Revert change of role for v3 service accounts

More work is needed on policy changes before we can have fine-grained
RBAC for service accounts.

Add service project to cloud_admin rule to maintain service access
to admin-only calls.

Change-Id: I3d6776ec821e97353d63d2709b36efd9091f0123
Closes-Bug: 1655028
Frode Nordahl 2017-01-11 14:37:21 +01:00
parent 23f6363cbd
commit dd65408d94
5 changed files with 18 additions and 27 deletions


@ -1688,11 +1688,10 @@ def create_service_credentials(user, new_roles=None):
config('admin-role') role. Tenant is assumed to already exist.
For Keysteone v3 API compability services are given a user in project
config('service-tenant') in SERVICE_DOMAIN and are given the 'service'
role.
config('service-tenant') in SERVICE_DOMAIN and are given the
config('admin-role') role.
As of Mitaka Keystone v3 policy the 'service' role is sufficient for
services to validate tokens. Project is assumed to already exist.
Project is assumed to already exist.
"""
tenant = config('service-tenant')
if not tenant:
@ -1706,12 +1705,12 @@ def create_service_credentials(user, new_roles=None):
grants=[config('admin-role')],
domain=domain)
if get_api_version() > 2:
# v3 policy allows services to validate tokens when granted the
# 'service' role.
# Create account in SERVICE_DOMAIN as well using same password
domain = SERVICE_DOMAIN
passwd = create_user_credentials(user, passwd,
tenant=tenant, new_roles=new_roles,
grants=['service'], domain=domain)
grants=[config('admin-role')],
domain=domain)
return passwd
@ -1912,17 +1911,16 @@ def add_credentials_to_keystone(relation_id=None, remote_unit=None):
if get_api_version() == 2:
domain = None
grants = [config('admin-role')]
else:
domain = settings.get('domain') or SERVICE_DOMAIN
grants = ['service']
# Use passed project or the service project
credentials_project = settings.get('project') or config('service-tenant')
create_tenant(credentials_project, domain)
# Use passed grants or default grants
credentials_grants = (get_requested_grants(settings) or grants)
credentials_grants = (get_requested_grants(settings) or
[config('admin-role')])
# Create the user
credentials_password = create_user_credentials(
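Review bot: With grants reverted to `[config('admin-role')]` on the new side of both hunks (the SERVICE_DOMAIN create_user_credentials call and the `credentials_grants` fallback), the comment `# v3 policy allows services to validate tokens when granted the 'service' role.` no longer describes what the code does if it survives the change, and the `grants` local assigned in the API-version branch (`grants = [config('admin-role')]`) looks dead now that the fallback names the admin role directly. Replace that comment with one recording why the admin role is granted, e.g. `# Interim: v3 service accounts get config('admin-role') on the service project until Keystone policy work allows a scoped 'service' role (bug 1655028).`, and either drop the unused `grants` assignment or feed it into `credentials_grants` so the v2/v3 defaults live in one place. Both create_service_credentials and add_credentials_to_keystone start and end outside these hunks, so whether the `grants` local has another reader cannot be confirmed here.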


@ -1,8 +1,8 @@
{% if api_version == 3 -%}
{
"admin_required": "role:{{ admin_role }}",
"cloud_admin": "rule:admin_required and (token.is_admin_project:True or domain_id:{{ admin_domain_id }})",
"service_role": "role:service and project_id:{{ service_tenant_id }}",
"cloud_admin": "rule:admin_required and (token.is_admin_project:True or domain_id:{{ admin_domain_id }} or project_id:{{ service_tenant_id }})",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
@ -38,7 +38,7 @@
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id or rule:service_role",
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",


@ -1,8 +1,8 @@
{% if api_version == 3 -%}
{
"admin_required": "role:{{ admin_role }}",
"cloud_admin": "rule:admin_required and (token.is_admin_project:True or domain_id:{{ admin_domain_id }})",
"service_role": "role:service and project_id:{{ service_tenant_id }}",
"cloud_admin": "rule:admin_required and (token.is_admin_project:True or domain_id:{{ admin_domain_id }} or project_id:{{ service_tenant_id }})",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
"admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
@ -38,7 +38,7 @@
"admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
"admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id or rule:service_role",
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
"identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",


@ -662,16 +662,10 @@ class KeystoneBasicDeployment(OpenStackAmuletDeployment):
'cloud_admin':
'rule:admin_required and '
'(token.is_admin_project:True or '
'domain_id:{admin_domain_id})'.format(
admin_domain_id=ks_ci_rel['admin_domain_id']),
'service_role':
'role:service '
'and project_id:{service_tenant_id}'.format(
'domain_id:{admin_domain_id} or '
'project_id:{service_tenant_id})'.format(
admin_domain_id=ks_ci_rel['admin_domain_id'],
service_tenant_id=ks_ci_rel['service_tenant_id']),
'identity:list_projects':
'rule:cloud_admin or '
'rule:admin_and_matching_domain_id or '
'rule:service_role',
}
else:
expected = {
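Review bot: The expected policy dict drops its `service_role` and `identity:list_projects` entries instead of updating them to the values the templates now render (`role:service` and `rule:cloud_admin or rule:admin_and_matching_domain_id`), so this deployment check no longer verifies those two rules at all. Keeping them, e.g. `'service_role': 'role:service',` and `'identity:list_projects': 'rule:cloud_admin or rule:admin_and_matching_domain_id',`, would pin the reverted policy the same way the updated `cloud_admin` entry does. The enclosing test method and the `expected` dict it builds start outside this hunk, so whether the comparison is exact-match or subset cannot be confirmed here.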


@ -283,7 +283,6 @@ class TestKeystoneUtils(CharmTestCase):
service_role = 'Admin'
if test_api_version > 2:
service_domain = 'service_domain'
service_role = 'service'
mock_keystone = MagicMock()
mock_keystone.resolve_tenant_id.return_value = 'tenant_id'
@ -1111,7 +1110,7 @@ class TestKeystoneUtils(CharmTestCase):
create_user_credentials.assert_called_with('requester', 'password',
domain='Non-Default',
new_roles=[],
grants=['service'],
grants=['Admin'],
tenant='services')
self.peer_store_and_set.assert_called_with(relation_id=relation_id,
**relation_data)
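Review bot: After `service_role = 'service'` is removed, `service_role` is `'Admin'` for every `test_api_version`, so the variable no longer depends on the version branch and reads as a leftover; either inline it or keep it with a comment such as `# v3 service accounts are granted the admin role too (revert, bug 1655028)` so the next reader does not reintroduce the per-version split. The hard-coded `'Admin'` here and `grants=['Admin']` in the later assertion stand in for `config('admin-role')`, which holds only if the test fixture sets that config value accordingly; the fixture setup is outside this hunk. Both test methods start and end outside the hunks shown.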