Revert change of role for v3 service accounts

More work is needed on policy changes before we can have fine grained RBAC for service accounts. Add service project to cloud_admin rule to maintain service access to admin-only calls. Change-Id: I3d6776ec821e97353d63d2709b36efd9091f0123 Closes-Bug: 1655028
2017-01-11 14:37:21 +01:00 · 2017-01-11 14:37:21 +01:00 · dd65408d94
parent 23f6363cbd
commit dd65408d94
5 changed files with 18 additions and 27 deletions
--- a/hooks/keystone_utils.py
+++ b/hooks/keystone_utils.py
@ -1688,11 +1688,10 @@ def create_service_credentials(user, new_roles=None):
    config('admin-role') role. Tenant is assumed to already exist.

    For Keysteone v3 API compability services are given a user in project
-    config('service-tenant') in SERVICE_DOMAIN and are given the 'service'
-    role.
+    config('service-tenant') in SERVICE_DOMAIN and are given the
+    config('admin-role') role.

-    As of Mitaka Keystone v3 policy the 'service' role is sufficient for
-    services to validate tokens. Project is assumed to already exist.
+    Project is assumed to already exist.
    """
    tenant = config('service-tenant')
    if not tenant:
@ -1706,12 +1705,12 @@ def create_service_credentials(user, new_roles=None):
                                     grants=[config('admin-role')],
                                     domain=domain)
    if get_api_version() > 2:
-        # v3 policy allows services to validate tokens when granted the
-        # 'service' role.
+        # Create account in SERVICE_DOMAIN as well using same password
        domain = SERVICE_DOMAIN
        passwd = create_user_credentials(user, passwd,
                                         tenant=tenant, new_roles=new_roles,
-                                         grants=['service'], domain=domain)
+                                         grants=[config('admin-role')],
+                                         domain=domain)
    return passwd


@ -1912,17 +1911,16 @@ def add_credentials_to_keystone(relation_id=None, remote_unit=None):

    if get_api_version() == 2:
        domain = None
-        grants = [config('admin-role')]
    else:
        domain = settings.get('domain') or SERVICE_DOMAIN
-        grants = ['service']

    # Use passed project or the service project
    credentials_project = settings.get('project') or config('service-tenant')
    create_tenant(credentials_project, domain)

    # Use passed grants or default grants
-    credentials_grants = (get_requested_grants(settings) or grants)
+    credentials_grants = (get_requested_grants(settings) or
+                          [config('admin-role')])

    # Create the user
    credentials_password = create_user_credentials(
--- a/templates/mitaka/policy.json
+++ b/templates/mitaka/policy.json
@ -1,8 +1,8 @@
 {% if api_version == 3 -%}
 {
    "admin_required": "role:{{ admin_role }}",
-    "cloud_admin": "rule:admin_required and (token.is_admin_project:True or domain_id:{{ admin_domain_id }})",
-    "service_role": "role:service and project_id:{{ service_tenant_id }}",
+    "cloud_admin": "rule:admin_required and (token.is_admin_project:True or domain_id:{{ admin_domain_id }} or project_id:{{ service_tenant_id }})",
+    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
@ -38,7 +38,7 @@
    "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id or rule:service_role",
+    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
    "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
--- a/templates/newton/policy.json
+++ b/templates/newton/policy.json
@ -1,8 +1,8 @@
 {% if api_version == 3 -%}
 {
    "admin_required": "role:{{ admin_role }}",
-    "cloud_admin": "rule:admin_required and (token.is_admin_project:True or domain_id:{{ admin_domain_id }})",
-    "service_role": "role:service and project_id:{{ service_tenant_id }}",
+    "cloud_admin": "rule:admin_required and (token.is_admin_project:True or domain_id:{{ admin_domain_id }} or project_id:{{ service_tenant_id }})",
+    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
@ -38,7 +38,7 @@
    "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
-    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id or rule:service_role",
+    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
    "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
--- a/tests/basic_deployment.py
+++ b/tests/basic_deployment.py
@ -662,16 +662,10 @@ class KeystoneBasicDeployment(OpenStackAmuletDeployment):
                'cloud_admin':
                    'rule:admin_required and '
                    '(token.is_admin_project:True or '
-                    'domain_id:{admin_domain_id})'.format(
-                        admin_domain_id=ks_ci_rel['admin_domain_id']),
-                'service_role':
-                    'role:service '
-                    'and project_id:{service_tenant_id}'.format(
+                    'domain_id:{admin_domain_id} or '
+                    'project_id:{service_tenant_id})'.format(
+                        admin_domain_id=ks_ci_rel['admin_domain_id'],
                        service_tenant_id=ks_ci_rel['service_tenant_id']),
-                'identity:list_projects':
-                    'rule:cloud_admin or '
-                    'rule:admin_and_matching_domain_id or '
-                    'rule:service_role',
            }
        else:
            expected = {
--- a/unit_tests/test_keystone_utils.py
+++ b/unit_tests/test_keystone_utils.py
@ -283,7 +283,6 @@ class TestKeystoneUtils(CharmTestCase):
        service_role = 'Admin'
        if test_api_version > 2:
            service_domain = 'service_domain'
-            service_role = 'service'

        mock_keystone = MagicMock()
        mock_keystone.resolve_tenant_id.return_value = 'tenant_id'
@ -1111,7 +1110,7 @@ class TestKeystoneUtils(CharmTestCase):
        create_user_credentials.assert_called_with('requester', 'password',
                                                   domain='Non-Default',
                                                   new_roles=[],
-                                                   grants=['service'],
+                                                   grants=['Admin'],
                                                   tenant='services')
        self.peer_store_and_set.assert_called_with(relation_id=relation_id,
                                                   **relation_data)