Merge "Remove System scope from policy"

.zuul.yaml

@@ -111,7 +111,8 @@
         - barbican-grenade:
             voting: false
         - barbican-tempest-plugin-simple-crypto
-        - barbican-tempest-plugin-simple-crypto-secure-rbac
+        - barbican-tempest-plugin-simple-crypto-secure-rbac:
+            voting: false
         - barbican-tempest-plugin-simple-crypto-ipv6-only
         - barbican-tox-functional-fips:
             voting: false

barbican/common/policies/base.py

@@ -19,13 +19,6 @@
 )
 
 rules = [
-    policy.RuleDefault(
-        name='system_reader',
-        check_str='role:reader and system_scope:all'),
-    policy.RuleDefault(
-        name='system_admin',
-        check_str='role:admin and system_scope:all'),
-
     policy.RuleDefault(
         name='secret_project_match',
         check_str='project_id:%(target.secret.project_id)s'),

barbican/common/policies/consumers.py

@@ -82,12 +82,12 @@
         name='consumer:get',
         check_str=(
             'True:%(enforce_new_defaults)s and '
-            '(rule:system_admin or rule:container_project_admin or '
+            '(role:admin or '
             '(rule:container_project_member and rule:container_owner) or '
             '(rule:container_project_member and '
             ' rule:container_is_not_private) or '
             'rule:container_acl_read)'),
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         # This API is unusable.  There is no way for a user to get
         # the consumer-id they would need to send a request.
         description='DEPRECATED: show information for a specific consumer',
@@ -101,12 +101,12 @@
         name='container_consumers:get',
         check_str=(
             'True:%(enforce_new_defaults)s and '
-            '(rule:system_admin or rule:container_project_admin or '
+            '(rule:container_project_admin or '
             '(rule:container_project_member and rule:container_owner) or '
             '(rule:container_project_member and '
             ' rule:container_is_not_private) or '
             'rule:container_acl_read)'),
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='List a containers consumers.',
         operations=[
             {
@@ -120,12 +120,12 @@
         name='container_consumers:post',
         check_str=(
             'True:%(enforce_new_defaults)s and '
-            '(rule:system_admin or rule:container_project_admin or '
+            '(rule:container_project_admin or '
             '(rule:container_project_member and rule:container_owner) or '
             '(rule:container_project_member and '
             ' rule:container_is_not_private) or '
             'rule:container_acl_read)'),
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='Creates a consumer.',
         operations=[
             {
@@ -139,12 +139,12 @@
         name='container_consumers:delete',
         check_str=(
             'True:%(enforce_new_defaults)s and '
-            '(rule:system_admin or rule:container_project_admin or '
+            '(rule:container_project_admin or '
             '(rule:container_project_member and rule:container_owner) or '
             '(rule:container_project_member and '
             ' rule:container_is_not_private) or '
             'rule:container_acl_read)'),
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='Deletes a consumer.',
         operations=[
             {
@@ -158,11 +158,11 @@
         name='secret_consumers:get',
         check_str=(
             'True:%(enforce_new_defaults)s and '
-            '(rule:system_admin or rule:secret_project_admin or '
+            '(rule:secret_project_admin or '
             '(rule:secret_project_member and rule:secret_owner) or '
             '(rule:secret_project_member and rule:secret_is_not_private) or '
             'rule:secret_acl_read)'),
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='List consumers for a secret.',
         operations=[
             {
@@ -176,11 +176,11 @@
         name='secret_consumers:post',
         check_str=(
             'True:%(enforce_new_defaults)s and '
-            '(rule:system_admin or rule:secret_project_admin or '
+            '(rule:secret_project_admin or '
             '(rule:secret_project_member and rule:secret_owner) or '
             '(rule:secret_project_member and rule:secret_is_not_private) or '
             'rule:secret_acl_read)'),
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='Creates a consumer.',
         operations=[
             {
@@ -194,11 +194,11 @@
         name='secret_consumers:delete',
         check_str=(
             'True:%(enforce_new_defaults)s and '
-            '(rule:system_admin or rule:secret_project_admin or '
+            '(rule:secret_project_admin or '
             '(rule:secret_project_member and rule:secret_owner) or '
             '(rule:secret_project_member and rule:secret_is_not_private) or '
             'rule:secret_acl_read)'),
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='Deletes a consumer.',
         operations=[
             {

