Implement secure RBAC for orders API

Add new project scope specific RBAC rules for the orders API. The old rules still apply, but eventually will be deprecated. The new rules do include some changes to default policy, which are documented in the release note. Change-Id: I8e6963d7ab788038102c7f4570b3f2c9a342eabf
takanattie · Mar 9, 2021 · 265908e · 265908e
1 parent e2c8e53
commit 265908e
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 10 deletions.
diff --git a/barbican/common/policies/orders.py b/barbican/common/policies/orders.py
@@ -12,12 +12,13 @@
 
 from oslo_policy import policy
 
+_MEMBER = "role:member"
 
 rules = [
     policy.DocumentedRuleDefault(
         name='orders:get',
-        check_str='rule:all_but_audit',
-        scope_types=[],
+        check_str=f'rule:all_but_audit or {_MEMBER}',
+        scope_types=['project'],
         description='Gets list of all orders associated with a project.',
         operations=[
             {
@@ -28,8 +29,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='orders:post',
-        check_str='rule:admin_or_creator',
-        scope_types=[],
+        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        scope_types=['project'],
         description='Creates an order.',
         operations=[
             {
@@ -40,8 +41,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='orders:put',
-        check_str='rule:admin_or_creator',
-        scope_types=[],
+        check_str=f'rule:admin_or_creator or {_MEMBER}',
+        scope_types=['project'],
         description='Unsupported method for the orders API.',
         operations=[
             {
@@ -52,8 +53,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='order:get',
-        check_str='rule:all_users',
-        scope_types=[],
+        check_str=f'rule:all_users or {_MEMBER}',
+        scope_types=['project'],
         description='Retrieves an orders metadata.',
         operations=[
             {
@@ -64,8 +65,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='order:delete',
-        check_str='rule:admin',
-        scope_types=[],
+        check_str=f'rule:admin or {_MEMBER}',
+        scope_types=['project'],
         description='Deletes an order.',
         operations=[
             {

diff --git a/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml b/releasenotes/notes/secure-rbac-order-policy-2068c64cb6830c6c.yaml
@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    Implement secure-rbac for orders resource.
+security:
+  - |
+    The current policy allows all users except those with the audit role to
+    list orders or retrieve an orders metadata.  The new desired policy will
+    restrict this to members.  For backwards compatibility, the old policies
+    remain in effect, but they are deprecated and will be removed in future,
+    leaving the more restrictive new policy.
+  - |
+    The new secure-rbac policy allows for secret deletion by members.  This is
+    a change from the previous policy that only allowed deletion by the
+    project admin.