Source code for glance.policies.base

#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_policy import policy

# Generic check string for checking if a user is authorized on a particular
# project, specifically with the member role.
PROJECT_MEMBER = 'role:member and project_id:%(project_id)s'
# Generic check string for checking if a user is authorized on a particular
# project but with read-only access. For example, this persona would be able to
# list private images owned by a project but cannot make any writeable changes
# to those images.
PROJECT_READER = 'role:reader and project_id:%(project_id)s'

# Make sure the member_id of the supplied target matches the project_id from
# the context object, which is derived from keystone tokens.
IMAGE_MEMBER_CHECK = 'project_id:%(member_id)s'
# Check if the visibility of the image supplied in the target matches
# "community"
COMMUNITY_VISIBILITY_CHECK = "'community':%(visibility)s"
# Check if the visibility of the resource supplied in the target matches
# "public"
PUBLIC_VISIBILITY_CHECK = "'public':%(visibility)s"
# Check if the visibility of the image supplied in the target matches "shared"
SHARED_VISIBILITY_CHECK = "'shared':%(visibility)s"

    f'role:member and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK} '
    f'role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK} '
    f'role:reader and (project_id:%(project_id)s or {PUBLIC_VISIBILITY_CHECK})'

# FIXME(lbragstad): These are composite check strings that represents glance's
# authorization code, some of which is implemented in the authorization wrapper
# and some is in the database driver.
# These check strings do not support tenancy with the `admin` role. This means
# anyone with the `admin` role on any project can execute a policy, which is
# typical in OpenStack services. But following check strings offer formal
# support for project membership and a read-only variant consistent with
# other OpenStack services.
ADMIN_OR_PROJECT_MEMBER = f'rule:context_is_admin or ({PROJECT_MEMBER})'
ADMIN_OR_PROJECT_READER = f'rule:context_is_admin or ({PROJECT_READER})'
    f'rule:context_is_admin or '
    f'rule:context_is_admin or '
    f'rule:context_is_admin or ({PROJECT_MEMBER} and project_id:%(owner)s)'
    f'rule:context_is_admin or ({PROJECT_READER_OR_PUBLIC_NAMESPACE})'

    f'rule:context_is_admin or (role:member and {IMAGE_MEMBER_CHECK})'
    f'rule:context_is_admin or '
    f'role:reader and (project_id:%(project_id)s or {IMAGE_MEMBER_CHECK})'

ADMIN = f'rule:context_is_admin'

rules = [
    policy.RuleDefault(name='default', check_str='',
                       description='Defines the default rule used for '
                                   'policies that historically had an empty '
                                   'policy in the supplied policy.json file.',
                           deprecated_reason='In order to allow operators to '
                           'accept the default policies from code by not '
                           'defining them in the policy file, while still '
                           'working with old policy files that rely on the '
                           '``default`` rule for policies that are '
                           'not specified in the policy file, the ``default`` '
                           'rule must now be explicitly set to '
                           '``"role:admin"`` when that is the desired default '
                           'for unspecified rules.',
    policy.RuleDefault(name='context_is_admin', check_str='role:admin',
                       description='Defines the rule for the is_admin:True '

[docs]def list_rules(): return rules