barbican/common/policies/quotas.py

@@ -57,8 +57,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='project_quotas:get',
-        check_str='True:%(enforce_new_defaults)s and rule:system_reader',
-        scope_types=['system'],
+        check_str='True:%(enforce_new_defaults)s and role:admin',
+        scope_types=['project'],
         description='List quotas for the specified project.',
         operations=[
             {
@@ -74,8 +74,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='project_quotas:put',
-        check_str='True:%(enforce_new_defaults)s and rule:system_admin',
-        scope_types=['system'],
+        check_str='True:%(enforce_new_defaults)s and role:admin',
+        scope_types=['project'],
         description='Create or update the configured project quotas for '
                     'the project with the specified UUID.',
         operations=[
@@ -88,8 +88,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='project_quotas:delete',
-        check_str='True:%(enforce_new_defaults)s and rule:system_admin',
-        scope_types=['system'],
+        check_str='True:%(enforce_new_defaults)s and role:admin',
+        scope_types=['project'],
         description='Delete the project quotas configuration for the '
                     'project with the requested UUID.',
         operations=[

barbican/common/policies/secretstores.py

@@ -57,7 +57,7 @@
     policy.DocumentedRuleDefault(
         name='secretstores:get',
         check_str='True:%(enforce_new_defaults)s and role:reader',
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='Get list of available secret store backends.',
         operations=[
             {
@@ -70,7 +70,7 @@
     policy.DocumentedRuleDefault(
         name='secretstores:get_global_default',
         check_str='True:%(enforce_new_defaults)s and role:reader',
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='Get a reference to the secret store that is used as ' +
                     'default secret store backend for the deployment.',
         operations=[
@@ -84,7 +84,7 @@
     policy.DocumentedRuleDefault(
         name='secretstores:get_preferred',
         check_str='True:%(enforce_new_defaults)s and role:reader',
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='Get a reference to the preferred secret store if ' +
                     'assigned previously.',
         operations=[
@@ -126,7 +126,7 @@
     policy.DocumentedRuleDefault(
         name='secretstore:get',
         check_str='True:%(enforce_new_defaults)s and role:reader',
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='Get details of secret store by its ID.',
         operations=[
             {

barbican/common/policies/transportkeys.py

@@ -45,7 +45,7 @@
     policy.DocumentedRuleDefault(
         name='transport_key:get',
         check_str='True:%(enforce_new_defaults)s and role:reader',
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='Get a specific transport key.',
         operations=[
             {
@@ -57,8 +57,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='transport_key:delete',
-        check_str='True:%(enforce_new_defaults)s and rule:system_admin',
-        scope_types=['system'],
+        check_str='True:%(enforce_new_defaults)s and role:admin',
+        scope_types=['project'],
         description='Delete a specific transport key.',
         operations=[
             {
@@ -71,7 +71,7 @@
     policy.DocumentedRuleDefault(
         name='transport_keys:get',
         check_str='True:%(enforce_new_defaults)s and role:reader',
-        scope_types=['project', 'system'],
+        scope_types=['project'],
         description='Get a list of all transport keys.',
         operations=[
             {
@@ -83,8 +83,8 @@
     ),
     policy.DocumentedRuleDefault(
         name='transport_keys:post',
-        check_str='True:%(enforce_new_defaults)s and rule:system_admin',
-        scope_types=['system'],
+        check_str='True:%(enforce_new_defaults)s and role:admin',
+        scope_types=['project'],
         description='Create a new transport key.',
         operations=[
             {

releasenotes/notes/remove-system-scope-from-policy-f2f68c42c0742812.yaml

@@ -0,0 +1,8 @@
+---
+security:
+  - |
+    System scope has been removed from the RBAC policies as specified in the
+    Consistent and Secure Default RBAC community goal. See:
+    https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html
+    APIs that required system scoped tokens can now be accessed by using a
+    project scoped token with the "admin" role.