authorZuul <zuul@review.openstack.org>2018-12-21 14:41:02 +0000
committerGerrit Code Review <review@openstack.org>2018-12-21 14:41:02 +0000
commitc1b12b9a9e37756749743e1e3404c7b15d853fdc (patch)
tree31a64cdb41123365ae4ff5f05d6915205da9c0a3
parent09d3238e7875e8cc869fae50e5e1ea64330116ea (diff)
parent0cac1cbe2fa8cba071cdee3a00caa8bf57d9e9a6 (diff)
Merge "Updates cleartext-secrets RBAC Permissions"
-rw-r--r--charts/shipyard/values.yaml3
-rw-r--r--doc/source/CLI.rst12
-rw-r--r--src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py5
-rw-r--r--src/bin/shipyard_airflow/shipyard_airflow/policy.py14
4 files changed, 28 insertions, 6 deletions
diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index 263f583..6688bd8 100644
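--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -368,9 +368,10 @@ conf:
  workflow_orchestrator:get_configdocs_status: rule:admin_read_access
  workflow_orchestrator:create_configdocs: rule:admin_create
  workflow_orchestrator:get_configdocs: rule:admin_read_access
+ workflow_orchestrator:get_configdocs_cleartext: rule:admin_create
  workflow_orchestrator:commit_configdocs: rule:admin_create
  workflow_orchestrator:get_renderedconfigdocs: rule:admin_read_access
- workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_read_access
+ workflow_orchestrator:get_renderedconfigdocs_cleartext: rule:admin_create
  workflow_orchestrator:list_workflows: rule:admin_read_access
  workflow_orchestrator:get_workflow: rule:admin_read_access
  workflow_orchestrator:get_notedetails: rule:admin_read_access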
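Review bot: The two cleartext rules now sit under `rule:admin_create` with nothing in the file saying why a read operation is gated by a create rule, so a later cleanup could plausibly move them back to `rule:admin_read_access` and re-expose secrets to read-only roles. I would add a comment above `workflow_orchestrator:get_configdocs_cleartext`, for example `# *_cleartext rules return unredacted secrets; keep them stricter than admin_read_access`. Changing `get_renderedconfigdocs_cleartext` from `rule:admin_read_access` to `rule:admin_create` also removes access that read-only roles had before, which deserves a release note. The policy block under `conf:` continues outside this hunk, so the definitions of both rules are not visible here.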
diff --git a/doc/source/CLI.rst b/doc/source/CLI.rst
index 651ede1..3d38aef 100644
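--- a/doc/source/CLI.rst
+++ b/doc/source/CLI.rst
@@ -682,8 +682,10 @@ differences between the 'committed' and 'buffer' revision (default behavior).
  collection, this will return an empty response (default)
 
 \--cleartext-secrets
- Returns cleartext secrets in encrypted documents, otherwise those values
- are redacted. Only impacts returned documents, not lists of documents.
+ Returns secrets as cleartext for encrypted documents if the user has the
+ appropriate permissions in the target environment. If the user does not
+ have the appropriate permissions and sets this flag to true an error is
+ returned. Only impacts returned documents, not lists of documents.
 
 Sample
 ^^^^^^
@@ -750,8 +752,10 @@ applying Deckhand layering and substitution.
  prior commit. (default)
 
 \--cleartext-secrets
- Returns secrets as cleartext for encrypted documents if the user has the appropriate
- permissions in the target environment.
+ Returns secrets as cleartext for encrypted documents if the user has the
+ appropriate permissions in the target environment. If the user does not
+ have the appropriate permissions and sets this flag to true an error is
+ returned.
 
 Sample
 ^^^^^^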
diff --git a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
index 92c8ac4..ac39f0d 100644
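--- a/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/control/configdocs/configdocs_api.py
@@ -123,6 +123,11 @@ class ConfigDocsResource(BaseResource):
  cleartext_secrets = req.get_param_as_bool('cleartext-secrets') or False
  self._validate_version_parameter(version)
  helper = ConfigdocsHelper(req.context)
+
+ # Check access to cleartext_secrets
+ if cleartext_secrets:
+ policy.check_auth(req.context, policy.GET_CONFIGDOCS_CLRTXT)
+
  # Not reformatting to JSON or YAML since just passing through
  resp.body = self.get_collection(
  helper=helper, collection_id=collection_id, version=version,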
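Review bot: Nothing in this commit exercises the new denial path: the diffstat lists four files and none is a test, so a regression that drops or bypasses the `if cleartext_secrets:` check would go unnoticed. I would add a test that requests the collection with `cleartext-secrets=true` under a policy that denies `GET_CONFIGDOCS_CLRTXT` and asserts the error response, plus one showing the same caller still gets redacted documents without the flag. The check could also move above `helper = ConfigdocsHelper(req.context)` so that no helper is built for a request that is about to be rejected. The enclosing handler starts and ends outside the hunk, so whether `cleartext_secrets` is passed on to `get_collection` cannot be confirmed from here.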
diff --git a/src/bin/shipyard_airflow/shipyard_airflow/policy.py b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
index fe506c3..4b8bc42 100644
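--- a/src/bin/shipyard_airflow/shipyard_airflow/policy.py
+++ b/src/bin/shipyard_airflow/shipyard_airflow/policy.py
@@ -36,6 +36,7 @@ INVOKE_ACTION_CONTROL = 'workflow_orchestrator:invoke_action_control'
 GET_CONFIGDOCS_STATUS = 'workflow_orchestrator:get_configdocs_status'
 CREATE_CONFIGDOCS = 'workflow_orchestrator:create_configdocs'
 GET_CONFIGDOCS = 'workflow_orchestrator:get_configdocs'
+GET_CONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_configdocs_cleartext'
 COMMIT_CONFIGDOCS = 'workflow_orchestrator:commit_configdocs'
 GET_RENDEREDCONFIGDOCS = 'workflow_orchestrator:get_renderedconfigdocs'
 GET_RENDEREDCONFIGDOCS_CLRTXT = 'workflow_orchestrator:get_renderedconfigdocs_cleartext' # noqa
@@ -162,7 +163,18 @@ class ShipyardPolicy(object):
  policy.DocumentedRuleDefault(
  GET_CONFIGDOCS,
  RULE_ADMIN_REQUIRED,
- 'Retrieve a collection of configuration documents',
+ ('Retrieve a collection of configuration documents with redacted '
+ 'secrets'),
+ [{
+ 'path': '/api/v1.0/configdocs/{collection_id}',
+ 'method': 'GET'
+ }]
+ ),
+ policy.DocumentedRuleDefault(
+ GET_CONFIGDOCS_CLRTXT,
+ RULE_ADMIN_REQUIRED,
+ ('Retrieve a collection of configuration documents with cleartext '
+ 'secrets.'),
  [{
  'path': '/api/v1.0/configdocs/{collection_id}',
  'method': 'GET'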
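Review bot: `GET_CONFIGDOCS_CLRTXT` is registered with the same default, `RULE_ADMIN_REQUIRED`, as `GET_CONFIGDOCS`, so under the in-code defaults any caller allowed to read redacted documents is also allowed to read cleartext secrets; the two are separated only where the policy is overridden, as the chart does in this commit. If that is intended, a comment above the new `policy.DocumentedRuleDefault(` entry should say so, for example `# Default matches GET_CONFIGDOCS; deployments should override this rule to restrict cleartext access`. As a style point, the new description ends in a period (`'secrets.'`) while the reworded `GET_CONFIGDOCS` description does not (`'secrets'`); one form should be used for both. The rule list in `ShipyardPolicy` starts and ends outside the hunk.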