Add flavor permission rules#581
Draft
seb-kro wants to merge 2 commits into
Draft
Conversation
1108c89 to
76b89e5
Compare
90989d8 to
fb0d424
Compare
Flavor access is currently controlled via private/public flavors and the flavor access list aka `FlavorProjects`. To restrict access to a flavor, it must be turned private and access must be granted individually to each project. To support external customers, we want to restrict access to certain flavors for arbitrary domains while keeping these flavors publicly accessible on other domain without additional configuration needs. Additionally, we want to enable project owners to configure project-specific flavor access. This adds flavor permission rules as a new mechanism for controlling flavor access. These rules are independent of flavor privacy and the flavor access list. So a flavor is only available to a project if allowed by both the flavor permission rules and the flavor access list. Each flavor permission rule has a `project_id`, a scope (`domain` or `project`), an optional `flavor_id` and a `type` (`allow` or `deny`). The two scopes of flavor permission rules are derived from the project hierarchy: - `domain` scope rules have a domain `project_id` and apply to all projects within that domain - `project` scope rules have a `project_id` of a non-domain project, apply only to that project itself and are not inherited by sub-projects A flavor is permitted for a project if it is permitted at both the domain scope and the project scope. Rules without a `flavor_id` define the domain's or project's default behavior for flavors without a flavor-specific rule. If a domain or project does not have a default behavior rule, then all flavors are permitted at that scope by default. There is at most one flavor permission rule for each combination of `project_id` and `flavor_id`. Consequently, a flavor is only denied at a scope if for the corresponding `project_id`: - there is a `deny` rule matching the `flavor_id` - OR there is a `deny` rule without a `flavor_id` AND there is no `allow` rule matching the `flavor_id` Change-Id: I5e1332d111c07ee714f2965c558f393c8568ffaf
Enforce flavor permission rules for all flavor object get-functions by extending the filtering of the default flavor query. All get-functions are extended with an `include_project_denied` parameter that allows to return flavors denied at project scope also for non-admin contexts. Domain scope rules still apply. A flavor is denied at a scope if for the corresponding `project_id`: - there is a `deny` rule matching the `flavor_id` - OR there is a `deny` rule without a `flavor_id` AND there is no `allow` rule matching the `flavor_id` Just like the existing flavor privacy mechanisms (private flavors/flavor access list), the flavor permissions rules do not take effect for admin contexts and do not restrict the flavor object create, save and destroy methods in any way. The `Flavor` and `FlavorList` hashes in `test_objects` are updated to reflect the new fingerprints that result from adding the `include_project_denied` to the remotable class methods. Since the parameter has a default, the method signature changes are backward-compatible and we do not bump the object versions. Change-Id: Ic17dcc21a07a383e26822a5fbf7cf5cfc5383ec6
fb0d424 to
0ecf556
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Flavor access is currently controlled via private/public flavors and the flavor access list aka
FlavorProjects. To restrict access to a flavor, it must be turned private and access must be granted individually to each project.This adds flavor permission rules for a more flexible flavor permission management. These rules are independent of flavor privacy and the flavor access list. So a flavor is only available to a project if allowed by both the flavor permission rules and the flavor access list.
Each flavor permission rule has a
project_id, a scope (domainorproject), an optionalflavor_idand atype(allowordeny).The two scopes of flavor permission rules are derived from the project hierarchy:
domainscope rules have a domainproject_idand apply to all projects within that domainprojectscope rules have aproject_idof a non-domain project, apply only to that project itself and are not inherited by sub-projectsA flavor is permitted for a project if it is permitted at both the domain scope and the project scope. Rules without a 'flavor_id' define the domain's or project's default behavior for flavors without a flavor-specific rule. If a domain or project does not have a default behavior rule, then all flavors are permitted at that scope by default.
There is at most one flavor permission rule for each combination of
project_id,scopeandflavor_id. Consequently, a flavor is only denied at a scope if for the correspondingproject_id:denyrule matching theflavor_iddenyrule without aflavor_idAND there is noallowrule matching theflavor_idIssue: https://github.wdf.sap.corp/sap-cloud-infrastructure/nova-issues/issues/189
Change-Id: I5e1332d111c07ee714f2965c558f393c8568ffaf