Merge "Updates cleartext-secrets RBAC Permissions"

This commit is contained in:
Zuul 2018-12-21 14:41:02 +00:00 committed by Gerrit Code Review
commit c1b12b9a9e
4 changed files with 28 additions and 6 deletions


@ -368,9 +368,10 @@ conf:
workflow_orchestrator:get_configdocs_status: rule:admin_read_access
workflow_orchestrator:create_configdocs: rule:admin_create
workflow_orchestrator:get_configdocs: rule:admin_read_access
workflow_orchestrator:get_configdocs_cleartext: rule:admin_create
workflow_orchestrator:commit_configdocs: rule:admin_create
workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_read_access
workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_create
workflow_orchestrator:list_workflows: rule:admin_read_access
workflow_orchestrator:get_workflow: rule:admin_read_access
workflow_orchestrator:get_notedetails: rule:admin_read_access
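Review bot: `workflow_orchestrator:get_configdocs_cleartext` and `workflow_orchestrator:get_renderedconfigdocs_cleartext` are GET operations mapped to `rule:admin_create`, while every other read in this block uses `rule:admin_read_access`; a one-line comment next to those keys would make the intent explicit, e.g. `# cleartext secret retrieval is deliberately held to the stricter create rule`. This reading is inferred from the rule names only; if the chart exposes a dedicated secrets-read rule it would state the intent more clearly than reusing the create rule. It is also worth confirming that the in-code default for these policies (RULE_ADMIN_REQUIRED in policy.py) is the intended fallback when this chart override is absent.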


@ -682,8 +682,10 @@ differences between the 'committed' and 'buffer' revision (default behavior).
collection, this will return an empty response (default)
\--cleartext-secrets
Returns cleartext secrets in encrypted documents, otherwise those values
are redacted. Only impacts returned documents, not lists of documents.
Returns secrets as cleartext for encrypted documents if the user has the
appropriate permissions in the target environment. If the user does not
have the appropriate permissions and sets this flag to true an error is
returned. Only impacts returned documents, not lists of documents.
Sample
^^^^^^
@ -750,8 +752,10 @@ applying Deckhand layering and substitution.
prior commit. (default)
\--cleartext-secrets
Returns secrets as cleartext for encrypted documents if the user has the appropriate
permissions in the target environment.
Returns secrets as cleartext for encrypted documents if the user has the
appropriate permissions in the target environment. If the user does not
have the appropriate permissions and sets this flag to true an error is
returned.
Sample
^^^^^^


@ -123,6 +123,11 @@ class ConfigDocsResource(BaseResource):
cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
self._validate_version_parameter(version)
helper = ConfigdocsHelper(req.context)
# Check access to cleartext_secrets
if cleartext_secrets:
policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)
# Not reformatting to JSON or YAML since just passing through
resp.body = self.get_collection(
helper=helper, collection_id=collection_id, version=version,
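Review bot: The new `policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)` gate is only applied in this resource; a GET_RENDEREDCONFIGDOCS_CLRTXT constant exists in policy.py but no matching check for the rendered-configdocs handler appears among the four changed files, so if that handler does not already perform it, the chart rule alone will not enforce it — worth confirming. Placing the check before any call into `helper` is the right order, since a denied request fails before any document is fetched. The comment on the `if cleartext_secrets:` branch could say why the extra check exists, e.g. `# Cleartext secrets are gated on a separate, stricter policy than the redacted read; check_auth is expected to raise on denial`, with the raise behaviour hedged since check_auth is not visible here. The enclosing method starts and ends outside the hunk.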


@ -36,6 +36,7 @@ INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control'
GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
GET_CONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_configdocs_cleartext'
COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext' # noqa
@ -162,7 +163,18 @@ class ShipyardPolicy(object):
policy.DocumentedRuleDefault(
GET_CONFIGDOCS,
RULE_ADMIN_REQUIRED,
'Retrieve a collection of configuration documents',
('Retrieve a collection of configuration documents with redacted '
'secrets'),
[{
'path': '/api/v1.0/configdocs/{collection_id}',
'method': 'GET'
}]
),
policy.DocumentedRuleDefault(
GET_CONFIGDOCS_CLRTXT,
RULE_ADMIN_REQUIRED,
('Retrieve a collection of configuration documents with cleartext '
'secrets.'),
[{
'path': '/api/v1.0/configdocs/{collection_id}',
'method': 'GET'