authorAaron Sheffield <ajs@sheffieldfamily.net>2018-11-13 10:04:10 -0600
committerAaron Sheffield <ajs@sheffieldfamily.net>2018-11-28 10:01:40 -0600
commit0cac1cbe2fa8cba071cdee3a00caa8bf57d9e9a6 (patch)
treedb5d91d21689c5e8764c3b16a35c6073130ae2a2
parent03d7269b6ad9d7b734cb3a7bc1693139e639a9c5 (diff)
Updates cleartext-secrets RBAC Permissions
- Adds an RBAC check when returning raw configdocs. Change-Id: Ia4967ba4e1dfc49d44a3914cfa151177a49c3799
Notes
Notes (review): Code-Review+1: Rick Bartra <rb560u@att.com> Code-Review+1: Ahmad Mahmoudi <am495p@att.com> Code-Review+2: Bryan Strassner <strassner.bryan@gmail.com> Code-Review+1: Nishant Kumar <nishant.e.kumar@ericsson.com> Code-Review+2: Scott Hussey <sthussey@att.com> Workflow+1: Scott Hussey <sthussey@att.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Fri, 21 Dec 2018 14:41:02 +0000 Reviewed-on: https://review.openstack.org/617722 Project: openstack/airship-shipyard Branch: refs/heads/master
-rw-r--r--charts/shipyard/values.yaml3
-rw-r--r--doc/source/CLI.rst12
-rw-r--r--src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py5
-rw-r--r--src/bin/shipyard_airflow/shipyard_airflow/policy.py14
4 files changed, 28 insertions, 6 deletions
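--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -368,9 +368,10 @@ conf:
 workflow_orchestrator:get_configdocs_status: rule:admin_read_access
 workflow_orchestrator:create_configdocs: rule:admin_create
 workflow_orchestrator:get_configdocs: rule:admin_read_access
+workflow_orchestrator:get_configdocs_cleartext: rule:admin_create
 workflow_orchestrator:commit_configdocs: rule:admin_create
 workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
-workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_read_access
+workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_create
 workflow_orchestrator:list_workflows: rule:admin_read_access
 workflow_orchestrator:get_workflow: rule:admin_read_access
 workflow_orchestrator:get_notedetails: rule:admin_read_access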
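Review bot: Line 374 changes the existing `workflow_orchestrator:get_renderedconfigdocs_cleartext` rule from `rule:admin_read_access` to `rule:admin_create`, which is presumably a tightening, yet neither the commit title nor the message mentions it; deployments that rely on the chart defaults will see rendered-cleartext reads start being refused for callers who only satisfy the read rule, so the message should call this out. The new `get_configdocs_cleartext` rule at line 371 is consistent with that choice, so raw and rendered cleartext access now sit under the same rule. A one-line comment above the two cleartext rules, e.g. `# cleartext-secrets reads are gated by the create rule, not the read rule`, would record the intent in the chart itself. What `admin_create` and `admin_read_access` expand to is defined outside this hunk.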
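--- a/doc/source/CLI.rst
+++ b/doc/source/CLI.rst
@@ -677,8 +677,10 @@ differences between the 'committed' and 'buffer' revision (default behavior).
 collection, this will return an empty response (default)
 
 \--cleartext-secrets
-Returns cleartext secrets in encrypted documents, otherwise those values
-are redacted. Only impacts returned documents, not lists of documents.
+Returns secrets as cleartext for encrypted documents if the user has the
+appropriate permissions in the target environment. If the user does not
+have the appropriate permissions and sets this flag to true an error is
+returned. Only impacts returned documents, not lists of documents.
 
 Sample
 ^^^^^^
@@ -745,8 +747,10 @@ applying Deckhand layering and substitution.
 prior commit. (default)
 
 \--cleartext-secrets
-Returns secrets as cleartext for encrypted documents if the user has the appropriate
-permissions in the target environment.
+Returns secrets as cleartext for encrypted documents if the user has the
+appropriate permissions in the target environment. If the user does not
+have the appropriate permissions and sets this flag to true an error is
+returned.
 
 Sample
 ^^^^^^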
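--- a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
@@ -101,6 +101,11 @@ class ConfigDocsResource(BaseResource):
 cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
 self._validate_version_parameter(version)
 helper = ConfigdocsHelper(req.context)
+
+# Check access to cleartext_secrets
+if cleartext_secrets:
+policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)
+
 # Not reformatting to JSON or YAML since just passing through
 resp.body = self.get_collection(
 helper=helper, collection_id=collection_id, version=version,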
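Review bot: The new guard at lines 106-107 runs after `_validate_version_parameter(version)` and after `ConfigdocsHelper(req.context)` is constructed, so an unauthorized cleartext request still does that work before `policy.check_auth` rejects it; placing the two lines directly after line 101 would make the authorization decision the first thing done with the flag, at the cost of a denial taking precedence over a bad-version error, which may or may not be the precedence you want. The comment `# Check access to cleartext_secrets` should also record why the check is conditional, e.g. `# cleartext-secrets=true requires the stricter GET_CONFIGDOCS_CLRTXT rule on top of the ordinary read rule, so it is enforced only when the flag is set.` Whether `check_auth` raises or returns on denial is not visible in this hunk, and the enclosing handler starts and ends outside it, as does the rest of the `get_collection` call, so I cannot confirm from here that `cleartext_secrets` is forwarded to it.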
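--- a/src/bin/shipyard_airflow/shipyard_airflow/policy.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
@@ -36,6 +36,7 @@ INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control'
 GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
 CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
 GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
+GET_CONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_configdocs_cleartext'
 COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
 GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
 GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext' # noqa
@@ -162,7 +163,18 @@ class ShipyardPolicy(object):
 policy.DocumentedRuleDefault(
 GET_CONFIGDOCS,
 RULE_ADMIN_REQUIRED,
-'Retrieve a collection of configuration documents',
+('Retrieve a collection of configuration documents with redacted '
+'secrets'),
+[{
+'path': '/api/v1.0/configdocs/{collection_id}',
+'method': 'GET'
+}]
+),
+policy.DocumentedRuleDefault(
+GET_CONFIGDOCS_CLRTXT,
+RULE_ADMIN_REQUIRED,
+('Retrieve a collection of configuration documents with cleartext '
+'secrets.'),
 [{
 'path': '/api/v1.0/configdocs/{collection_id}',
 'method': 'GET'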
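Review bot: The new `GET_CONFIGDOCS_CLRTXT` rule at lines 173-177 defaults to `RULE_ADMIN_REQUIRED`, the same default as `GET_CONFIGDOCS` at line 165, so with the in-code defaults the cleartext path grants nothing beyond the redacted one and the separation only takes effect where a deployment policy overrides it (the chart in this change does, with `admin_create`). If a stricter in-code default is not wanted, the description should say that deployers are expected to tighten it, e.g. `'Retrieve a collection of configuration documents with cleartext secrets; deployments should restrict this beyond the redacted read rule.'`. Both rules also list the identical `path`/`method` pair, so the description is the only place a reader learns that the difference is the `cleartext-secrets` query parameter, and naming it there would help. The trailing period in `'secrets.'` at line 177 is inconsistent with the sibling description at line 167.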