RequirementsAuthority multi role support enhancement
This patchset eliminates different behaviour between
policy_authority and requirements_authority.
Problem description:
`rbac_test_roles = [member,]`
Policy authority:
`update_port: role:member and role:viewer`
Results in 403/False (we are member but not viewer).
Requirements authority:
```
req_auth:
  update_port:
    - member
    - viewer
```
Results in 200/True (member in update_port list).
Proposed solution:
Change requirements_authority file syntax to support
comma separated roles to be considered as logical and.
Depends-On: https://review.openstack.org/#/c/606110/
Change-Id: I2e2a4a2020f5e85af15f1836d69386bc91a2d2ec
Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com>
diff --git a/releasenotes/notes/requirements-authority-multi-role-support-0fe53fc49567e595.yaml b/releasenotes/notes/requirements-authority-multi-role-support-0fe53fc49567e595.yaml
new file mode 100644
index 0000000..ffbae0a
--- /dev/null
+++ b/releasenotes/notes/requirements-authority-multi-role-support-0fe53fc49567e595.yaml
@@ -0,0 +1,37 @@
+---
+features:
+ - |
+ The ``requirements_authority`` module now supports the following 3 cases:
+
+ * logical or operation of roles (existing functionality)
+ * logical and operation of roles (new functionality)
+ * logical not operation of roles (new functionality)
+
+ .. code-block:: yaml
+
+ <service_foo>:
+ <logical_or_example>:
+ - <allowed_role_1>
+ - <allowed_role_2>
+ <logical_and_example>:
+ - <allowed_role_3>, <allowed_role_4>
+ <service_bar>:
+ <logical_not_example>:
+ - <!disallowed_role_5>
+
+ Each item under ``logical_or_example`` is "logical OR"-ed together. Each
+ role in the comma-separated string under ``logical_and_example`` is
+ "logical AND"-ed together. And each item prefixed with "!" under
+ ``logical_not_example`` is "logical negated".
+
+ This allows for expressing many more complex cases using the
+ ``requirements_authority`` YAML syntax. For example, the policy rule
+ (i.e. what may exist in a ``policy.yaml`` file)::
+
+ "foo_rule: (role:a and not role:b) or role:c"
+
+ May now be expressed using the YAML syntax as::
+
+ foo_rule:
+ - a, !b
+ - c
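Review bot: The negation example under `<logical_not_example>` (`- <!disallowed_role_5>`) does not say how a list item that consists only of a negated role has to be written. A plain YAML scalar that begins with `!` is read as a tag rather than a string, so an entry such as `- !admin` will not load as the role string "!admin" unless it is quoted, while `- a, !b` in the last example only works because the scalar starts with `a`. Please state in the note that a standalone negated role must be quoted, for example `- "!disallowed_role_5"`, and show the placeholder that way. It would also help to say whether whitespace around the comma in `- <allowed_role_3>, <allowed_role_4>` is stripped. A role name that silently fails to match changes the expected result of an RBAC test, which is the same class of mismatch the commit message describes between 403/False and 200/True.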