota',
        check_str='role:load-balancer_quota_admin or '
                  'rule:load-balancer:admin',
        scope_types=[constants.RBAC_SCOPE_SYSTEM]),
]
  182 
  183 
def list_rules():
    """Return the base policy defaults defined by this module.

    The module-level ``rules`` list itself is returned, not a copy, so
    callers must not mutate it.  Presumably consumed through an
    ``oslo.policy.policies`` entry point by the enforcer and the sample
    generator -- verify against the package's setup.cfg.
    """
    return rules